LXC, Juju and AppArmor (was: Re: Juju and AppArmor)

Serge Hallyn serge.hallyn at ubuntu.com
Sat Aug 10 12:37:49 UTC 2013


Quoting Sidnei da Silva (sidnei.da.silva at canonical.com):
> Hi Jamie,
> 
> We're starting to build up apparmor profiles for some of our juju-deployed
> services.
> 
> Turns out that when deploying those into lxc containers we get an error
> 'trying to load profile while confined' or something along these lines.
> 
> Is there a way to make those apparmor profiles loadable even within lxc? My
> understanding is that the lxc containers themselves are apparmor-confined,
> which might be good enough to not escape into the host, but it would be
> awesome to allow profiles to be applied within the container as well.

Stacked profiles are what would allow this, and are on John's todo list.

For now, you can choose to run the container unconfined, in which case
you can apply your own profile from within the container.
(lxc.aa_profile = unconfined).

-serge
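
Added example, not part of the original message or of LXC/Juju: since `lxc.aa_profile = unconfined` removes the host-side AppArmor confinement of the container, a host audit can list which containers select it. The sample configs are constructed; the default profile name, "last assignment wins" handling and the newer `lxc.apparmor.profile` key are assumptions about LXC behaviour, and `lxc.include` files are not followed.

```python
"""Audit LXC container configs for AppArmor confinement (added example)."""

# Assumption: a container with no profile key gets LXC's default profile,
# and for single-value keys the last assignment in the file wins.
DEFAULT_PROFILE = "lxc-container-default"
# lxc.aa_profile is the key named in the message; lxc.apparmor.profile is
# the name the same setting carries in later LXC releases.
PROFILE_KEYS = ("lxc.aa_profile", "lxc.apparmor.profile")


def effective_aa_profile(config_text):
    """Return the AppArmor profile that a container config selects."""
    profile = DEFAULT_PROFILE
    for raw in config_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and anything that is not "key = value".
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in PROFILE_KEYS:
            profile = value
    return profile


def unconfined_containers(configs):
    """Take {container name: config text}; return names running unconfined."""
    return sorted(name for name, text in configs.items()
                  if effective_aa_profile(text) == "unconfined")


# Constructed sample configs (hypothetical container names).
SAMPLE_CONFIGS = {
    # Explicitly unconfined, as in the workaround above.
    "juju-web": "lxc.utsname = juju-web\nlxc.aa_profile = unconfined\n",
    # The unconfined line is commented out, so the default applies.
    "juju-db": "lxc.utsname = juju-db\n# lxc.aa_profile = unconfined\n",
    # A later assignment overrides the earlier unconfined one.
    "juju-cache": ("lxc.aa_profile = unconfined\n"
                   "lxc.aa_profile = lxc-container-default-with-nesting\n"),
}

if __name__ == "__main__":
    for name in unconfined_containers(SAMPLE_CONFIGS):
        print(f"{name}: no host AppArmor profile is applied to this container")
```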


