I have been testing lxc and figured out how to limit both resources and disk size.
I really like the way lxc works.
My setup is:
Host: Debian buster with lxc installed on btrfs formatted disk.
Containers: Debian buster
Everything works fine so far, but there is one thing I can not get my head around and that puzzles me. I have set up an unprivileged container containing a webserver (apache) and a postgres database, all inside the same container. Now I want to enable apparmor inside the container to limit processes, but I cannot get it to work.
The apparmor daemon is running with the message: Not starting AppArmor in container
If I run aa-status I just get: apparmor module is loaded. apparmor filesystem is not mounted.
I tried to find info online, but "filesystem is not mounted" points to the fact that securityfs is not mounted, and reading further, it is not recommended to mount securityfs for security reasons.
If I look in apparmor on the host there are several lines in processes in enforce mode that say that they are unconfined, pointing to the container, as in:
/usr/sbin/apache2 (11850) lxc-urd-web-001_</var/lib/lxc>//&:lxc-urd-web-001_<-var-lib-lxc>:unconfined
Even if it says unconfined it does not show up in aa-unconfined
This is where I get all confused!
Should you not run apparmor inside an unprivileged container?
Should you handle apparmor for the container from the host?
Thanks in advance!!