Apparmor inside Debian container

Hi all,
I have been testing lxc and figured out how to limit both resources and disk size.
I really like the way lxc works.
My setup is:
Host: Debian buster with lxc installed on btrfs formatted disk.
Containers: Debian buster

Everything works fine so far, but there is one thing I can not get my head around and that puzzles me. I have set up an unprivileged container containing a webserver (apache) and a postgres database, all inside the same container. Now I want to enable apparmor inside the container to limit processes, but I cannot get it to work.
The apparmor daemon is running with the message: Not starting AppArmor in container
If I run aa-status I just get: apparmor module is loaded. apparmor filesystem is not mounted.

I tried to find info online, but "apparmor filesystem is not mounted" points to the fact that securityfs is not mounted, and reading further, it is not recommended to mount securityfs for security reasons.

If I look at apparmor on the host, there are several lines under processes in enforce mode that say they are unconfined, pointing to the container, as in:

/usr/sbin/apache2 (11850) lxc-urd-web-001_</var/lib/lxc>//&:lxc-urd-web-001_<-var-lib-lxc>:unconfined

Even if it says unconfined, it does not show up in aa-unconfined.

This is where I get all confused!
Should you not run apparmor inside an unprivileged container?
Should you handle apparmor for the container from the host?

Thanks in advance!!
Marcux

Running apparmor inside an unprivileged container is perfectly fine; apparmor supports namespacing for this reason, and the profile you show above confirms your system supports namespacing (LXD applies a base profile, then stacks unconfined on top, and your container is then free to load its own profiles).

Most likely your issue is a bug in the AppArmor init scripts in Debian which fail to detect a container environment where AppArmor would work properly.

Can you try, say, images:ubuntu/20.04 for a test container and see if installing apparmor in there behaves properly? If so, then the issue is definitely with the apparmor package, at least in that particular Debian release.

Thanks for your help Stéphane!!
Yes, after starting an Ubuntu container and enabling apparmor, that worked fine.
I looked through the config of the Ubuntu container and compared it with the Debian config, and I realized that the main difference is that securityfs is mounted by default in the Ubuntu container but not in the Debian one.
I mounted securityfs in the Debian container and apparmor started to work as expected.

lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0

I still have a question though, I read here: https://wiki.ubuntu.com/LxcSecurity
and there it says that you should not mount securityfs in your container.
So how are you supposed to reason around this?
To be able to increase the security with apparmor, you have to lower the security a bit?

Many thanks!!
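
The check described in this post, written up as a small POSIX sh script that is an added example and not part of the thread or of the lxc project: it looks at what aa-status looks at (is securityfs mounted at /sys/kernel/security, and does the kernel report AppArmor enabled), and can append the bind-mount line from the post to a container config without duplicating it. The function names, the `--run` flag and the optional path arguments (used so the functions can be tested against constructed files) are assumptions of this example; the kernel paths are the standard ones.

```sh
#!/bin/sh
# Added example, not from the thread: inside-container preflight for AppArmor.
# Default paths are the real kernel paths; the optional arguments exist so the
# functions can be run against constructed files (assumption of this example).

# securityfs_mounted [MOUNTS_FILE]
# Return 0 if MOUNTS_FILE (same format as /proc/mounts) lists a securityfs
# filesystem at /sys/kernel/security, 1 otherwise.
securityfs_mounted() {
    mounts_file="${1:-/proc/mounts}"
    # Fields of /proc/mounts: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype _rest; do
        if [ "$mnt" = "/sys/kernel/security" ] && [ "$fstype" = "securityfs" ]; then
            return 0
        fi
    done < "$mounts_file"
    return 1
}

# apparmor_enabled [SYS_ROOT]
# Return 0 if the kernel reports AppArmor enabled, i.e. the file
# SYS_ROOT/module/apparmor/parameters/enabled contains "Y"; 1 otherwise.
apparmor_enabled() {
    sys_root="${1:-/sys}"
    enabled_file="$sys_root/module/apparmor/parameters/enabled"
    [ -r "$enabled_file" ] || return 1
    [ "$(cat "$enabled_file")" = "Y" ]
}

# ensure_mount_entry CONFIG_FILE
# Append the bind-mount line from the post to an LXC container config on the
# host unless an entry for sys/kernel/security is already present.
# Prints "added" or "present" so the caller can see what happened.
ensure_mount_entry() {
    config="$1"
    entry='lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0'
    if grep -q 'sys/kernel/security' "$config" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$entry" >> "$config"
        echo added
    fi
}

# report [MOUNTS_FILE] [SYS_ROOT]
# Exit status: 0 = apparmor usable, 1 = securityfs missing, 2 = no AppArmor.
report() {
    if ! apparmor_enabled "$2"; then
        echo "AppArmor is not enabled in the kernel; nothing to do inside the container"
        return 2
    fi
    if securityfs_mounted "$1"; then
        echo "securityfs is mounted at /sys/kernel/security; aa-status should work"
        return 0
    fi
    echo "securityfs is not mounted; add this to the container config on the host:"
    echo "  lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0"
    return 1
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    report
fi
```

Run it inside the container as `sh check-securityfs.sh --run`; the exit status tells you whether the fix belongs on the host (status 1: add the mount entry and restart the container) or whether the host kernel has no AppArmor at all (status 2), in which case nothing inside the container will help.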

It’s fine to mount it, especially in unprivileged containers.
In privileged containers you may want to restrict access to it through apparmor so only /sys/kernel/security/apparmor may be accessed.

Thanks for your support and help!