I’m trying to run mock in lxd container. It chroots into fs and then at some point tries to mount /proc filesystem which fails. Host shows that the mount is blocked by apparmour:
I tried to add “mount fstype=nfs,” into /etc/apparmor.d/lxc/lxc-default and it did not help (yes, I reloaded apparmour and restarted the container). I tried to add “lxc.aa_profile = lxc-container-default-with-mounting” into container config (lxc config edit container_name, raw.lxc: lxc.aa_profile = …), but this gives me “Config parsing error: Initialize LXC: Failed to load raw.lxc” error.
How can I convince the container to allow /proc mounts?
Hallo!
It hits again!
Now I’m trying to run mock under centos8 in container under lxd 4.3 control. When initialising mock root (mock --init) I get the following error:
Could not create dir /var/lib/mock/cs7/root/sys/fs/selinux. Error: [Errno 30] Read-only file system: '/var/lib/mock/cs7/root/sys/fs/selinux
I have all possible permissions in continer config: security.nesting: "true", security.privileged: "true", lxc.apparmor.profile=unconfined and also my hack from last year reported in this thread (raw.apparmor: mount fstype=proc,) - nothing helps.
This time I have no errors from apparmor. --show-log for container reports the following:
lxc buildserver 20200718090712.698 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1153 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.payload.buildserver"
lxc buildserver 20200718090712.700 ERROR utils - utils.c:lxc_can_use_pidfd:1834 - Kernel does not support pidfds
Any suggestions how to proceed?
I tried mock 1.4.21 and latest from epel (2.3)
Best regards,
If you take away all the security of a container, why do you use a container? i would say, use the VM option in LXD. Management will only become more difficult with updates.
I remove all security only in attempt to find out the actual reason for /var/lib/mock/cs7/root/sys/fs/selinux error. When I figure out what causes this problem I will restore as much of the restrictions as possible.
