[pve-devel] [PATCH lxc] Add apparmor patch for /run -> /var/run binding

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Feb 5 08:44:19 CET 2016


Fixes some issues (mount retry loops) with suse 13.1 and
13.2 containers.
---
 Note: this patch has been accepted upstream and should be in the next release.

 ...armor-allow-binding-run-lock-var-run-lock.patch | 32 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch

diff --git a/debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch b/debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch
new file mode 100644
index 0000000..cf51641
--- /dev/null
+++ b/debian/patches/0001-apparmor-allow-binding-run-lock-var-run-lock.patch
@@ -0,0 +1,32 @@
+From 4a491a31c23e64f29152a4b5e4ff07b361074261 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller at proxmox.com>
+Date: Tue, 2 Feb 2016 09:13:04 +0100
+Subject: [PATCH] apparmor: allow binding /run/{,lock/} -> /var/run/{,lock/}
+
+Some systems need to be able to bind-mount /run to /var/run
+and /run/lock to /var/run/lock. (Tested with opensuse 13.1
+containers migrated from openvz.)
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
+---
+ config/apparmor/abstractions/container-base.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
+index 1121256..3a001d8 100644
+--- a/config/apparmor/abstractions/container-base.in
++++ b/config/apparmor/abstractions/container-base.in
+@@ -62,6 +62,10 @@
+   # allow bind mount of /lib/init/fstab for lxcguest
+   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+ 
++  # allow bind mounts of /run/{,lock} to /var/run/{,lock}
++  mount options=(rw, bind) /run/ -> /var/run/,
++  mount options=(rw, bind) /run/lock/ -> /var/lock/,
++
+   # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+   deny @{PROC}/sys/fs/** wklx,
+-- 
+2.1.4
+
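Review bot: the second rule's target does not match its own description: the subject line and the comment above it say /run/lock/ is bound to /var/run/lock/, but the rule added is `mount options=(rw, bind) /run/lock/ -> /var/lock/,`. One of the two should be corrected so the profile and the commit message agree; if the intended target really is /var/lock/ (on many distributions it is a symlink to /run/lock), the comment and subject should say so, and if /var/run/lock/ is what the suse containers actually mount, the rule needs that path. Worth keeping as is: both rules name exact source and target paths with `options=(rw, bind)` only, so the grant is limited to these two bind mounts rather than opening /run or /var/run more broadly.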
diff --git a/debian/patches/series b/debian/patches/series
index 322f714..b881754 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ run-lxcnetaddbr.patch
 delete_network_show_error.diff
 0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch
 0002-Added-lxc.monitor.unshare.patch
+0001-apparmor-allow-binding-run-lock-var-run-lock.patch
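Review bot: the new entry reuses the `0001-` prefix while the series already contains `0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch` and `0002-Added-lxc.monitor.unshare.patch`, so two different patches now carry the same sequence number. Renaming the file to `0003-apparmor-allow-binding-run-lock-var-run-lock.patch` (in both the series file and the patch filename above) keeps the numbering monotonic and makes the apply order obvious to the next person touching debian/patches.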
-- 
2.1.4