Last active
December 27, 2015 01:09
-
-
Save wyaeld/7243037 to your computer and use it in GitHub Desktop.
/etc/apparmor.d/usr.bin.lxc-start for Jerome
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 14:13 $ cat /etc/apparmor.d/usr.bin.lxc-start | |
| #include <tunables/global> | |
| /usr/bin/lxc-start flags=(attach_disconnected) { | |
| #include <abstractions/lxc/start-container> | |
| } | |
| ~/ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| So, in complain mode it works? | |
| ``` | |
| 14:17 $ sudo aa-complain /usr/bin/lxc-start | |
| Setting /usr/bin/lxc-start to complain mode. | |
| ~/dockerfiles/var-run-mount-xp | |
| 14:17 $ sudo docker build . | |
| Uploading context 10240 bytes | |
| Step 1 : FROM ubuntu:12.04 | |
| ---> 8dbd9e392a96 | |
| Step 2 : VOLUME ["/var/run/foo"] | |
| ---> Using cache | |
| ---> 6f486b9c6987 | |
| Step 3 : RUN touch "/tmp/bar" | |
| ---> Running in f5a2a72d6eb5 | |
| ---> 5b66824158ea | |
| Successfully built 5b66824158ea | |
| ``` |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dmesg output from that specific command | |
| ``` | |
| [191891.928892] aufs test_add:261:docker[8462]: uid/gid/perm /var/lib/docker/graph/_tmp/_dockerinit 0/0/0711, 0/0/0755 | |
| [191891.928907] aufs test_add:261:docker[8462]: uid/gid/perm /var/lib/docker/graph/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/layer 0/0/0711, 0/0/0755 | |
| [191891.955217] device vethKDL76d entered promiscuous mode | |
| [191891.955381] IPv6: ADDRCONF(NETDEV_UP): vethKDL76d: link is not ready | |
| [191892.007685] type=1400 audit(1383182297.080:45): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 | |
| [191892.007706] type=1400 audit(1383182297.080:46): apparmor="ALLOWED" operation="getattr" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 | |
| [191892.008396] type=1400 audit(1383182297.080:47): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="/run/foo/" pid=9820 comm="lxc-start" srcname="/var/lib/docker/volumes/74974768f7ac8cd0e9edeae03482248a40b912cff74bae4e1f95867edd520e4f/layer/" flags="rw, bind" | |
| [191892.008420] type=1400 audit(1383182297.080:48): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="/run/foo/" pid=9820 comm="lxc-start" flags="rw, remount, bind" | |
| [191892.008508] type=1400 audit(1383182297.080:49): apparmor="ALLOWED" operation="mkdir" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/dev" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 | |
| [191892.008572] type=1400 audit(1383182297.080:50): apparmor="ALLOWED" operation="symlink" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/dev/kmsg" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 | |
| [191892.008697] type=1400 audit(1383182297.080:51): apparmor="ALLOWED" operation="mkdir" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 | |
| [191892.014115] type=1400 audit(1383182297.084:52): apparmor="ALLOWED" operation="open" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 | |
| [191892.014144] type=1400 audit(1383182297.084:53): apparmor="ALLOWED" operation="rename_src" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/lxc_putold" pid=9820 comm="lxc-start" requested_mask="rwd" denied_mask="rwd" fsuid=0 ouid=0 | |
| [191892.014153] type=1400 audit(1383182297.084:54): apparmor="ALLOWED" operation="rename_dest" info="Failed name lookup" error=-13 parent=9815 profile="/usr/bin/lxc-start" name="var/lib/docker/containers/f5a2a72d6eb5063dbb8354e7c20e577bb7e29f80b005fefb9e24b685b46522cb/rw/.wh..wh.lxc_putold.114e" pid=9820 comm="lxc-start" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0 | |
| [191892.014424] IPv6: ADDRCONF(NETDEV_CHANGE): vethKDL76d: link becomes ready | |
| [191892.014485] docker0: port 1(vethKDL76d) entered forwarding state | |
| [191892.014508] docker0: port 1(vethKDL76d) entered forwarding state | |
| [191892.134693] docker0: port 1(vethKDL76d) entered disabled state | |
| [191892.135151] device vethKDL76d left promiscuous mode | |
| [191892.135154] docker0: port 1(vethKDL76d) entered disabled state | |
| [191892.154812] userif-3: sent link down event. | |
| [191892.154817] userif-3: sent link up event.<4>[191892.163935] aufs test_add:261:docker[8467]: uid/gid/perm /var/lib/docker/graph/_tmp/_dockerinit 0/0/0711, 0/0/0755 | |
| [191892.163950] aufs test_add:261:docker[8467]: uid/gid/perm /var/lib/docker/graph/8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/layer 0/0/0711, 0/0/0755 | |
| [191893.151435] userif-3: sent link down event. | |
| [191893.151440] userif-3: sent link up event. | |
| ``` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment