projects:package-building

Differences

Previous revision: projects:package-building [2013/07/13 07:53] siretart
Current revision: projects:package-building [2013/07/14 08:31] (current) – notes on my lxc setup, siretart
Line 19:
 Steps to create a container suitable for package building: Steps to create a container suitable for package building:
  
-   SUITE=wheezy lxc-create -t debian-build +  SUITE=wheezy lxc-create -t debian-build 
-   echo 'lxc.network.ipv4 = 10.0.3.200' >> /var/lib/lxc/debian-build/config +  ln -s /var/lib/lxc/debian-build/config /etc/lxc/auto/debian-build.conf 
-   ln -s /var/lib/lxc/debian-build/config /etc/lxc/auto/debian-build.conf+ 
 +Ubuntu confines the container with app-armor in order to limit the capability and permissions of processes inside the container, and thus, to limit the security risks of untrusted code "breaking out" of the container. Unfortunately, some of those measures break schroot. To fix this there are two options: 
 + 
 +  - Run the container in with the unconfined profile 
 +  - Create and use the following profile: 
 + 
 +<code> 
 +# /etc/apparmor.d/lxc/lxc-schroot 
 +
 +# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which 
 +# will source all profiles under /etc/apparmor.d/lxc 
 + 
 +profile lxc-container-schroot flags=(attach_disconnected,mediate_deleted) { 
 +  #include <abstractions/lxc/container-base> 
 +  #include <abstractions/lxc/start-container> 
 +   
 +  mount fstype=cgroup -> /sys/fs/cgroup/**, 
 + 
 +  mount options in (ro,rw,bind,nosuid,noexec,remount) /**/ -> /var/lib/schroot/**/, 
 +  mount fstype=proc, 
 +  mount fstype=sysfs, 
 +
 +</code> 
 + 
 +Unfortunately, this is not enough. The default lxc configuration limits the use of ''mknod'', so further tweaks to the lxc container configuration are necessary. Here is my configuration for reference: 
 + 
 +<code> 
 +# Template used to create this container: debian                                                                                                                          
 +# Template script checksum (SHA-1): 33e3fc0cb7e2809453c36e81fe0fe4aa5542c208                                                                                              
 + 
 +lxc.network.type = veth 
 +lxc.network.link = lxcbr0 
 +lxc.network.flags = up 
 +lxc.network.ipv4 = 10.0.3.200 
 + 
 +lxc.rootfs = /var/lib/lxc/debian-build/rootfs 
 +lxc.tty = 4 
 +lxc.pts = 1024 
 +lxc.utsname = debian-build 
 + 
 +# When using LXC with apparmor, uncomment the next line to run unconfined:                                                                                                
 +#lxc.aa_profile = unconfined                                                                                                                                              
 + 
 +lxc.aa_profile = lxc-container-schroot 
 + 
 +lxc.cgroup.devices.deny = a 
 +/dev/null and zero                                                                                                                                                      
 +lxc.cgroup.devices.allow = c 1:3 rwm 
 +lxc.cgroup.devices.allow = c 1:5 rwm 
 +# consoles                                                                                                                                                                
 +lxc.cgroup.devices.allow = c 5:1 rwm 
 +lxc.cgroup.devices.allow = c 5:0 rwm 
 +lxc.cgroup.devices.allow = c 4:0 rwm 
 +lxc.cgroup.devices.allow = c 4:1 rwm 
 +/dev/{,u}random                                                                                                                                                         
 +lxc.cgroup.devices.allow = c 1:9 rwm 
 +lxc.cgroup.devices.allow = c 1:8 rwm 
 +lxc.cgroup.devices.allow = c 136:* rwm 
 +lxc.cgroup.devices.allow = c 5:2 rwm 
 +# rtc                                                                                                                                                                     
 +lxc.cgroup.devices.allow = c 254:0 rwm 
 + 
 +# found on http://wiki.progress-linux.org/software/lxc/                                                                                                                   
 +# Allow to mknod all devices (but not using them)                                                                                                                         
 +lxc.cgroup.devices.allow                = c *:* m 
 +lxc.cgroup.devices.allow                = b *:* m 
 + 
 +# mounts point                                                                                                                                                            
 +lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 
 +lxc.mount.entry = sysfs sys sysfs defaults  0 0 
 +</code> 
 +   
  
  
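Review bot: the two new rules `mount fstype=proc,` and `mount fstype=sysfs,` in the added lxc-container-schroot profile carry no destination, so unlike the bind rule that is restricted to `-> /var/lib/schroot/**/` they let a process in the container mount proc and sysfs at any path; narrow them to the schroot tree, e.g. `mount fstype=proc -> /var/lib/schroot/**/,` and `mount fstype=sysfs -> /var/lib/schroot/**/,`. The bind rule's source `/**/` likewise admits any directory on the system; if only the build chroots need to be bind-mounted, list those sources instead. The prose above the profile lists "Run the container in with the unconfined profile" as an equal alternative, but that drops all AppArmor mediation and contradicts the stated goal of limiting breakout risk, so the text should mark it as the weaker option (also: "in with" should read "with"). In the pasted lxc config, the comment `# Allow to mknod all devices (but not using them)` is accurate for the device cgroup, since `c *:* m` and `b *:* m` grant mknod only and not read or write, but the paragraph introducing the config should say that this plus the widened mount rules is the trade-off made to get schroot working. Finally, the lines `/dev/null and zero` and `/dev/{,u}random` in the config block have lost their leading `#`; as written they are not valid `key = value` lines and the block will not load until they are commented again.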
projects/package-building.1373702030.txt.gz · Last modified: 2013/07/13 07:53 by siretart