change 'lxc.aa_*' to 'lxc.apparmor.*' if version 3.

2019-06-14 22:57:13 +02:00 · 2019-06-14 22:57:13 +02:00 · a3c8d5c12a
commit a3c8d5c12a
parent 4a7ebb6a19
2 changed files with 81 additions and 9 deletions
--- a/convert_lxc_config_to_version_3.sh
+++ b/convert_lxc_config_to_version_3.sh
@ -275,6 +275,22 @@ else
 	echo_skipped
 fi

+echo
+echononl "   Replace 'lxc.aa_' -> 'lxc.apparmor.'.."
+if $(grep -qE "^\s*#*\s*lxc.aa_.*=" "${LXC_ROOT_DIR}/${LXC_NAME}/config" 2> /dev/null) ; then 
+	perl -i.${backup_date} -n -p \
+		-e "s/^(\s*#*\s*)lxc.aa_(.*)=\s*(.*)/\1lxc.apparmor.\2 = \3/" "${LXC_ROOT_DIR}/${LXC_NAME}/config" \
+		> $log_file 2>&1
+	if [[ $? -gt 0 ]]; then
+		echo_failed
+		error "$(cat $log_file)"
+	else
+		echo_done
+	fi
+else
+	echo_skipped
+fi
+


 echo ""
--- a/create-lx-container.sh
+++ b/create-lx-container.sh
@ -1057,15 +1057,11 @@ EOF
      fi
   fi

-
-
-
-
-
-
 fi

-cat << EOF >> ${LXC_CONTAINER_DIR}/config 2>> $err_msg
+
+if [[ $LXC_MAJOR_VERSION -lt 3 ]]; then
+   cat << EOF >> ${LXC_CONTAINER_DIR}/config 2>> $err_msg

 # Mount iso file inside LX Container
 #lxc.aa_profile = unconfined
@ -1082,8 +1078,68 @@ lxc.start.order = 100
 # -
 lxc.cgroup.memory.limit_in_bytes = $(( $(free -b | grep -oP '\d+' | head -n 1)-1000000000 ))
 EOF
-if [[ $? -ne 0 ]]; then
+   if [[ $? -ne 0 ]]; then
      _failed=true
+   fi
+else
+   cat << EOF >> ${LXC_CONTAINER_DIR}/config 2>> $err_msg
+
+# Mount iso file inside LX Container
+#lxc.apparmor.profile = unconfined
+#lxc.cgroup.devices.allow = b 7:* rwm
+#lxc.cgroup.devices.allow = c 10:237 rwm
+
+
+# Specify the apparmor profile under which the container should be run.
+#
+# To specify that the container should be unconfined, use
+#    lxc.apparmor.profile = unconfined
+#
+# If the apparmor profile should remain unchanged (i.e. if you are nesting
+# containers and are already confined), then use
+#    lxc.apparmor.profile = unchanged
+#
+# If you instruct LXC to generate the apparmor profile, then use
+#    lxc.apparmor.profile = generated
+#
+#
+# MariaDB (and maybe others) does not start
+# =========================================
+#
+# see also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920643
+#
+# AppArmor support in Debian has increased, thus preventing some systemd
+# isolation features to work in LXC 3.0.X. Debian has backported some
+# patches from LXC 3.1 that, along with some configurations in a
+# container, will allow systemd isolation features to work.
+#
+# This may entirely be a an apparmor/systemd issue and nothing to do
+# with mariadb.
+#
+# A workaround is to remove the the following lines from
+# systemd service file:
+#    ProtectSystem=full
+#    PrivateDevices=true
+#    ProtectHome=true
+#
+# Another workarround is to diasble apparmor here:
+#    lxc.apparmor.profile = unconfined
+#
+lxc.apparmor.profile = unconfined
+
+
+# Autostart
+lxc.start.auto = 1
+lxc.start.delay = 5
+lxc.start.order = 100
+
+# Limt memory to 1GB less than full Memory of the server
+# -
+lxc.cgroup.memory.limit_in_bytes = $(( $(free -b | grep -oP '\d+' | head -n 1)-1000000000 ))
+EOF
+   if [[ $? -ne 0 ]]; then
+      _failed=true
+   fi
 fi

 if $_failed ; then