1fca76c8d3
This change allows containers to mount and remount volumes as needed. Before this change, when users had a mounted volume within a container, like in the case of services using NFS or RBD, it was not possible to remount a volume within the container runtime. While a user could unmount and mount a volume or restart a container, these actions results in service interuption where as a remount would simply reload the mounted volume without service interuption. Change-Id: Iff588cad451320167b92f2d79e4693a1037be966 Closes-Bug: #1814200 Signed-off-by: cloudnull <kevin@cloudnull.com>
30 lines
1.1 KiB
Django/Jinja
30 lines
1.1 KiB
Django/Jinja
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
|
|
# will source all profiles under /etc/apparmor.d/lxc
|
|
|
|
profile lxc-openstack flags=(attach_disconnected,mediate_deleted) {
|
|
#include <abstractions/lxc/container-base>
|
|
|
|
# allow standard blockdevtypes.
|
|
# The concern here is in-kernel superblock parsers bringing down the
|
|
# host with bad data. However, we continue to disallow proc, sys, securityfs,
|
|
# etc to nonstandard locations.
|
|
mount fstype=ext* -> /**,
|
|
mount fstype=nbd* -> /**,
|
|
mount fstype=xfs -> /**,
|
|
mount fstype=btrfs -> /**,
|
|
mount fstype=vfat* -> /**,
|
|
mount fstype=fuseblk -> /**,
|
|
mount fstype=nbd* -> /**,
|
|
mount fstype=nfs* -> /**,
|
|
mount fstype=rpc_pipefs,
|
|
mount fstype=devpts,
|
|
|
|
# allow System access.
|
|
mount fstype=cgroup -> /sys/fs/cgroup/**,
|
|
mount fstype=cgroup2 -> /sys/fs/cgroup/**,
|
|
mount fstype=proc -> {{ lxc_container_cache_path }}/**,
|
|
mount fstype=sysfs -> {{ lxc_container_cache_path }}/**,
|
|
mount options=(rw,remount),
|
|
mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/,
|
|
}
|