openstack-ansible/playbooks/roles/lxc_hosts/templates/lxc-openstack.apparmor.j2
Shu Shen de2dc69641 Configurable lxc cache and rootfs path
The rootfs of the containers use large disk space and is defaulted to
/var/lib/lxc. It's desirable to configure an alternative rootfs directory on a
partition with large enough free space to hold the rootfs.

The rootfs of a container is hard-linked to the lxc cache when created by lxc
templates. Therefore both have to reside on the same partition and the lxc
cache shall be configurable as well as the rootfs directory.

The lxc-ubuntu template is patched by lxc-host role to use the configured lxc
cache folder. This patch should be removed once the updated upstream lxc with
support of configuring the cache path goes mainstream.

To configure these parameters, set the following variables in global_overrides
of openstack_user_config.yml:
    - lxc_container_directory, defaults to /var/lib/lxc
    - lxc_container_cache_path, defaults to /var/cache/lxc

Closes-Bug: #1463905
Change-Id: I9ccf0c45e0a1875644750e0d70ce613265040176
2015-06-15 20:56:13 +00:00


# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-openstack flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # Allow standard block device filesystem types.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data. However, we continue to disallow proc, sys, securityfs,
  # etc. to nonstandard locations.
  mount fstype=ext* -> /**,
  mount fstype=nbd* -> /**,
  mount fstype=xfs -> /**,
  mount fstype=btrfs -> /**,
  mount fstype=vfat* -> /**,
  mount fstype=fuseblk -> /**,
  mount fstype=nfs* -> /**,
  mount fstype=devpts,

  # Allow system access.
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  # proc and sysfs mounts are confined to the configured lxc cache path.
  mount fstype=proc -> {{ lxc_container_cache_path }}/**,
  mount fstype=sysfs -> {{ lxc_container_cache_path }}/**,
  mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/,
}
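
The commit message requires the container rootfs directory and the lxc cache to share one partition, because the templates hard-link between them, and the profile above only permits proc and sysfs mounts under the configured cache path. The following pre-flight checks are an added example, not code from openstack-ansible: `same_filesystem` and `hardlink_possible` verify the two configured paths before any container is built, and `confined_to` parses a rendered copy of the profile to confirm its proc/sysfs destinations all fall under the expected cache path. The sample profile text and the `/srv/lxc/cache` value are constructed here; `lxc_container_directory` and `lxc_container_cache_path` are assumed to be plain directory paths.

```python
"""Pre-flight checks for configurable lxc rootfs and cache paths.

Added example, not part of openstack-ansible. The sample profile below is a
constructed rendering of lxc-openstack.apparmor.j2 with
lxc_container_cache_path set to /srv/lxc/cache (an assumed value).
"""
import errno
import os
import re
import tempfile

# Constructed sample: the profile after Jinja substitution.
SAMPLE_PROFILE = """\
profile lxc-openstack flags=(attach_disconnected,mediate_deleted) {
  mount fstype=ext* -> /**,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=proc -> /srv/lxc/cache/**,
  mount fstype=sysfs -> /srv/lxc/cache/**,
}
"""

# Matches "mount fstype=<type> -> <destination>," rules only; rules without a
# destination (fstype=devpts) or with options= are deliberately skipped.
MOUNT_RULE = re.compile(r"^\s*mount\s+fstype=(\S+)\s*->\s*(\S+?),?\s*$")


def same_filesystem(path_a, path_b):
    """True when both paths are on one filesystem (identical st_dev).

    Hard links cannot cross filesystems, so the rootfs directory and the
    lxc cache must satisfy this before lxc templates create containers.
    """
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def hardlink_possible(dir_a, dir_b):
    """Empirically confirm a hard link from dir_a into dir_b succeeds.

    Creates and removes a scratch file. Returns False on EXDEV
    (cross-device link); any other error is re-raised.
    """
    src = os.path.join(dir_a, ".lxc-link-probe")
    dst = os.path.join(dir_b, ".lxc-link-probe")
    with open(src, "w") as fh:
        fh.write("probe")
    try:
        os.link(src, dst)
    except OSError as exc:
        if exc.errno == errno.EXDEV:
            return False
        raise
    else:
        os.unlink(dst)
        return True
    finally:
        os.unlink(src)


def mount_destinations(profile_text, fstypes=("proc", "sysfs")):
    """Map each selected fstype to the list of destination globs it may use."""
    out = {}
    for line in profile_text.splitlines():
        match = MOUNT_RULE.match(line)
        if match and match.group(1) in fstypes:
            out.setdefault(match.group(1), []).append(match.group(2))
    return out


def confined_to(profile_text, cache_path, fstypes=("proc", "sysfs")):
    """True if every proc/sysfs mount rule is present and sits under cache_path."""
    prefix = cache_path.rstrip("/") + "/"
    dests = mount_destinations(profile_text, fstypes)
    if not all(fs in dests for fs in fstypes):
        return False
    return all(d.startswith(prefix) for fs in fstypes for d in dests[fs])


def demo():
    """Constructed stand-ins for the two directories, created side by side."""
    base = tempfile.mkdtemp(prefix="lxc-paths-")
    rootfs = os.path.join(base, "lxc")    # stands in for lxc_container_directory
    cache = os.path.join(base, "cache")   # stands in for lxc_container_cache_path
    os.mkdir(rootfs)
    os.mkdir(cache)
    return same_filesystem(rootfs, cache), hardlink_possible(rootfs, cache)


if __name__ == "__main__":
    print("same fs / link ok:", demo())
    print("profile confined to /srv/lxc/cache:", confined_to(SAMPLE_PROFILE, "/srv/lxc/cache"))
    print("profile confined to /var/cache/lxc:", confined_to(SAMPLE_PROFILE, "/var/cache/lxc"))
```

Run on a real host with the two configured paths substituted for the temporary directories; a `False` from `same_filesystem` means the lxc templates' hard links would fail with EXDEV, and a `False` from `confined_to` means the rendered profile does not match the cache path the host is actually using.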