[tor-dev] apparmor in lxc containers [#17754]

Jessica Frazelle jess at docker.com
Tue Dec 15 15:34:03 UTC 2015


You can use a docker container with a custom apparmor profile.


On Dec 15, 2015, 02:40 -0800, intrigeri <intrigeri at boum.org> wrote:
> Hi,
> 
> Peter Palfrader wrote (15 Dec 2015 08:24:25 GMT) :
> > https://bugs.torproject.org/17754 reports that tor no longer works in
> > LXC containers.
> 
> > I have set up an ubuntu wily VM, and a wily LXC container in it, and I
> > can confirm that with the AppArmorProfile= line in the service file, tor
> > will not launch.
> 
> Given the logs I see on the ticket, it looks like systemd was not
> allowed by the container to apply our AppArmor policy.
> Linux namespaces support more and more stuff these days, but they
> didn't go as far as supporting stacking AppArmor policies yet:
> 
> https://bugs.launchpad.net/apparmor/+bug/1379535
> 
> ... not even mentioning limitations that AppArmor has with stacked
> filesystems such as aufs and overlayfs, which are commonly used
> for containers.
> 
> > Do you have any ideas how to properly fix this? Or what the best
> > workaround would be to document?
> 
> Sadly, I don't know what we can do better at the moment than disabling
> AppArmor when running in such environments, like:
> https://trac.torproject.org/projects/tor/ticket/17754#comment:6
> 
> Cheers,
> --
> intrigeri
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
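A defensive sketch of the workaround intrigeri points to, added here and not part of the thread or of tor's packaging: render a systemd drop-in that resets `AppArmorProfile=` only when the service is running inside a container, so the profile stays enforced on hosts where the kernel can apply it. The unit name `tor.service`, the drop-in file name and the use of `systemd-detect-virt --container` plus `/sys/module/apparmor/parameters/enabled` as the checks are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the tor project. Decide whether a
# unit's AppArmorProfile= can be applied, and emit a drop-in that resets it
# only where it cannot (inside a container, where policies do not stack).
set -eu

UNIT="${UNIT:-tor.service}"   # assumed unit name; adjust for your distribution

# apparmor_usable VIRT ENABLED
#   VIRT:    output of `systemd-detect-virt --container` ("none" outside one)
#   ENABLED: content of /sys/module/apparmor/parameters/enabled ("Y" or "N")
# Returns 0 when AppArmorProfile= can be expected to take effect.
apparmor_usable() {
    virt="$1"; enabled="$2"
    # AppArmor not enabled in this kernel: there is no policy to apply.
    [ "$enabled" = "Y" ] || return 1
    # Inside a container the kernel cannot stack a second policy, so systemd
    # fails to change profile and the service never starts.
    [ "$virt" = "none" ] || return 1
    return 0
}

# render_dropin VIRT ENABLED
#   Prints a drop-in body whose empty assignment resets AppArmorProfile=,
#   or prints nothing when the profile should stay in force.
render_dropin() {
    if apparmor_usable "$1" "$2"; then
        return 0
    fi
    printf '%s\n' '[Service]' \
        '# Reset AppArmorProfile=: stacked AppArmor policy is unavailable here' \
        'AppArmorProfile='
}

# Probe the running system (falls back to "none"/"N" if the tools are absent).
current_virt() {
    v="$(systemd-detect-virt --container 2>/dev/null || true)"
    printf '%s\n' "${v:-none}"
}
current_aa() { cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N; }

# Write the drop-in for $UNIT and reload systemd (run as root).
install_dropin() {
    body="$(render_dropin "$(current_virt)" "$(current_aa)")"
    [ -n "$body" ] || { echo "AppArmorProfile= left in place for $UNIT"; return 0; }
    dir="/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    printf '%s\n' "$body" > "$dir/no-apparmor-in-container.conf"
    systemctl daemon-reload
    echo "Installed $dir/no-apparmor-in-container.conf"
}
```

Call `install_dropin` as root on the container's init; on a plain host it leaves the unit's confinement untouched.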

