On 08/26/2013 03:42 PM, 止语 wrote:
> I am playing with libvirt 1.1.1 (lxc).
> When I was starting an LXC container, the process location of cgroup is pretty , just
> the root directory from the process. But I could tune the cgroup in a container as a user that logged in. This
> is not acceptable...
> I wonder how to restrict it with AppArmor, so one cannot modify files in the cgroup fs,
> e.g. the cpus or mem.
> If I restrict it with "deny /sys/fs/cgroup/** wrklx," in AppArmor, the
> container would not start up:
> "Permission denied", because a process would mount the cgroup; it seems to be
> done by libvirt_lxc.
> Is there any way to restrict the cgroup in the container, or just not mount cgroup in the container
> at all?
> Any help would be appreciated, thanks.
The simplest way is to enable user namespaces for libvirt.
Below is the configuration you need in order to enable user namespaces:
[quote]
If you want to enable user namespaces, set the idmap element. The uid and gid elements have
three attributes:
  start
    First user id in the container.
  target
    The first user id in the container will be mapped to this target user id on the host.
  count
    How many users in the container are allowed to be mapped to host users.

  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
[/quote]
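To make the start/target/count semantics concrete, here is an added example (not from the thread or from libvirt itself) that parses the idmap element out of a domain definition, translates container ids to host ids, and flags mappings that would still leave container root equal to host root. The domain XML it uses is a constructed sample built around the idmap fragment quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal libvirt LXC domain definition carrying the
# <idmap> element from the thread. Only the idmap part is inspected here.
SAMPLE_DOMAIN_XML = """<domain type='lxc'>
  <name>demo</name>
  <idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
  </idmap>
</domain>"""


def parse_idmap(domain_xml):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]} from <idmap>."""
    root = ET.fromstring(domain_xml)
    result = {"uid": [], "gid": []}
    idmap = root.find("idmap")
    if idmap is None:
        return result  # no user namespace configured at all
    for kind in ("uid", "gid"):
        for el in idmap.findall(kind):
            result[kind].append(
                (int(el.get("start")), int(el.get("target")), int(el.get("count")))
            )
    return result


def container_to_host(mappings, container_id):
    """Translate a container id to the host id it lands on, or None if unmapped."""
    for start, target, count in mappings:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def idmap_problems(domain_xml):
    """List reasons why this idmap does not separate container root from host root."""
    problems = []
    maps = parse_idmap(domain_xml)
    for kind in ("uid", "gid"):
        if not maps[kind]:
            problems.append(f"no {kind} mapping: container {kind}s equal host {kind}s")
            continue
        if container_to_host(maps[kind], 0) == 0:
            problems.append(f"container {kind} 0 maps to host {kind} 0")
        # Overlapping host ranges make the mapping ambiguous; the kernel rejects them.
        ranges = sorted((t, t + c) for _, t, c in maps[kind])
        for (a_lo, a_hi), (b_lo, b_hi) in zip(ranges, ranges[1:]):
            if b_lo < a_hi:
                problems.append(f"overlapping host {kind} ranges {a_lo}-{a_hi - 1} and {b_lo}-{b_hi - 1}")
    return problems
```

With the sample above, container uid 0 resolves to host uid 1000, which is why a root shell inside the container lacks the host privileges needed to write to the cgroup filesystem.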