LXC 3 with Buster container certain services fails #1021

Open
lbthomsen opened this issue Apr 24, 2020 · 4 comments

@lbthomsen
Contributor

lbthomsen commented Apr 24, 2020

After upgrading to buster/lxc 3, some services fail when using buster-based containers - most noticeably:

apache2,
mariadb-server (mysql)
dovecot

@lbthomsen
Contributor Author

The reason is that the above services - in buster - create a private namespace for temporary files as a security measure. This is not allowed by default for lxc containers.

The solution is to allow this in the apparmor profile that the containers are using.

It is really bad style in Debian packages to modify files that belong to another package, so I suggest the following:

  1. We create a NEW /etc/apparmor.d/lxc/lxc-default-subutai profile and install this along with agent
  2. We create a NEW /usr/share/lxc/config/subutai.conf which enables above apparmor profile (and fuse while we're at it).
  3. We create new base templates that use our subutai.conf rather than debian.common.conf

This would be the most elegant approach.

@lbthomsen
Contributor Author

Suggested /etc/apparmor.d/lxc/lxc-default-subutai:

# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-subutai flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount options=(rw,bind),
  mount options=(rw,rbind),
  mount options=(rw,rshared),
  mount options=(ro,nosuid,noexec,remount,bind,strictatime),
}

Suggested /usr/share/lxc/config/subutai.conf:

# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Doesn't support consoles in /dev/lxc/
lxc.tty.dir =

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.apparmor.profile = unconfined
lxc.apparmor.profile = lxc-container-default-subutai

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file

# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
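A sanity check for the three-step plan above and the two files that implement it, added here as an example (not code from the issue or the subutai project): the AppArmor file is named lxc-default-subutai but the profile inside it is called lxc-container-default-subutai, and lxc.apparmor.profile must reference the latter. The two files are embedded as constructed, abbreviated strings instead of being read from /etc/apparmor.d/lxc/ and /usr/share/lxc/config/.

```python
import re

# Constructed, abbreviated copies of the two files suggested above.
APPARMOR_PROFILE = """\
profile lxc-container-default-subutai flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount options=(rw,bind),
  mount options=(rw,rbind),
}
"""
LXC_CONFIG = """\
lxc.include = /usr/share/lxc/config/common.conf
lxc.apparmor.profile = lxc-container-default-subutai
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file
"""

PROFILE_RE = re.compile(r"^\s*profile\s+(\S+)\s", re.M)
# One mount rule per line: optional "deny", then everything up to the trailing comma.
RULE_RE = re.compile(r"^\s*(deny\s+)?mount\s+(.*?),\s*$", re.M)


def parse_lxc_config(text):
    """Return an lxc config as {key: [values]}; keys such as lxc.cgroup.devices.allow repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def parse_apparmor_profile(text):
    """Return (profile names, allowed mount rules, denied mount rules)."""
    names = PROFILE_RE.findall(text)
    rules = RULE_RE.finditer(text)
    allowed, denied = [], []
    for m in rules:
        (denied if m.group(1) else allowed).append(m.group(2).strip())
    return names, allowed, denied


def check(lxc_text, profile_text):
    """Return a list of problems; an empty list means the two files agree."""
    conf = parse_lxc_config(lxc_text)
    names, allowed, denied = parse_apparmor_profile(profile_text)
    problems = []
    wanted = conf.get("lxc.apparmor.profile", [])
    if not wanted:
        problems.append("lxc.apparmor.profile unset: container falls back to the stock default profile")
    elif wanted[-1] != "unconfined" and wanted[-1] not in names:
        problems.append(f"profile {wanted[-1]!r} is not defined in the AppArmor file (found {names})")
    if "options=(rw,bind)" not in allowed:
        problems.append("no 'mount options=(rw,bind)' rule: private /tmp namespaces would be refused")
    if "fstype=devpts" not in denied:
        problems.append("devpts mounts are not denied as in the suggested profile")
    return problems
```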

@akarasulu
Contributor

Why did we not catch these on the upgrade? Obviously some services are still continuing to operate but I guess those were peers with fuse devices enabled?

@lbthomsen
Contributor Author

Only an issue with buster++ containers. And it is not even the OS as such but the packaging - buster apache and mariadb are using apparmor features not allowed in lxc containers by default.
