我正在尝试在 LXC 非特权容器中运行 Docker 容器。谁能建议我错过了什么?
如果我从 LXC 容器中删除 apparmor,它可以正常工作。似乎我需要做一些 apparmor 魔法才能在不禁用 apparmor 的情况下使其工作?
这是我当前的 LXC 容器配置:
# Unprivileged LXC container config intended to run Docker (nested containers) inside.
#
# NOTE(review): nesting.conf is included *before* common.conf and userns.conf.
# Later keys override earlier ones in LXC config, so anything nesting.conf sets
# (presumably the AppArmor profile that permits nesting, and a cgroup mount
# option) is likely reset by the distribution includes below -- which would
# explain why things only work once AppArmor is removed. The usual layout is
# common.conf, then userns.conf, then nesting.conf last; confirm against the
# actual contents of these files on the host.
lxc.include = /usr/share/lxc/config/nesting.conf
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
# For Ubuntu 14.04
# These bind-mount host kernel interfaces (debugfs, securityfs, pstore) into the
# container; they widen what the container can see of the host, so keep only
# the ones the workload actually needs ("optional" just means a missing source
# is not fatal).
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.include = /usr/share/lxc/config/userns.conf
# For Ubuntu 14.04
# efivars and binfmt_misc are host-global state; binfmt_misc in particular lets
# a writer register interpreters host-wide if it ends up mounted rw -- verify
# it is not writable from inside the container.
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
lxc.arch = linux64
# Container specific configuration
# User namespace mapping: container uid/gid 0..65535 -> host 1258512..1324047.
# Container root is unprivileged on the host only if this range is reserved for
# this container in /etc/subuid and /etc/subgid and not shared with others.
lxc.idmap = u 0 1258512 65536
lxc.idmap = g 0 1258512 65536
lxc.rootfs.path = dir:/var/lib/lxc/ubuntu/rootfs
lxc.uts.name = ubuntu
# Network configuration
lxc.net.0.type = veth
# lxc.net.0.link is set twice; the second value (lxcbr0) wins and the br0 line
# is dead config. Drop whichever bridge is not intended.
lxc.net.0.link = br0
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:3e:3f:77
lxc.net.0.ipv4.address = 10.0.3.242/24
lxc.net.0.ipv4.gateway = auto
# Resource limits. These are cgroup v1 style keys; on a cgroup v2 host they are
# presumably ignored -- TODO confirm which hierarchy the host runs.
lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cgroup.cpuset.cpus = 0-31
lxc.start.auto = 1