lxd容器与apparmor

安全很重要,但也很烦人。

lxd容器test8内无法启动tomcat9,查看服务状态如下:

# systemctl status tomcat9
● tomcat9.service - Apache Tomcat 9 Web Application Server
   Loaded: loaded (/lib/systemd/system/tomcat9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2019-06-06 20:52:24 CST; 10min ago
     Docs: https://tomcat.apache.org/tomcat-9.0-doc/index.html
  Process: 187 ExecStartPre=/usr/libexec/tomcat9/tomcat-update-policy.sh (code=exited, status=0/SUCCESS)
  Process: 191 ExecStart=/bin/sh /usr/libexec/tomcat9/tomcat-start.sh (code=exited, status=226/NAMESPACE)
 Main PID: 191 (code=exited, status=226/NAMESPACE)

Jun 06 20:52:24 test8 systemd[1]: Starting Apache Tomcat 9 Web Application Server...
Jun 06 20:52:24 test8 systemd[1]: Started Apache Tomcat 9 Web Application Server.
Jun 06 20:52:24 test8 systemd[191]: tomcat9.service: Failed to set up mount namespacing: Permission den
ied
Jun 06 20:52:24 test8 systemd[191]: tomcat9.service: Failed at step NAMESPACE spawning /bin/sh: Permiss
ion denied
Jun 06 20:52:24 test8 systemd[1]: tomcat9.service: Main process exited, code=exited, status=226/NAMESPA
CE
Jun 06 20:52:24 test8 systemd[1]: tomcat9.service: Failed with result 'exit-code'.

这里就是因为apparmor阻止了一些资源的访问,细粒度的配置还需要仔细阅读文档,当前可以暂时关闭apparmor对容器的所有限制

$ lxc config set test8 raw.lxc "lxc.apparmor.profile=unconfined"
$ lxc restart test8

然后就可以正常启动tomcat9服务了。

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.