change 'lxc.aa_*' to 'lxc.apparmor.*' if version 3.

2019-06-14 22:57:13 +02:00
parent 4a7ebb6a19
commit a3c8d5c12a
2 changed files with 81 additions and 9 deletions
--- a/create-lx-container.sh
+++ b/create-lx-container.sh
@@ -1057,15 +1057,11 @@ EOF
      fi
   fi

-
-
-
-
-
-
 fi

-cat << EOF >> ${LXC_CONTAINER_DIR}/config 2>> $err_msg
+
+if [[ $LXC_MAJOR_VERSION -lt 3 ]]; then
+   cat << EOF >> ${LXC_CONTAINER_DIR}/config 2>> $err_msg

 # Mount iso file inside LX Container
 #lxc.aa_profile = unconfined
@@ -1082,8 +1078,68 @@ lxc.start.order = 100
 # -
 lxc.cgroup.memory.limit_in_bytes = $(( $(free -b | grep -oP '\d+' | head -n 1)-1000000000 ))
 EOF
-if [[ $? -ne 0 ]]; then
-	_failed=true
+   if [[ $? -ne 0 ]]; then
+      _failed=true
+   fi
+else
+   cat << EOF >> ${LXC_CONTAINER_DIR}/config 2>> $err_msg
+
+# Mount iso file inside LX Container
+#lxc.apparmor.profile = unconfined
+#lxc.cgroup.devices.allow = b 7:* rwm
+#lxc.cgroup.devices.allow = c 10:237 rwm
+
+
+# Specify the apparmor profile under which the container should be run.
+#
+# To specify that the container should be unconfined, use
+#    lxc.apparmor.profile = unconfined
+#
+# If the apparmor profile should remain unchanged (i.e. if you are nesting
+# containers and are already confined), then use
+#    lxc.apparmor.profile = unchanged
+#
+# If you instruct LXC to generate the apparmor profile, then use
+#    lxc.apparmor.profile = generated
+#
+#
+# MariaDB (and maybe others) does not start
+# =========================================
+#
+# see also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920643
+#
+# AppArmor support in Debian has increased, thus preventing some systemd
+# isolation features to work in LXC 3.0.X. Debian has backported some
+# patches from LXC 3.1 that, along with some configurations in a
+# container, will allow systemd isolation features to work.
+#
+# This may entirely be a an apparmor/systemd issue and nothing to do
+# with mariadb.
+#
+# A workaround is to remove the the following lines from
+# systemd service file:
+#    ProtectSystem=full
+#    PrivateDevices=true
+#    ProtectHome=true
+#
+# Another workarround is to diasble apparmor here:
+#    lxc.apparmor.profile = unconfined
+#
+lxc.apparmor.profile = unconfined
+
+
+# Autostart
+lxc.start.auto = 1
+lxc.start.delay = 5
+lxc.start.order = 100
+
+# Limt memory to 1GB less than full Memory of the server
+# -
+lxc.cgroup.memory.limit_in_bytes = $(( $(free -b | grep -oP '\d+' | head -n 1)-1000000000 ))
+EOF
+   if [[ $? -ne 0 ]]; then
+      _failed=true
+   fi
 fi

 if $_failed ; then