Containers

From Apertis
Jump to: navigation, search

Contents

Background

Apertis is a quite complex system which uses a lot of linux infrastructure to make it secure and reliable, containers tend to be very flexible in how they can be deployed but one of the typical key aspects is to run the contained system with as little capabilities as possible.

Apertis can use AppArmor to enforce boundaries on contained systems.

Running Apertis VM

The easiest way is to try in self-hosted with an Apertis host and guest.

  • The first step is to launch the Apertis SDK image in VirtualBox or run an Apertis SDK image in Qemu VM:
    $ wget https://images.apertis.org/release/17.12/17.12.0/amd64/sdk/apertis_17.12-sdk-amd64-sdk_17.12.0.img.gz
    $ wget https://images.apertis.org/release/17.12/17.12.0/amd64/sdk/apertis_17.12-sdk-amd64-sdk_17.12.0.img.bmap
    $ bmaptool copy apertis_17.12-sdk-amd64-sdk_17.12.0.img.gz sdk.img
    $ qemu-system-x86_64 -virtioconsole mon:stdio -m 2048 -enable-kvm -cpu host -vga qxl \
      -net nic,model=virtio -net user,hostfwd=tcp::2222-:22 \
      -drive if=pflash,format=raw,readonly,file=/usr/share/ovmf/OVMF.fd \
      -drive if=virtio,format=raw,cache=unsafe,file=sdk.img
    
  • Log into the VM as user:user

Non-Apertis hosts

Kernel requirements

The kernel must have containers support. The AppArmor patches must be applied. Stock ubuntu kernel (4.8) and Apertis SDK kernel (4.4) are known to have the appropriate patches. The Apertis target kernel on amd64 and arm64 images have also been tested successfully.

To check if LXC is properly supported by your kernel:

sudo lxc-checkconfig

Container host setup

On Ubuntu, the following package versions were used:

  • apparmor 2.11.0-2ubuntu4
  • lxc 2.0.7-0ubuntu1~16.10.2
  • libgnutls30 3.5.3-5ubuntu1.1 (as a dependency)

AppArmor must be enabled on the host for the AppArmor-based application framework used by Apertis to work correctly in containers:

sudo aa-status --enabled && echo "AppArmor correctly enabled" || echo "AppArmor must be enabled for Apertis containers to work appropriately"

LXC must be allowed to let containers change profiles in their lxc-* AppArmor namespaces. Apertis already allows for that by default, while on Ubuntu this can be configured in /etc/apparmor.d/abstractions/lxc/start-container by adding that line at the end:

change_profile -> :lxc-*:unconfined,

Networking in the container

LXC automatically sets up a bridge device named lxcbr0, the configuration above makes it available in the container as eth0. DHCP is used by LXC to assign addresses, and connman in the Apertis container is able to pick it up automatically.

Apparmor notes

The key elements that must be mentioned in the guest configuration file are to mount /sys/kernel/security and the AppArmor profile in which the container is expected to run. The AppArmor profile in which applications in the container will run is the intersection of

  1. the profile in which the LXC container itself is running
  2. the profile of the application itself

An AppArmor namespace is defined to mask the container profile: applications can then apply their own profiles as they do on non-containerized setups, with the unconfined profile in the container actually being $NAMESPACE://unconfined and being subject to the container-level profile.

This creates a barrier between different containers and their profiles. For each container running on the same host, a different namespace is needed.

Running the Apertis container

Create Apertis container

Create container in Apertis VM

Create a container named apertis-test as root from any published OSTree-based ospack for LXC:

sudo lxc-create -t apertis-ostree --name apertis-test -- --ospack "https://images.apertis.org/daily/18.03/20180329.1/amd64/lxc/apertis_ostree_18.03-minimal-amd64-lxc_20180329.1.tar.gz"

Create container in non-Apertis host

  • Download the LXC template to be used for container creation and set executable bit on downloaded template file:
    wget https://git.apertis.org/cgit/apertis-image-recipes.git/plain/lxc/lxc-apertis-ostree
    chmod a+x lxc-apertis-ostree
    
  • Create a container named apertis-test as root from any published OSTree-based ospack for LXC:
    sudo lxc-create -t $PWD/lxc-apertis-ostree --name apertis-test -- --ospack "https://images.apertis.org/daily/18.03/20180329.1/amd64/lxc/apertis_ostree_18.03-minimal-amd64-lxc_20180329.1.tar.gz"
    

Start the container in foreground mode:

sudo lxc-start -F --name apertis-test

Upgrade container with OStree

Log into the container as user:user and pull the updated ostree, deploy and reboot into deployed OS tree:

sudo ostree admin upgrade -r

Shutdown

Shutting down the container will bring you back to the host:

sudo poweroff

Destroy container

Destroy the container:

sudo lxc-destroy --name apertis-test
Personal tools
Namespaces

Variants
Actions
Navigation
Tools