Apertis is a fairly complex system that relies on a lot of Linux infrastructure to be secure and reliable. Containers are very flexible in how they can be deployed, but one of the key principles is to run the contained system with as few capabilities as possible.
Apertis can use AppArmor to enforce boundaries on contained systems.
Running Apertis VM
The easiest way is to try it self-hosted, with an Apertis host and an Apertis guest.
- The first step is to launch the Apertis SDK image in VirtualBox, or run an Apertis SDK image in a QEMU VM:
$ wget https://images.apertis.org/release/17.12/17.12.0/amd64/sdk/apertis_17.12-sdk-amd64-sdk_17.12.0.img.gz
$ wget https://images.apertis.org/release/17.12/17.12.0/amd64/sdk/apertis_17.12-sdk-amd64-sdk_17.12.0.img.bmap
$ bmaptool copy apertis_17.12-sdk-amd64-sdk_17.12.0.img.gz sdk.img
$ qemu-system-x86_64 -virtioconsole mon:stdio -m 2048 -enable-kvm -cpu host -vga qxl \
    -net nic,model=virtio -net user,hostfwd=tcp::2222-:22 \
    -drive if=pflash,format=raw,readonly,file=/usr/share/ovmf/OVMF.fd \
    -drive if=virtio,format=raw,cache=unsafe,file=sdk.img
- Log into the VM as
The kernel must support containers and must carry the AppArmor patches. The stock Ubuntu kernel (4.8) and the Apertis SDK kernel (4.4) are known to carry the appropriate patches. The Apertis target kernel on the amd64 and arm64 images has also been tested successfully.
To check if LXC is properly supported by your kernel:
Container host setup
On Ubuntu, the following package versions were used:
libgnutls30 3.5.3-5ubuntu1.1 (as a dependency)
AppArmor must be enabled on the host for the AppArmor-based application framework used by Apertis to work correctly in containers:
sudo aa-status --enabled && echo "AppArmor correctly enabled" || echo "AppArmor must be enabled for Apertis containers to work appropriately"
LXC must be allowed to let containers change profiles in their lxc-* AppArmor namespaces. Apertis already allows that by default, while on Ubuntu it can be configured in /etc/apparmor.d/abstractions/lxc/start-container by adding this line at the end:
change_profile -> :lxc-*:unconfined,
Networking in the container
LXC automatically sets up a bridge device named lxcbr0; the configuration above makes it available in the container as
DHCP is used by LXC to assign addresses, and connman in the Apertis container picks them up automatically.
The key elements that must be present in the guest configuration file are the mount of /sys/kernel/security and the AppArmor profile in which the container is expected to run. The AppArmor profile in which applications in the container will run is the intersection of
- the profile in which the LXC container itself is running
- the profile of the application itself
An AppArmor namespace is defined to mask the container profile: applications can then apply their own profiles as they do on non-containerized setups, with the unconfined profile in the container actually being $NAMESPACE://unconfined and thus still subject to the container-level profile. This creates a barrier between different containers and their profiles. A different namespace is needed for each container running on the same host.
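As an added illustration of the intersection rule above (example code written for this page, not part of Apertis or LXC): a toy model that parses a few AppArmor-style file rules and computes what an application inside a container may actually do, assuming the hypothetical container-level and application profiles embedded below.

```python
import re
# Toy model of AppArmor file rules: only permission letters r, w, m, k, l,
# no execute qualifiers (ix/px/ux) and no other rule types.
RULE_RE = re.compile(r"^\s*(\S+)\s+([rwmkl]+)\s*,\s*$")

def glob_to_regex(pattern):
    """AppArmor-style path glob: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_profile(text):
    """Parse 'path perms,' lines into (compiled glob, permission set) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules

def allowed(rules, path):
    """Permissions one profile grants on path: the union of all matching rules."""
    return set().union(*(p for rx, p in rules if rx.match(path)))

def effective(container_rules, app_rules, path):
    """What an app inside the container really gets: container profile AND app profile."""
    return allowed(container_rules, path) & allowed(app_rules, path)

# Constructed sample profiles (hypothetical, not from Apertis or LXC).
CONTAINER_RULES = parse_profile("""
/usr/** rm,        # container may read/map but never write under /usr
/home/** rw,
/tmp/** rwk,
""")
APP_RULES = parse_profile("""
/usr/lib/** rwm,   # app asks for write access that the container profile refuses
/home/user/** rw,
/tmp/myapp-* rwk,  # a single '*' does not cross a directory boundary
""")
```

Even though the application profile alone would grant write access under /usr/lib, the container-level profile wins and the effective permission set drops to read and map.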
Running the Apertis container
Create Apertis container
Create container in Apertis VM
Create a container named apertis-test as root from any published OSTree-based ospack for LXC:
sudo lxc-create -t apertis-ostree --name apertis-test -- --ospack "https://images.apertis.org/daily/18.03/20180329.1/amd64/lxc/apertis_ostree_18.03-minimal-amd64-lxc_20180329.1.tar.gz"
Create container in non-Apertis host
- Download the LXC template to be used for container creation and set the executable bit on the downloaded template file:
wget https://git.apertis.org/cgit/apertis-image-recipes.git/plain/lxc/lxc-apertis-ostree
chmod a+x lxc-apertis-ostree
- Create a container named apertis-test as root from any published OSTree-based ospack for LXC:
sudo lxc-create -t $PWD/lxc-apertis-ostree --name apertis-test -- --ospack "https://images.apertis.org/daily/18.03/20180329.1/amd64/lxc/apertis_ostree_18.03-minimal-amd64-lxc_20180329.1.tar.gz"
Start the container in foreground mode:
sudo lxc-start -F --name apertis-test
Upgrade the container with OSTree
Log into the container as user:user, then pull the updated OSTree, deploy it and reboot into the deployed OS tree:
sudo ostree admin upgrade -r
Shutting down the container will bring you back to the host:
Destroy the container:
sudo lxc-destroy --name apertis-test