I'm using nested LXC with the lxc-container-default-with-nesting profile, which looks like the following:
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/lxc/container-base>
    #include <abstractions/lxc/start-container>
    # Uncomment the line below if you are not using cgmanager
    # mount fstype=cgroup -> /sys/fs/cgroup/**,
    deny /dev/.lxc/proc/** rw,
    deny /dev/.lxc/sys/** rw,
    mount fstype=proc -> /var/cache/lxc/**,
    mount fstype=sysfs -> /var/cache/lxc/**,
    mount options=(rw,bind),
}
I have two questions about the following line:
mount fstype=proc -> /var/cache/lxc/**,
Why is it safe to allow the container to mount /proc?
Why does the container need to mount /proc under /var/cache/lxc?
Nested Container Configuration
That config file allows you to create nested LXC containers, one inside another. By default, this is disabled since it bypasses some of the default cgroup restrictions (more info here).
In general, it changes apparmor rules to allow lxc to re-mount certain system resources (with certain restrictions) inside the container.
lxc.container.conf
If you look at man lxc.container.conf, this section explains settings you can edit for how proc is mounted. I think it uses proc:mixed by default (but I haven't confirmed this!)
Unprivileged LXC
As an aside, if you're not using unprivileged LXC, you should be. Seriously. It adds an additional layer of protection that restricts what the root user in the container can do (it actually maps it to a non-root user outside the container). This provides an additional layer of protection for /proc in case something slips by the AppArmor rules.
As far as why it uses /var/cache/lxc, I have no idea. A guess would be that it has to do with not conflicting with cgmanager. Looking at the source might be a good place to start if you're interested in the reasoning.
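The answer points at three container settings that decide how much the nested setup relaxes: the AppArmor profile, the proc mount mode in lxc.mount.auto, and whether the container is unprivileged (has a uid/gid map). The POSIX sh script below is an added example, not code from the question, the answer or the LXC project: it writes a constructed sample container config and audits those three settings, flagging the risky combination of the nesting profile on a privileged container. The config keys lxc.aa_profile / lxc.apparmor.profile, lxc.mount.auto and lxc.id_map / lxc.idmap are real LXC keys (the second of each pair is the newer spelling); the sample values, the temp file path and the warning policy are assumptions made for the demo.

```shell
# Added example (not from the original post): audit an LXC container config for
# the settings the answer discusses. POSIX sh, no LXC needed to run it.

# Constructed sample config, written to a temp file so the demo runs offline.
SAMPLE_CONF="${TMPDIR:-/tmp}/lxc-nesting-demo.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example container config (not a real deployment)
lxc.utsname = nested-demo
lxc.aa_profile = lxc-container-default-with-nesting
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
EOF

# conf_value FILE KEY: print the value of the first non-comment "KEY = value" line.
conf_value() {
    awk -v key="$2" -F'=' '
        $0 !~ /^[[:space:]]*#/ {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# apparmor_profile FILE: newer key first, then the legacy key, else "default".
apparmor_profile() {
    p="$(conf_value "$1" lxc.apparmor.profile)"
    [ -n "$p" ] || p="$(conf_value "$1" lxc.aa_profile)"
    [ -n "$p" ] || p="default"
    echo "$p"
}

# proc_mount_mode FILE: the mode given for proc in lxc.mount.auto.
# proc:mixed mounts /proc read-write but remounts /proc/sys and
# /proc/sysrq-trigger read-only; proc:rw leaves all of /proc writable.
# Assumption (matches the answer's reading of the man page): a bare "proc"
# entry is treated as proc:mixed.
proc_mount_mode() {
    auto="$(conf_value "$1" lxc.mount.auto)"
    [ -n "$auto" ] || { echo none; return; }
    for entry in $auto; do
        case "$entry" in
            proc)   echo mixed; return ;;
            proc:*) echo "${entry#proc:}"; return ;;
        esac
    done
    echo none
}

# is_unprivileged FILE: "yes" if a uid map is configured, "no" otherwise.
is_unprivileged() {
    if grep -Eq '^[[:space:]]*lxc\.(idmap|id_map)[[:space:]]*=[[:space:]]*u[[:space:]]' "$1"; then
        echo yes
    else
        echo no
    fi
}

# nesting_audit FILE: one summary line; non-zero exit for the risky combination
# of the nesting profile on a privileged (unmapped) container.
nesting_audit() {
    prof="$(apparmor_profile "$1")"
    mode="$(proc_mount_mode "$1")"
    unpriv="$(is_unprivileged "$1")"
    echo "profile=$prof proc=$mode unprivileged=$unpriv"
    if [ "$prof" = "lxc-container-default-with-nesting" ] && [ "$unpriv" = "no" ]; then
        echo "WARNING: nesting profile on a privileged container" >&2
        return 1
    fi
    return 0
}

nesting_audit "$SAMPLE_CONF"
```

Run it against a real container's config by replacing SAMPLE_CONF with the path to that container's config file; the warning is the case the answer argues against, a container whose root is real root on the host while the relaxed nesting profile is in effect.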