From 9c744cb454f7d912ae1dd6215caf550a25929944 Mon Sep 17 00:00:00 2001
From: Abin Shahab
Date: Thu, 22 Jan 2015 03:58:43 +0000
Subject: [PATCH] Fixes apparmor regression

Signed-off-by: Abin Shahab (github: ashahab-altiscale)
Docker-DCO-1.1-Signed-off-by: Abin Shahab (github: ashahab-altiscale)
---
 daemon/execdriver/lxc/lxc_template.go | 4 ++--
 daemon/execdriver/lxc/lxc_template_unit_test.go | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/daemon/execdriver/lxc/lxc_template.go b/daemon/execdriver/lxc/lxc_template.go
index dafd525125..9de799dd52 100644
--- a/daemon/execdriver/lxc/lxc_template.go
+++ b/daemon/execdriver/lxc/lxc_template.go
@@ -75,8 +75,8 @@ lxc.aa_profile = unconfined
 # In non-privileged mode, lxc will automatically mount /proc and /sys in readonly mode
 # for security. See: http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html
 lxc.mount.auto = proc sys
- {{if .AppArmor}}
-lxc.aa_profile = .AppArmorProfile
+ {{if .AppArmorProfile}}
+lxc.aa_profile = {{.AppArmorProfile}}
 {{end}}
 {{end}}

diff --git a/daemon/execdriver/lxc/lxc_template_unit_test.go b/daemon/execdriver/lxc/lxc_template_unit_test.go
index e072f8dbb4..bb622d4bc5 100644
--- a/daemon/execdriver/lxc/lxc_template_unit_test.go
+++ b/daemon/execdriver/lxc/lxc_template_unit_test.go
@@ -248,7 +248,8 @@ func TestCustomLxcConfigMisc(t *testing.T) {
 }
 defer os.RemoveAll(root)
 os.MkdirAll(path.Join(root, "containers", "1"), 0777)
- driver, err := NewDriver(root, "", false)
+ driver, err := NewDriver(root, "", true)
+
 if err != nil {
 t.Fatal(err)
 }
@@ -271,9 +272,10 @@ func TestCustomLxcConfigMisc(t *testing.T) {
 Bridge: "docker0",
 },
 },
- ProcessConfig: processConfig,
- CapAdd: []string{"net_admin", "syslog"},
- CapDrop: []string{"kill", "mknod"},
+ ProcessConfig: processConfig,
+ CapAdd: []string{"net_admin", "syslog"},
+ CapDrop: []string{"kill", "mknod"},
+ AppArmorProfile: "lxc-container-default-with-nesting",
 }

 p, err := driver.generateLXCConfig(command)
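Review bot: In lxc_template.go the new `lxc.aa_profile = {{.AppArmorProfile}}` line writes the profile name verbatim into a line-oriented LXC config, and nothing in this hunk constrains what that string may contain. If the template is rendered without escaping (the rendering code is not visible here), a value containing a line break would add further lines to the container's config, so the name should be checked to be a single token before `generateLXCConfig` renders it, and the template could carry a comment such as `# AppArmorProfile must be a validated single-line profile name`. The guard also moved from the `.AppArmor` field to a non-empty `.AppArmorProfile`, so an empty profile now emits no `lxc.aa_profile` line in the non-privileged branch and confinement falls back to whatever LXC applies by default; that fallback deserves a one-line comment. The template block starts and ends outside the hunk.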
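Review bot: In the first hunk of lxc_template_unit_test.go the third argument to `NewDriver` flips from `false` to `true` as a bare literal, and nothing here says what it switches on. Since the template now keys on `.AppArmorProfile` rather than `.AppArmor`, it is not evident from this diff that the flip is needed for the new assertion; if it is, a short comment naming the parameter (for example `// true: AppArmor-enabled driver, confirm against NewDriver`) would help, and the `false` configuration should keep coverage in another test. The added blank line between the call and `if err != nil` separates the error from its check and can be dropped. TestCustomLxcConfigMisc starts and ends outside the hunk.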
@@ -287,7 +289,7 @@ func TestCustomLxcConfigMisc(t *testing.T) {
 grepFile(t, p, "lxc.network.ipv4 = 10.10.10.10/24")
 grepFile(t, p, "lxc.network.ipv4.gateway = 10.10.10.1")
 grepFile(t, p, "lxc.network.flags = up")
-
+ grepFile(t, p, "lxc.aa_profile = lxc-container-default-with-nesting")
 // hostname
 grepFile(t, p, "lxc.utsname = testhost")
 grepFile(t, p, "lxc.cgroup.cpuset.cpus = 0,1")
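Review bot: The new `grepFile` assertion covers only the case where a profile is set, while the regression being fixed was the template emitting the wrong text for `lxc.aa_profile`. A complementary case is missing: with `AppArmorProfile` left empty, the generated config should contain no `lxc.aa_profile` line in the non-privileged branch. How `grepFile` matches is not visible here, so an absence check may need its own helper. The assertion also took the place of the blank line that separated the network checks from `// hostname`; keeping that separator and putting `// apparmor` above the new line would keep the groups readable.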