[pkg-lxc-devel] Bug#1037303: lxc sets the wrong broadcast address on containers after upgrade to bookworm

Matthew Darwin bugs at mdarwin.ca
Sat Jun 10 18:34:50 BST 2023


Package: lxc
Version: 1:5.0.2-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

Upgraded from bullseye to bookworm.
The broadcast address changed within the container

$ ip route show table local dev eth0 scope link
broadcast 0.0.127.255 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113

using this configuration:

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.veth.pair = p_dav-test
lxc.net.0.name = eth0
lxc.net.0.ipv4.address = 172.21.3.113/17
lxc.net.0.ipv4.gateway = 172.21.1.1

Expectation is that everything works the same as with the previous version of lxc, i.e. that we get the following:

$ ip route show table local dev eth0 scope link
broadcast 172.21.0.0 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Upgrade debian 11 to debian 12 and reboot the server.

   * What was the outcome of this action?
   * What outcome did you expect instead?

Everything works exactly the same.

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.82
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  iproute2                     6.1.0-3
ii  iptables                     1.8.9-2
ii  libapparmor1                 3.0.8-3
ii  libc6                        2.36-9
ii  libcap2                      1:2.66-4
ii  libgcc-s1                    12.2.0-14
ii  liblxc-common                1:5.0.2-1
ii  liblxc1                      1:5.0.2-1
ii  libseccomp2                  2.5.4-1+b3
ii  libselinux1                  3.4-1+b6
ii  lsb-base                     11.6
ii  sysvinit-utils [lsb-base]    3.06-4

Versions of packages lxc recommends:
ii  apparmor       3.0.8-3
pn  debootstrap    <none>
pn  dirmngr        <none>
pn  gnupg          <none>
pn  libpam-cgfs    <none>
pn  lxc-templates  <none>
ii  lxcfs          5.0.3-1
ii  openssl        3.0.9-1
pn  rsync          <none>
pn  uidmap         <none>
pn  wget           <none>

Versions of packages lxc suggests:
pn  btrfs-progs  <none>
pn  lvm2         <none>
pn  python3-lxc  <none>

-- Configuration Files:
/etc/apparmor.d/abstractions/lxc/start-container changed:
  network,
  capability,
  file,
  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  dbus,
  signal,
  ptrace,
  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount options=(rw, make-shared) -> **,
  mount options=(rw, make-rshared) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},
  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
  # required for some pre-mount hooks
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,
  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root.  So allow all umounts
  # right now.  They'll be restricted for the container at least.
  umount,
  #umount /mnt/{**,},
  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib*/lxc/,
  pivot_root /usr/lib*/*/lxc/,
  pivot_root /usr/lib*/lxc/**,
  pivot_root /usr/lib*/*/lxc/**,
  pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  change_profile -> lxc-*,
  change_profile -> lxc-**,
  change_profile -> unconfined,
  change_profile -> :lxc-*:unconfined,

/etc/apparmor.d/lxc/lxc-default-cgns changed:
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=overlay,
}

/etc/apparmor.d/lxc/lxc-default-with-nesting changed:
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount options=(rw,rbind) -> /run/systemd/unit-root/,
  mount options=(rw,rbind) -> /run/systemd/unit-root/**,
  mount options=(rw,rshared) -> /,
  mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}


-- debconf information:
  lxc/auto_update_config:



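Added example, not part of the bug report and not lxc code: the correct derivation of the IPv4 directed broadcast from the `lxc.net.0.ipv4.address` CIDR in the report, beside a hypothetical faulty derivation, plus a check over `ip route show table local` output. For a /17, `~netmask` on its own is exactly `0.0.127.255`, the value the report shows, so the faulty variant below (an assumption for illustration; the report does not identify the actual cause in lxc 5.0.2) reproduces the symptom by leaving the address out of the OR. The two route listings are copied from the report; everything else is constructed here.

```python
#!/usr/bin/env python3
"""Added example (not lxc's code): derive the broadcast address for an
lxc.net.N.ipv4.address CIDR and sanity-check the container's local
broadcast routes against it."""
import ipaddress
import re


def _netmask(plen: int) -> int:
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length {plen}")
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def broadcast_address(cidr: str) -> str:
    """Correct derivation: broadcast = address | ~netmask (all host bits set)."""
    addr, plen = cidr.split("/")
    a = int(ipaddress.IPv4Address(addr))
    hostmask = ~_netmask(int(plen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(a | hostmask))


def network_address(cidr: str) -> str:
    """Network address: address & netmask (the other broadcast route the kernel adds)."""
    return str(ipaddress.IPv4Interface(cidr).network.network_address)


def hostmask_only(cidr: str) -> str:
    """Hypothetical faulty derivation (an assumption for illustration, not
    taken from lxc): ~netmask without the address ORed in.  For a /17 this
    is 0.0.127.255, which matches the wrong route in the report."""
    plen = int(cidr.split("/")[1])
    return str(ipaddress.IPv4Address(~_netmask(plen) & 0xFFFFFFFF))


# Lines as printed by `ip route show table local dev eth0 scope link`.
ROUTE_RE = re.compile(r"^broadcast (\S+) proto kernel src (\S+)")


def check_local_broadcasts(cidr: str, route_output: str) -> list:
    """Return every kernel broadcast route that does not belong to the
    interface's subnet, i.e. whose destination is neither the network
    address nor the directed broadcast of `cidr`, or whose src differs."""
    iface = ipaddress.IPv4Interface(cidr)
    allowed = {network_address(cidr), broadcast_address(cidr)}
    bad = []
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest, src = m.groups()
        if src != str(iface.ip) or dest not in allowed:
            bad.append(line.strip())
    return bad


# Both listings copied from the bug report (container with 172.21.3.113/17).
BROKEN_ROUTES = """broadcast 0.0.127.255 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113"""

EXPECTED_ROUTES = """broadcast 172.21.0.0 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113"""


if __name__ == "__main__":
    cidr = "172.21.3.113/17"  # lxc.net.0.ipv4.address from the report
    print("correct broadcast :", broadcast_address(cidr))
    print("network address   :", network_address(cidr))
    print("~netmask only     :", hostmask_only(cidr))
    print("stray routes (bad):", check_local_broadcasts(cidr, BROKEN_ROUTES))
    print("stray routes (ok) :", check_local_broadcasts(cidr, EXPECTED_ROUTES))
```

To use this against a live container, run `ip route show table local dev eth0 scope link` inside it and pass the output to `check_local_broadcasts` with the CIDR from the container's config; an empty list means both kernel-added broadcast routes are the subnet's own. The check assumes a prefix shorter than /31, since the kernel adds no broadcast routes for /31 and /32.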