[pkg-apparmor] [pkg-lxc-devel] Bug#880502: lxc: cannot start container with kernel 4.13.10

Ben Hutchings ben at decadent.org.uk
Wed Nov 1 21:13:18 UTC 2017


On Wed, 2017-11-01 at 15:38 +0100, Evgeni Golov wrote:
> Ohai,
> 
> On Wed, Nov 01, 2017 at 12:00:12PM -0200, Antonio Terceiro wrote:
> > >       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
> > >       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
> > >       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
> > 
> > So, I tried downgrading the kernel to the one in testing, rebooted, and
> > now I can start containers again. So this is being caused by a change in
> > the kernel between 4.13.4-2 and 4.13.10-1.
> > 
> > I still need to study the lxc code path that is being triggered to be
> > able to provide more useful information. Since the issue is definitively
> > related to apparmor, I am also copying the apparmor team in case they
> > have any input to provide.
> 
> Can you try to set "lxc.aa_allow_incomplete = 1" in your config?
> LXC expects Ubuntu's patched kernels when it comes to AppArmor, not the
> upstream ones :(
> 
> And I think Debian enabled AppArmor by default in the latest kernels.

Yes, that's the change made in 4.13.10-1.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an
expert.
