[pkg-lxc-devel] Bug#880502: [pkg-apparmor] Bug#880502: lxc: cannot start container with kernel 4.13.10

intrigeri intrigeri at debian.org
Sun Nov 5 12:23:09 UTC 2017


Hi!

Sorry for the delay, I didn't expect AppArmor to be enabled in the
kernel a week ago (I thought I would coordinate this with Ben)
and I was busy with the Reproducible Builds summit this week.

Thanks Felix & Antonio for being on top of things. I'm glad the
immediate RC issue was fixed.

Felix Geyer:
> There are two issues:

> lxc expects mount mediation to be present in AppArmor. This isn't upstream (yet) so it's missing
> from the Debian kernel too.

FYI mount mediation is upstream since some time in the 4.14 cycle.
We have it in Debian experimental (Linux 4.14.0-rc7).

But for now I've disabled it on Debian even when running Linux 4.14.
It'll be enabled at some point in the future, not sure when exactly
(#880078).

> More fundamentally lxc makes the assumption that the AppArmor userspace tools are available if
> AppArmor is active in the kernel.
> When starting a container lxc detects that AppArmor is active and tries to transition to a
> profile. This fails if the apparmor package hasn't been installed as lxc has no way to load profiles.

I believe libvirt implements the exact same logic… minus the bug.
This might provide inspiration to whoever wants to fix this bug in
LXC :)

If these bugs are not tracked upstream yet: Felix, you seem to be the
one of us with the best understanding of the problem and you know
AppArmor pretty well, so perhaps you would be the best person to
report them?

Cheers,
-- 
intrigeri
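As an added illustration of the second issue (not code from LXC, libvirt or the bug report): a container manager should check all three preconditions before attempting a profile transition, namely that the kernel has AppArmor enabled, that the userspace tooling needed to load profiles is installed, and whether mount mediation is available. The paths and the `apparmor_parser` lookup below reflect the standard interfaces on a Debian system; the fixture builder and the action names are constructed for this example so the logic can be exercised offline against a fake layout rather than the live host.

```python
"""Added example: decide whether an AppArmor profile transition is viable.

Assumed interfaces (standard on Linux/Debian, parameterised here so the
logic can run against a constructed layout):
  <sysfs>/module/apparmor/parameters/enabled   contains "Y" when AppArmor is on
  <securityfs>/apparmor/features/mount/        exists when mount mediation is supported
  apparmor_parser on PATH                      shipped by the `apparmor` package
"""
import shutil
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def apparmor_enabled(sysfs: Path = Path("/sys")) -> bool:
    """True when the kernel reports AppArmor as enabled."""
    flag = sysfs / "module" / "apparmor" / "parameters" / "enabled"
    try:
        return flag.read_text().strip() == "Y"
    except OSError:  # module absent or parameter unreadable: treat as disabled
        return False


def mount_mediation_available(securityfs: Path = Path("/sys/kernel/security")) -> bool:
    """True when the kernel advertises the mount mediation feature."""
    return (securityfs / "apparmor" / "features" / "mount").is_dir()


def userspace_tools_available(search_path: Optional[str] = None) -> bool:
    """True when apparmor_parser, needed to load profiles, can be found."""
    return shutil.which("apparmor_parser", path=search_path) is not None


def confinement_plan(sysfs: Path = Path("/sys"),
                     securityfs: Path = Path("/sys/kernel/security"),
                     search_path: Optional[str] = None) -> dict:
    """Combine the checks into one decision instead of assuming tools exist."""
    enabled = apparmor_enabled(sysfs)
    tools = userspace_tools_available(search_path)
    mount = mount_mediation_available(securityfs)
    if not enabled:
        action = "unconfined"                    # nothing to transition to
    elif not tools:
        action = "unconfined-with-warning"       # the situation in this bug: kernel on, no tools
    elif not mount:
        action = "confined-without-mount-rules"  # profile must not rely on mount mediation
    else:
        action = "confined"
    return {"apparmor_enabled": enabled, "userspace_tools": tools,
            "mount_mediation": mount, "action": action}


def make_fixture(root: Path, enabled: bool, mount: bool, parser: bool) -> Tuple[Path, Path, str]:
    """Build a constructed sysfs/securityfs/PATH layout under root (test data only)."""
    sysfs, securityfs, bindir = root / "sys", root / "securityfs", root / "bin"
    params = sysfs / "module" / "apparmor" / "parameters"
    params.mkdir(parents=True)
    (params / "enabled").write_text("Y\n" if enabled else "N\n")
    features = securityfs / "apparmor" / "features"
    features.mkdir(parents=True)
    if mount:
        (features / "mount").mkdir()
    bindir.mkdir()
    if parser:
        exe = bindir / "apparmor_parser"
        exe.write_text("#!/bin/sh\nexit 0\n")  # stand-in binary, constructed
        exe.chmod(0o755)
    return sysfs, securityfs, str(bindir)


def scenario(enabled: bool, mount: bool, parser: bool) -> dict:
    """Run confinement_plan against a throwaway constructed layout."""
    with tempfile.TemporaryDirectory() as tmp:
        sysfs, securityfs, path = make_fixture(Path(tmp), enabled, mount, parser)
        return confinement_plan(sysfs, securityfs, path)


if __name__ == "__main__":
    # Kernel 4.13.10 with AppArmor on but no apparmor package installed:
    print(scenario(enabled=True, mount=False, parser=False))
    # What the live host looks like:
    print(confinement_plan())
```

The point of the constructed scenarios is the middle case: AppArmor active in the kernel, no `apparmor_parser` on the system, so the only safe outcome is to start the container unconfined and say so loudly, rather than attempting a transition that cannot succeed.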
