[pkg-lxc-devel] Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

intrigeri intrigeri at debian.org
Sat Oct 27 09:20:15 BST 2018 

Hi LXC maintainers,

intrigeri:
>    Ideally, picking the best strategy and implementing it would be
>    a matter of coordination between LXC and systemd (ideally upstream,
>    but quite possibly distro maintainers will need to be involved
>    here). I'll raise this issue to the Ubuntu LXC and AppArmor folks.

Done. To sum up:

 - LX*D* apparently has the support needed to set up AppArmor policy
   in a way that should not be affected by the problem this thread
   is about (running systemd v240+ in a container). autopkgtest has
   a LXD backend but LXD is not in Debian yet (WIP, see #768073; I'm
   not counting on this being completed in time for the Buster freeze).

 - Similar support was added to LXC 3.x branch. It won't be backported
   to 2.x (that we currently have in testing/sid). I've asked about
   the timeline to release 3.x as stable and Stéphane Graber replied:
   "I think we were aiming towards February-ish originally but there's
   no real reason to wait that long either, so if Christian isn't
   waiting for some big changes to land before doing a non-LTS feature
   release, we should be able to tag one next month. It'd be worth
   someone make sure that current master with the apparmor work that
   was done by Wolfgang will do the right thing out of the box though,
   otherwise that wouldn't really achieve a whole lot."

So on the LXC + AppArmor vs. systemd v240+ front, I think the next
steps are:

1. Try running current systemd master branch and its autopkgtests
   inside a container managed by LXC 2.x on current testing/sid.
   Goal: confirm the issues Michael discovered and have a baseline
   to evaluate LXC 3.x against.

2. Try running current systemd master branch and its autopkgtests
   inside a container managed by LXC 3.x on current testing/sid.
   Report any issue so they're fixed before 3.x becomes stable
   and is hopefully included in Buster.

For details, see:
https://lists.ubuntu.com/archives/apparmor/2018-October/011830.html
… except Stéphane Graber's messages are apparently held for moderation
so they don't appear in the list archives yet.

Cheers,
-- 
intrigeri

More information about the Pkg-lxc-devel mailing list