[pkg-lxc-devel] Bug#911806: Please provide a way to opt out of AppArmor confinement when running tests

intrigeri intrigeri at debian.org
Sun Dec 16 19:01:28 GMT 2018


Hi,

Michael Biebl:
> $ ./make-dsc
> <this will create a systemd_$version+upstream$date-0.master.dsc>

It took me a while to get back to this thread; obviously upstream
master has moved on since you wrote this, so:

I had to update Use-Debian-specific-config-files.patch to make it
apply and use helper functions in a way that's compatible with their
current API. Updated patch attached, in case it may save you
some time.

I've also added two patches to BLACKLIST (refreshing them seemed
non-trivial as I'm not a C developer):
Revert-udev-network-device-renaming-immediately-give.patch
fsckd-daemon-for-inter-fsckd-communication.patch

> lxc.aa_profile = unconfined

FTR with LXC 3.x that's now:

  lxc.apparmor.profile = unconfined

> There are currently two known failures with AA turned off:
> - dnsmasq 2.80 introduced a regression in networkd-test.py
> - test-bpf failing

Confirmed with lxc 1:3.0.3-1 from sid.

> With AA turned on, the list of failing tests is too long to list here.

Confirmed with lxc 1:3.0.3-1 from sid: the exact same tests pass/fail
as in your logs. I see lots of mount operations denied by AppArmor.
That's expected because the AppArmor vs. systemd fixes are in LXC
3.1.0, which was released a few days ago, but not in LXC 3.0.3.

Then I've cherry-picked on top of lxc 3.0.3-1 the 3 upstream commits
that implement the nested containers vs. AppArmor fixes; and in the
config of the LXC container I use for autopkgtests I've set:

  lxc.apparmor.profile = generated
  lxc.apparmor.allow_nesting = 1

With this configuration, the systemd autopkgtests work just as well
as unconfined \o/

My current plan is thus:

1. Ask the src:lxc maintainers to apply these 3 upstream patches
   until they upgrade the package to 3.1.0+.

2. Ask the debci maintainers to use the config described above
   for LXC containers used to run autopkgtests, once they upgrade
   to Buster.

3. Let you decide what to do with the request this bug report was
   originally about.

> Hope this is helpful.

This was *very* helpful and saved me lots of time :)

Thanks for your patience,
cheers,
-- 
intrigeri
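The thread turns on two LXC config keys: the renamed `lxc.apparmor.profile` (old `lxc.aa_profile`) and `lxc.apparmor.allow_nesting`. Below is an added example, not from this bug report or the lxc package, that audits a container config for which of those states it is in, so an `unconfined` or stale 2.x-style setting on a test host is easy to spot; the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example: classify the AppArmor confinement an LXC 3.x container
# config requests. Prints one word so it can be captured; always exits 0.
#   unconfined        lxc.apparmor.profile = unconfined (no MAC at all)
#   generated-nested  profile = generated plus allow_nesting = 1, the
#                     combination the thread found works for systemd tests
#   generated         profile = generated without nesting
#   legacy:<v>        the pre-3.0 key lxc.aa_profile is still in use
#   unset             no profile key at all; LXC picks its own default
#   named:<v>         an explicit custom profile name

cfg_value() {
    # $1 config file, $2 key as a sed regex; trailing comments are
    # dropped and the last assignment in the file is taken
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

lxc_apparmor_state() {
    legacy=$(cfg_value "$1" 'lxc\.aa_profile')
    profile=$(cfg_value "$1" 'lxc\.apparmor\.profile')
    nesting=$(cfg_value "$1" 'lxc\.apparmor\.allow_nesting')
    if [ -n "$legacy" ]; then
        echo "legacy:$legacy"
        return 0
    fi
    case "$profile" in
        unconfined) echo unconfined ;;
        generated)  if [ "$nesting" = 1 ]; then echo generated-nested; else echo generated; fi ;;
        "")         echo unset ;;
        *)          echo "named:$profile" ;;
    esac
    return 0
}

# Constructed sample configs, written to a scratch directory for the demo.
demo=$(mktemp -d)
printf 'lxc.apparmor.profile = generated\nlxc.apparmor.allow_nesting = 1\n' > "$demo/nested.conf"
printf '# 2.x style key, silently ignored by LXC 3.x\nlxc.aa_profile = unconfined\n' > "$demo/legacy.conf"
printf 'lxc.apparmor.profile = unconfined # tests only\n' > "$demo/open.conf"
for f in "$demo"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(lxc_apparmor_state "$f")"
done
rm -r "$demo"
```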

A non-text attachment was scrubbed...
Name: Use-Debian-specific-config-files.patch
Type: text/x-diff
Size: 16131 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20181216/f7db3fd5/attachment.patch>
