[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

Pierre-Elliott Bécue peb at debian.org
Thu Jan 10 23:58:09 GMT 2019

Le dimanche 16 décembre 2018 à 20:22:05+0100, intrigeri at debian.org a écrit :
> Package: lxc
> Version: 1:3.0.3-1
> Severity: normal
> Tags: patch
> X-Debbugs-Cc: Michael Biebl <biebl at debian.org>, Wolfgang Bumiller <w.bumiller at proxmox.com>
> User: pkg-apparmor-team at lists.alioth.debian.org
> Usertags: buggy-profile
> Hi,
> as discussed on https://bugs.debian.org/911806 the current LXC
> AppArmor support breaks systemd v240, which now refuses to start units
> if it can't set up various sandboxing features, while previously it
> would merely start the units without the configured sandboxing.
> Michael Biebl originally reported this failure in the context of the
> systemd autopkgtests but I expect the same problem will affect regular
> full-system containers as well.
> Testing confirms that this problem is fixed by backporting 3 commits
> (e6ec0a9, e7311a84 and 1800f92) from LXC 3.1.0. I'm attaching the
> resulting backported patches. Credit goes to Wolfgang Bumiller who did
> the work upstream and to Michael Biebl who reported the problem in
> great details.
> If Buster is going to be released with LXC 3.0.x, IMO we need to
> either apply these patches or disable AppArmor by default for new LXC
> containers. And if we're going to ship with LXC 3.1.0 or newer, then
> feel free to disregard this request and close this bug with the first
> upload of LXC 3.1.0+ :)


Cc-ing Christian to improve the delay of replies.

At first I released 3.1.0 in unstable, but it seems unwise to rely on this
one when 3.0 is the LTS and 3.1 support won't last for long.

Hence I did a 3.1.0+really3.0.3 release today, rollbacking to 3.0.3.

This means this bug is no longer fixed.

Christian, would you consider releasing a 3.0.4 containing the patchset
mentioned in this bug?


Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20190111/882fce36/attachment.sig>

More information about the Pkg-lxc-devel mailing list