[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

Christian Brauner christian.brauner at canonical.com
Fri Jan 11 15:02:26 GMT 2019


On Fri, Jan 11, 2019 at 03:56:02PM +0100, Pierre-Elliott Bécue wrote:
> On 11/01/2019 at 15:01, Christian Brauner wrote:
> > On Fri, Jan 11, 2019 at 12:58:09AM +0100, Pierre-Elliott Bécue wrote:
> >> On Sunday 16 December 2018 at 20:22:05+0100, intrigeri at debian.org wrote:
> >>> Package: lxc
> >>> Version: 1:3.0.3-1
> >>> Severity: normal
> >>> Tags: patch
> >>> X-Debbugs-Cc: Michael Biebl <biebl at debian.org>, Wolfgang Bumiller <w.bumiller at proxmox.com>
> >>> User: pkg-apparmor-team at lists.alioth.debian.org
> >>> Usertags: buggy-profile
> >>>
> >>> Hi,
> >>>
> >>> as discussed on https://bugs.debian.org/911806 the current LXC
> >>> AppArmor support breaks systemd v240, which now refuses to start units
> >>> if it can't set up various sandboxing features, while previously it
> >>> would merely start the units without the configured sandboxing.
> >>> Michael Biebl originally reported this failure in the context of the
> >>> systemd autopkgtests but I expect the same problem will affect regular
> >>> full-system containers as well.
> >>>
> >>> Testing confirms that this problem is fixed by backporting 3 commits
> >>> (e6ec0a9, e7311a84 and 1800f92) from LXC 3.1.0. I'm attaching the
> >>> resulting backported patches. Credit goes to Wolfgang Bumiller who did
> >>> the work upstream and to Michael Biebl who reported the problem in
> >>> great detail.
> >>>
> >>> If Buster is going to be released with LXC 3.0.x, IMO we need to
> >>> either apply these patches or disable AppArmor by default for new LXC
> >>> containers. And if we're going to ship with LXC 3.1.0 or newer, then
> >>> feel free to disregard this request and close this bug with the first
> >>> upload of LXC 3.1.0+ :)
> >>
> >> Hi,
> >>
> >> Cc-ing Christian to improve the delay of replies.
> >>
> >> At first I released 3.1.0 in unstable, but it seems unwise to rely on this
> >> one when 3.0 is the LTS and 3.1 support won't last for long.
> >>
> >> Hence I did a 3.1.0+really3.0.3 release today, rolling back to 3.0.3.
> >>
> >> This means this bug is no longer fixed.
> >>
> >> Christian, would you consider releasing a 3.0.4 containing the patchset
> >> mentioned in this bug?
> > 
> > The three commits you linked would be a feature backport which we can't
> > do into a stable branch. Wolfgang could however send a custom patch. I
> > Cced him. If he does it we can push this into the next release. :)
> 
> Do you mean a 3.0.x release?
> 
> Would it be possible to have it before the end of the month? Otherwise

Hm, unlikely. Can you carry a separate patch on top of 3.0.3 until we
release 3.0.4?

Thanks!
Christian
