[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

Pierre-Elliott Bécue peb at debian.org
Mon Feb 11 22:06:46 GMT 2019


On Sunday 27 January 2019 at 19:47:59+0100, intrigeri wrote:
> Hi,
> 
> Pierre-Elliott Bécue:
> > We have to decide what solution I will implement.
> 
> Right, thanks for following up.
> 
> > I'm open to suggestions, although I'm considering the "disable
> > apparmor profiles for lxc" solution for now.
> 
> I think that disabling AppArmor by default for new LXC containers for
> Buster would be an OK-ish fallback option, if nothing else can
> realistically be made to work in time for the freeze; that would be
> sad, but it would not be a regression vs. Stretch. I assume we are on
> the same page regarding this: by all means, let's not ship a known
> broken LXC + AppArmor default configuration in Buster :)
> 
> Apart from this fallback, I can propose two options:

Hi,

Please review and comment:

 - https://salsa.debian.org/lxc-team/lxc/commit/1e8ca3640eec0b82297314d10435b68918907fc8
   (patch inclusion)
 - https://salsa.debian.org/lxc-team/lxc/commit/84df6216317542961bbad08a08e159f38e623de7
   (minimalist default.conf)

Could you also provide me with a paragraph I could put in README.Debian
and NEWS regarding what end users should know about these profiles?

You dived into it more than me and I don't rely on AppArmor, so it'd be
better if you write it.

Otherwise I can try to write a relevant thing.

Cheers!

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.