[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240
intrigeri
intrigeri at debian.org
Sun Feb 24 14:25:45 GMT 2019
Hi,
Pierre-Elliott Bécue:
> Please review and comment:
> - https://salsa.debian.org/lxc-team/lxc/commit/1e8ca3640eec0b82297314d10435b68918907fc8
> (patch inclusion)
> - https://salsa.debian.org/lxc-team/lxc/commit/84df6216317542961bbad08a08e159f38e623de7
> (minimalist default.conf)
Looks good to me, thanks!
> Could you also provide me with a paragraph I could put in README.Debian
> and NEWS regarding what end users should know about these profiles.
> You dived in it more than me and I don't rely on apparmor, so it'd be
> better if you write it.
> Otherwise I can try to write a relevant thing.
Now that /etc/lxc/default.conf has permissive enough settings, I'm not
sure whether we should tell users anything particular about these
profiles: things should work out of the box.
Unfortunately, even on the upstream master branch,
lxc.container.conf(5) does not document our new default settings
("lxc.apparmor.profile = generated" and "lxc.apparmor.allow_nesting"),
which is a bit inconvenient. But thankfully, in case AppArmor breaks
LXC things for users, that manpage documents how to specify that
a given container should run unconfined, i.e. roll back to how things
were by default on Stretch, so perhaps that's good enough?
Cheers!
--
intrigeri
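The message above names two settings ("lxc.apparmor.profile = generated", "lxc.apparmor.allow_nesting") and the "unconfined" rollback. The following shell script is an added example, not code from the thread or from the lxc package; it audits LXC container configs for the confinement they request, so an admin can see which containers have been rolled back to Stretch-style unconfined operation. It assumes the usual per-container layout (`<dir>/<name>/config`) and that nesting is enabled with the value `1`; the sample configs are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): report the AppArmor confinement an
# LXC config file requests. Assumes the keys named in the message
# ("lxc.apparmor.profile", "lxc.apparmor.allow_nesting") and that nesting
# is switched on with the value 1 (assumption).

# Extract the last value of a "key = value" line, ignoring surrounding spaces.
lxc_conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the AppArmor mode a config asks for:
#   generated | unconfined | <named profile> | unset
# "unset" means the container inherits whatever /etc/lxc/default.conf gave it.
lxc_apparmor_mode() {
    mode=$(lxc_conf_get "$1" lxc.apparmor.profile)
    if [ -z "$mode" ]; then
        echo unset
    else
        echo "$mode"
    fi
}

# Print 1 if the config explicitly allows AppArmor nesting, 0 otherwise.
lxc_apparmor_nesting() {
    if [ "$(lxc_conf_get "$1" lxc.apparmor.allow_nesting)" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# List every container under a directory whose config runs it unconfined,
# i.e. the Stretch-era behaviour the message describes as the rollback.
list_unconfined() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        if [ "$(lxc_apparmor_mode "$cfg")" = "unconfined" ]; then
            basename "$(dirname "$cfg")"
        fi
    done
}

# Constructed sample configs standing in for /var/lib/lxc/<name>/config.
LXC_DEMO=$(mktemp -d)
trap 'rm -rf "$LXC_DEMO"' EXIT
mkdir -p "$LXC_DEMO/web" "$LXC_DEMO/legacy" "$LXC_DEMO/plain"
cat > "$LXC_DEMO/web/config" <<'EOF'
# Debian default: per-container generated profile, nesting allowed
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
EOF
cat > "$LXC_DEMO/legacy/config" <<'EOF'
# Rollback to Stretch behaviour: no AppArmor confinement at all
lxc.apparmor.profile = unconfined
EOF
cat > "$LXC_DEMO/plain/config" <<'EOF'
lxc.uts.name = plain
EOF

# On a real host: list_unconfined /var/lib/lxc
list_unconfined "$LXC_DEMO"
```

Running it on a real host with `list_unconfined /var/lib/lxc` gives the containers that have opted out of AppArmor entirely; those are the ones worth revisiting once the generated-profile default is known to work for them.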