[pkg-lxc-devel] Bug#925899: lxc: Unprivileged containers fail to start after recent updates

Pierre-Elliott Bécue peb at debian.org
Sat Mar 30 13:51:47 GMT 2019


On Wednesday 27 March 2019 at 22:08:49-0700, Regis Smith wrote:
> Package: lxc
> Version: 1:3.1.0+really3.0.3-6
> Severity: important
> 
> Dear Maintainer,
> 
>    * What led up to the situation?
> 
> apt update; apt upgrade
> 
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
> As a normal user:
> $ lxc-start -n test
> 
>    * What was the outcome of this action?
> 
> lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 833 No such file or directory - Failed to receive the container state
> lxc-start: test: tools/lxc_start.c: main: 330 The container failed to start
> lxc-start: test: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
> lxc-start: test: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> 
> If I run it in the foreground instead I get
> 
> $ lxc-start -n test -F
> lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use generated profile: apparmor_parser not available
> lxc-start: test: start.c: lxc_init: 899 Failed to initialize LSM
> lxc-start: test: start.c: __lxc_start: 1917 Failed to initialize container "test"
> lxc-start: test: tools/lxc_start.c: main: 330 The container failed to start
> lxc-start: test: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> 
>    * What outcome did you expect instead?
> 
> A running container.  These used to work up until recently.  Now I can't stop
> already running containers because I won't be able to restart them.

Hi,

Thanks for submitting this bug.

As you can see, it is possible to get more debug via the --logfile and
the --logpriority options.

That said, the first line with the -F option says it all:

> lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use
> generated profile: apparmor_parser not available

It means that you're lacking the apparmor_parser command, which is
shipped by apparmor. It probably means that you refused to install
apparmor on your host.

You have multiple choices. The first one being installing apparmor, and
the second one being to edit your container's configuration (or the
/etc/lxc/default.conf file) to change the lxc.apparmor.profile
parameter.

This bug report raises an interesting question regarding the tradeoff
between the solution we implemented to fix bug #916639.

Cc-ing intrigeri: I'm reconsidering the /etc/lxc/default.conf setting
regarding apparmor.profile. Putting generated breaks many unpriv
containers as they have no apparmor.profile set in their configuration.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916639

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
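The failure the maintainer diagnoses above (profile set to `generated`, no `apparmor_parser` on the host) can be checked before touching a running container. The script below is an added example, not code from the bug report or the lxc package; it parses only a single config file (no include or default.conf resolution) and assumes, from lxc.container.conf(5), that `lxc.apparmor.profile` also accepts `unconfined` and the name of an already loaded profile.

```shell
#!/bin/sh
# Added diagnostic for the start failure in this thread: LXC 3.0 refuses to start a
# container whose lxc.apparmor.profile is "generated" when apparmor_parser (shipped
# by the apparmor package) is missing. Parsing is deliberately simple: one file,
# last assignment wins; LXC's include and default.conf semantics are not modelled.

# Print the lxc.apparmor.profile value set in config file $1, or "unset".
effective_apparmor_profile() {
    val=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# $1: container config; $2: 1 if apparmor_parser is present, 0 if not (passed in so
# the check runs anywhere; have_apparmor_parser below is the real host probe).
# Returns 0 when nothing here blocks the start, 1 for the failure from the thread.
apparmor_start_check() {
    profile=$(effective_apparmor_profile "$1")
    case "$profile" in
        generated)
            if [ "$2" -eq 1 ]; then
                echo "ok: generated profile and apparmor_parser present"; return 0
            fi
            echo "FAIL: lxc.apparmor.profile=generated but apparmor_parser is missing;"
            echo "      install apparmor, or set another profile in $1"; return 1 ;;
        unconfined)
            echo "ok: unconfined (no AppArmor confinement for this container)"; return 0 ;;
        unset)
            echo "ok: no profile in $1, LXC falls back to its default; set it explicitly"; return 0 ;;
        *)
            echo "ok: named profile '$profile' (must already be loaded by the apparmor service)"; return 0 ;;
    esac
}

# Real host probe: prints 1 when apparmor_parser is on PATH, else 0.
have_apparmor_parser() {
    if command -v apparmor_parser >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Constructed sample configs (not from the report): the default.conf setting the
# thread discusses, and an unprivileged container config that sets no profile.
SAMPLE_DIR=$(mktemp -d)
printf 'lxc.apparmor.profile = generated\n' > "$SAMPLE_DIR/default.conf"
printf 'lxc.rootfs.path = dir:/home/user/.local/share/lxc/test/rootfs\n' > "$SAMPLE_DIR/test.conf"

status=0
for conf in "$SAMPLE_DIR/default.conf" "$SAMPLE_DIR/test.conf"; do
    apparmor_start_check "$conf" "$(have_apparmor_parser)" || status=1
done
```

Run it on a real container config with `apparmor_start_check /path/to/config "$(have_apparmor_parser)"`; a non-zero `status` reproduces the `apparmor_prepare: Cannot use generated profile` condition without starting anything.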