[pkg-lxc-devel] Bug#925899: lxc: Unprivileged containers fail to start after recent updates

intrigeri intrigeri at debian.org
Sat Mar 30 14:29:52 GMT 2019


Hi,

Pierre-Elliott Bécue:
> This bugreport raises an interesting question regarding the tradeoff
> between the solution we implemented to fix bug #916639.

> Cc-ing intrigeri: I'm reconsidering the /etc/lxc/default.conf setting
> regarding apparmor.profile. Putting generated breaks many unpriv
> containers as they have no apparmor.profile set in their configuration.

I'd love to help but I'll need more info to understand why the current
setup breaks "many unpriv containers", e.g.:

 - Is this specific to unprivileged containers?

 - Is it because "apparmor.profile = generated" is not suitable
   for unprivileged containers?

Finally, I wonder if "Suggests: apparmor" expresses strongly enough
the current status of the LXC + AppArmor integration in Debian.
Thankfully the Linux images will pull apparmor via Recommends…
except on systems where the administrator has disabled installation
of Recommends.

Cheers,
-- 
intrigeri


