[pkg-lxc-devel] Bug#925899: lxc: Unprivileged containers fail to start after recent updates

Pierre-Elliott Bécue peb at debian.org
Sat Mar 30 15:06:49 GMT 2019


On 30 March 2019 15:29:52 GMT+01:00, intrigeri <intrigeri at debian.org> wrote:
>Hi,
>
>Pierre-Elliott Bécue:
>> This bugreport raises an interesting question regarding the tradeoff
>> between the solution we implemented to fix bug #916639.
>
>> Cc-ing intrigeri: I'm reconsidering the /etc/lxc/default.conf setting
>> regarding apparmor.profile. Putting generated breaks many unpriv
>> containers as they have no apparmor.profile set in their
>> configuration.
>
>I'd love to help but I'll need more info to understand why the current
>setup breaks "many unpriv containers", e.g.:
>
> - Is this specific to unprivileged containers?
>
> - Is it because "apparmor.profile = generated" is not suitable
>   for unprivileged containers?
>
>Finally, I wonder if "Suggests: apparmor" expresses strongly enough
>the current status of the LXC + AppArmor integration in Debian.
>Thankfully the Linux images will pull apparmor via Recommends…
>except on systems where the administrator has disabled installation
>of Recommends.
>
>Cheers,

It is specific to unprivileged containers and due to the fact that non-root users don't seem to have the ability to use the generated profile.
PEB (from my phone) 


