[pkg-lxc-devel] Bug#925899: lxc: Unprivileged containers fail to start after recent updates

Pierre-Elliott Bécue peb at debian.org
Sun Apr 7 19:36:23 BST 2019


On Sunday, 31 March 2019 at 14:55:52+0200, intrigeri wrote:
> Hi,
> 
> Regis Smith:
> >> > lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use
> > generated profile: apparmor_parser not available
> 
> I've reproduced this problem and I could fix it with:
> 
>   lxc.apparmor.profile = unconfined
> 
> Regis, can you please confirm this fix works for you as well?
> 
> Pierre-Elliott Bécue:
> > Cc-ing intrigeri: I'm reconsidering the /etc/lxc/default.conf setting
> > regarding apparmor.profile. Putting generated breaks many unpriv
> > containers as they have no apparmor.profile set in their configuration.
> 
> Considering kernel.unprivileged_userns_clone is disabled by default
> on Debian, IMO we should:
> 
>  - Optimize for the Debian defaults, i.e. privileged containers:
>     - Keep the settings we added recently in /etc/lxc/default.conf
>     - Replace "Suggests: apparmor" with "Depends: apparmor", because
>       the default config will create containers that fail to start
>       if the apparmor package is not installed.
> 
>  - Document how to use unprivileged containers on Debian. It's not as
>    if they were previously working fine by default and AppArmor broke
>    them — regardless of AppArmor, on current sid with the default
>    kernel settings and lxc.apparmor.profile = unconfined, trying to
>    start an unprivileged container fails in a very much user
>    unfriendly way:
>    
>      conf.c: chown_mapped_root: 3250 lxc-usernsexec failed: Permission denied - Failed to open tt
> 
>    That's a first usability stumbling block. The new
>    lxc.apparmor.profile default setting merely adds a second one.
> 
>    So I think README.Debian should document the need for
>    kernel.unprivileged_userns_clone=1 and for
>    lxc.apparmor.profile = unconfined
> 
>  - Take care of the Stretch→Buster upgrade path for unprivileged
>    containers, by mentioning in NEWS.Debian that previously working
>    unprivileged containers now need lxc.apparmor.profile = unconfined.
> 
> Thoughts?

See the two latest commits for lxc:

https://salsa.debian.org/lxc-team/lxc/commits/master

Tell me what you think about them, and if needed don't hesitate to
submit a MR! :)

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
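As an added example (not part of this thread, the salsa commits, or the Debian lxc package), the shell script below turns the two prerequisites intrigeri lists for unprivileged containers on Debian into a preflight check: the kernel.unprivileged_userns_clone sysctl must read 1, and the container config must set lxc.apparmor.profile = unconfined so lxc never tries to load a generated profile through apparmor_parser. The function names (userns_enabled, apparmor_profile_is, preflight) are my own; the sysctl path /proc/sys/kernel/unprivileged_userns_clone is the real one on Debian kernels and is used only when no other path is given. The sample configs and sysctl files at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian lxc package.
# Preflight check for the two prerequisites discussed above. File paths are
# parameters so the checks can run against constructed inputs offline.

# Return 0 if the sysctl value file reports unprivileged user namespaces enabled.
# $1: path to the value file (normally /proc/sys/kernel/unprivileged_userns_clone)
userns_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Return 0 if the container config sets lxc.apparmor.profile to the wanted
# value (default "unconfined"). The last assignment wins, as in lxc itself.
# $1: path to the container config; $2: expected profile value
apparmor_profile_is() {
    cfg="$1"; want="${2:-unconfined}"
    got=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$cfg" | tail -n 1)
    got=$(printf '%s' "$got" | sed 's/[[:space:]]*$//')   # strip trailing whitespace
    [ "$got" = "$want" ]
}

# Run both checks and report; the exit status is the number of failed checks (0-2).
# $1: container config path; $2: sysctl value file (defaults to the real one)
preflight() {
    cfg="$1"; sysctl_file="${2:-/proc/sys/kernel/unprivileged_userns_clone}"
    fails=0
    if userns_enabled "$sysctl_file"; then
        echo "ok:   unprivileged user namespaces are enabled"
    else
        echo "fail: set kernel.unprivileged_userns_clone=1 (e.g. via /etc/sysctl.d/)"
        fails=$((fails + 1))
    fi
    if apparmor_profile_is "$cfg" unconfined; then
        echo "ok:   lxc.apparmor.profile = unconfined in $cfg"
    else
        echo "fail: add 'lxc.apparmor.profile = unconfined' to $cfg (a generated profile needs apparmor_parser)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample inputs for a stand-alone run; these are not real system state.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '1\n' > "$tmpdir/userns_on"
printf '0\n' > "$tmpdir/userns_off"
cat > "$tmpdir/good.conf" <<'EOF'
# constructed container config with the setting from the thread
lxc.apparmor.profile = unconfined
lxc.idmap = u 0 100000 65536
EOF
cat > "$tmpdir/bad.conf" <<'EOF'
# constructed container config with no explicit profile
lxc.idmap = u 0 100000 65536
EOF

preflight "$tmpdir/good.conf" "$tmpdir/userns_on"                      # both checks pass
preflight "$tmpdir/bad.conf" "$tmpdir/userns_off" || echo "$? check(s) failed"
```

Run it against a real container with `preflight ~/.local/share/lxc/NAME/config` (the sysctl path then defaults to the live kernel value); a non-zero exit status means at least one of the two documented settings is missing.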