[pkg-lxc-devel] Bug#925899: lxc: Unprivileged containers fail to start after recent updates
Pierre-Elliott Bécue
peb at debian.org
Sun Apr 7 19:36:23 BST 2019
Le dimanche 31 mars 2019 à 14:55:52+0200, intrigeri a écrit :
> Hi,
>
> Regis Smith:
> >> > lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use
> > generated profile: apparmor_parser not available
>
> I've reproduced this problem and I could fix it with:
>
> lxc.apparmor.profile = unconfined
>
> Regis, can you please confirm this fix works for you as well?
>
> Pierre-Elliott Bécue:
> > Cc-ing intrigeri: I'm reconsidering the /etc/lxc/default.conf setting
> > regarding apparmor.profile. Putting generated breaks many unpriv
> > containers as they have no apparmor.profile set in their configuration.
>
> Considering kernel.unprivileged_userns_clone is disabled by default
> on Debian, IMO we should:
>
> - Optimize for the Debian defaults, i.e. privileged containers:
> - Keep the settings we added recently in /etc/lxc/default.conf
> - Replace "Suggests: apparmor" with "Depends: apparmor", because
> the default config will create containers that fail to start
> if the apparmor package is not installed.
>
> - Document how to use unprivileged containers on Debian. It's not as
> if they were previously working fine by default and AppArmor broke
> them — regardless of AppArmor, on current sid with the default
> kernel settings and lxc.apparmor.profile = unconfined, trying to
> start an unprivileged container fails in a very much user
> unfriendly way:
>
> conf.c: chown_mapped_root: 3250 lxc-usernsexec failed: Permission denied - Failed to open tt
>
> That's a first usability stumbling block. The new
> lxc.apparmor.profile default setting merely adds a second one.
>
> So I think README.Debian should document the need for
> kernel.unprivileged_userns_clone=1 and for
> lxc.apparmor.profile = unconfined
>
> - Take care of the Stretch→Buster upgrade path for unprivileged
> containers, by mentioning in NEWS.Debian that previously working
> unprivileged containers now need lxc.apparmor.profile = unconfined.
>
> Thoughts?
See the two latest commits for lxc:
https://salsa.debian.org/lxc-team/lxc/commits/master
Tell me what you think about them, and if needed don't hesitate to
submit a MR! :)
--
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20190407/a1c2f545/attachment.sig>
More information about the Pkg-lxc-devel
mailing list