[pkg-lxc-devel] Bug#926925: lxc: please do not depend on apparmor
Mattia Rizzolo
mattia at debian.org
Fri Apr 12 10:44:49 BST 2019
Package: lxc
Version: 1:3.1.0+really3.0.3-7
Please do not hard depend on apparmor.
The other day I brought this matter up on #debian-devel, and others also
agreed that it's not a good idea to hard depend on apparmor.
Even the kernel at most recommends it.
From the #d-d conversation:
[03:27:59 PM] <peb> adding apparmor as a dependency was a suggestion from intrigeri, and I did not find any real reason to not do so
[03:28:42 PM] <peb> kibi: lxc upon startup tries to load the aforementioned profile and thus needs apparmor to enforce it
[03:28:53 PM] <peb> so the alternative is to remove the config in default.conf
[03:30:00 PM] <jcristau> wat
[03:30:48 PM] <peb> jcristau: without apparmor, a container with the generated profile won't be able to start
[03:30:58 PM] <peb> "generated" (it's the name of the profile)
[03:31:16 PM] <jcristau> sounds like a silly design
[03:31:24 PM] <peb> so if we don't drag apparmor, I need to comment out/remove the profile = generated in /etc/lxc/default.conf
[03:31:36 PM] <peb> I'll do some tests
[03:31:48 PM] <peb> but ack, the current situation is probably not the appropriate one for stable
[03:31:56 PM] <peb> I'll find a way before asking for an unblock
[03:31:57 PM] <jcristau> it should be able to confine containers if you have apparmor, and not if not.
[03:32:17 PM] <peb> my previous tests showed otherwise, but maybe I missed something
[03:32:47 PM] <peb> I'll redo some tests during the weekend
I'm making this into a bug to ease tracking.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia