[lxc-devel] Getting back to the app armour profile subject...

Michael H. Warfield mhw at WittsEnd.com
Thu Jun 19 13:59:12 UTC 2014


Over on the users list was a thread started by Flo, Subject: Fedory 20
LXC fails to start on Ubuntu 14.04 host?

The gist of it was that systemd was segfaulting in a Fedora 20
container when run under Ubuntu 14.04 unless we set this:

lxc.aa_profile = unconfined

The thread's subject got changed to "apparmor profile for systemd containers
(WAS: Fedora container thinks it is not running)"

Then someone tried some restricted profiles for systemd and had that
working.  There was also some discussion about working around the
problem using certain mount sets.  I think Serge expressed a reluctance
for using an unconfined profile, but I also confirmed that setting an
aa_profile on a non-AppArmor host will just be ignored and we could do
that with no harm done.

The gist of those threads is that the current AppArmor profile and
default configuration can lead to systemd segfaulting on container start
up.  Those threads did not seem to end with a resolution but with a comment
"This appears to be a rather nasty bug..." wrt lxc-attach.

My immediate inclination wrt systemd in Fedora, CentOS, and openSUSE
would be to unconditionally set "lxc.aa_profile = unconfined" until we
have a resolution, even though that's a (cough) suboptimal choice.  A
"systemd" aa_profile would be better, albeit not best, if it can be
handled with proper mounts.

Any thoughts on what direction and what solution we should opt for here?

As I'm running on a Fedora 20 host, I really can't test out these
choices, since I'm not experiencing these problems.

I AM, however, now experiencing an inverse problem running an Ubuntu
container on a Fedora host that I'll detail out in another thread.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
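
The message above turns on two facts: `lxc.aa_profile = unconfined` drops AppArmor confinement for a container, and on a host without AppArmor (a Fedora host, for example) the setting is silently ignored because the container is unconfined either way. The following audit script is an added example, not code from this thread or from the LXC project: it parses LXC container configs, reports which containers run unconfined and why, and shows when the profile setting is moot. The default profile name `lxc-container-default`, the `/var/lib/lxc/<name>/config` location, the `lxc.apparmor.profile` key of newer LXC releases, and the sample configs are assumptions or constructed data, labelled as such in the comments.

```python
"""Audit LXC container configs for AppArmor confinement (added example, not LXC's own code)."""
from pathlib import Path
from typing import Dict, Optional, Union

# Kernel's AppArmor status file; absent on a host whose kernel lacks AppArmor (e.g. Fedora).
APPARMOR_ENABLED_FILE = "/sys/module/apparmor/parameters/enabled"
# Default per-container config location (assumption: lxc.lxcpath may point elsewhere).
LXC_PATH = Path("/var/lib/lxc")
# Profile LXC applies when the config names none (LXC 1.x default; assumption for other releases).
DEFAULT_PROFILE = "lxc-container-default"
# Config keys that select the profile: the LXC 1.x key from the thread, and the renamed key of LXC >= 2.1.
PROFILE_KEYS = ("lxc.aa_profile", "lxc.apparmor.profile")


def host_apparmor_enabled(status_file: Union[str, Path] = APPARMOR_ENABLED_FILE) -> bool:
    """True only if the kernel exposes AppArmor and reports it enabled ('Y')."""
    try:
        return Path(status_file).read_text().strip() == "Y"
    except OSError:
        return False


def parse_lxc_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of an LXC config.

    Blank and '#' comment lines are skipped; a repeated key keeps its last value, as LXC does.
    lxc.include files are not followed, so an included snippet setting the profile is not seen.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective_profile(conf: Dict[str, str]) -> str:
    """Profile the container would get: first matching key, else the assumed default."""
    for key in PROFILE_KEYS:
        if key in conf:
            return conf[key]
    return DEFAULT_PROFILE


def audit_container(name: str, text: str, host_apparmor: bool) -> Dict[str, object]:
    """Classify one container: is it actually confined, and what explains the result."""
    profile = effective_profile(parse_lxc_config(text))
    if not host_apparmor:
        confined, note = False, "host has no AppArmor: profile setting ignored, container runs unconfined"
    elif profile == "unconfined":
        confined, note = False, "explicitly unconfined (the systemd workaround from the thread)"
    else:
        confined, note = True, "confined by AppArmor profile " + profile
    return {"container": name, "profile": profile, "confined": confined, "note": note}


def audit_all(configs: Dict[str, str], host_apparmor: Optional[bool] = None) -> Dict[str, Dict[str, object]]:
    """Audit a mapping of container name -> config text; host state is probed unless given."""
    if host_apparmor is None:
        host_apparmor = host_apparmor_enabled()
    return {name: audit_container(name, text, host_apparmor) for name, text in configs.items()}


def load_from_disk(lxcpath: Path = LXC_PATH) -> Dict[str, str]:
    """Read every <lxcpath>/<name>/config that exists; empty dict if none."""
    return {p.parent.name: p.read_text() for p in lxcpath.glob("*/config")}


# Constructed sample configs (not real containers) mirroring the cases in the thread.
SAMPLE_CONFIGS = {
    "fedora20": "lxc.utsname = fedora20\nlxc.rootfs = /var/lib/lxc/fedora20/rootfs\n"
                "lxc.aa_profile = unconfined\n",
    "ubuntu": "lxc.utsname = ubuntu\n# lxc.aa_profile = unconfined\nlxc.rootfs = /var/lib/lxc/ubuntu/rootfs\n",
    "nested": "lxc.utsname = nested\nlxc.aa_profile = lxc-container-default-with-nesting\n",
}

if __name__ == "__main__":
    configs = load_from_disk() or SAMPLE_CONFIGS
    print("host AppArmor enabled:", host_apparmor_enabled())
    for finding in audit_all(configs).values():
        flag = "ok  " if finding["confined"] else "WARN"
        print(f"{flag} {finding['container']:<12} {finding['profile']:<40} {finding['note']}")
```

Run as root on an LXC 1.x host it reads the real configs; anywhere else it falls back to the constructed samples. The host check matters as much as the per-container key: on a Fedora host every container shows up unconfined whatever its config says, which is exactly why the setting is harmless there and why the systemd-vs-profile question only needs an answer on AppArmor hosts.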
