[lxc-devel] LXC 1.1 rc1 has been released

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jan 22 21:32:50 UTC 2015


Quoting Johannes Kastl (mail at ojkastl.de):
> 
> On 21.01.2015 Stéphane Graber wrote:
> 
> > That means that from now on, we won't be taking new features and
> > will instead work on fixing any remaining rough edges with 1.1.
> 
> I just tested the packages from my repository on the openSUSE build
> service, and I can't start any container on my openSUSE Tumbleweed host:
> 
> > $ sudo lxc-start -n DEBIAN
> > lxc-start: lxc_start.c: main: 345 The container failed to start.
> > lxc-start: lxc_start.c: main: 347 To get more details, run the container in foreground mode.
> > lxc-start: lxc_start.c: main: 349 Additional information can be obtained by setting the --logfile and --logpriority options.
> 
> Apparently this is an issue with apparmor:
> > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:171 - If you really want to start this container, set
> > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:172 - lxc.aa_allow_incomplete = 1
> > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:173 - in your container configuration file
> 
> Adding lxc.aa_allow_incomplete = 1 allows me to start the container.
> 
> How to solve this for the 1.1 release? I am not familiar with
> apparmor, and I have no idea where the error is. Apparmor profile? lxc?

Your kernel doesn't have the patches for apparmor mount restrictions.
(You can verify this by looking for the file
/sys/kernel/security/apparmor/features/mount/mask )

(The patches to provide that are not yet upstream, unfortunately,
but hopefully that'll be fixed soon)

The three possible workarounds are:

1. get the apparmor mount feature patchset into your kernel (probably
not very feasible?)
2. run containers unconfined by default
3. add lxc.aa_allow_incomplete = 1 to  /usr/share/lxc/config/common.conf
or (perhaps better) a file under /usr/share/lxc/config/common.conf.d

The lack of mount restrictions significantly weakens the security
guarantees apparmor can provide, so unless you will default to
unprivileged containers, (1) may be the hardest but would be the
best solution.

> Regards,
> Johannes
> 
> BTW: What happened to the nice output of lxc-ls --fancy? Is there any
> replacement for it? Apart from listing the directories I found no use
> for it anymore. The old one showed stuff about autostart, IPs, etc.
> 
> 
> -- 
> The problem with the world is stupidity. Not saying there should be a
> capital punishment for stupidity, but why don't we just take the
> safety labels off of everything and let the problem solve itself?
> (Frank Zappa)

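The kernel check Serge describes, and his third workaround, scripted as an added example (shell written for this page, not code from LXC, Serge or Johannes). It tests for /sys/kernel/security/apparmor/features/mount/mask and, only when that file is missing, writes a drop-in under /usr/share/lxc/config/common.conf.d that sets lxc.aa_allow_incomplete = 1. Assumptions: that common.conf includes that drop-in directory (as the thread implies), the drop-in file name 99-aa-allow-incomplete.conf, and the directory arguments, which exist so the functions can be run against a constructed directory tree instead of a live host.

```shell
#!/bin/sh
# Added example, not from the lxc-devel thread or the LXC project.
# LXC 1.1 refuses to start a confined container when the kernel lacks
# AppArmor mount mediation (no apparmor/features/mount/mask), because the
# profile could then not restrict mount(2) and the confinement would be
# incomplete. This script detects that case and applies the
# lxc.aa_allow_incomplete = 1 workaround as a config drop-in.

# Return 0 when the running kernel exposes AppArmor mount mediation.
# $1: securityfs root (assumption: defaults to /sys/kernel/security).
aa_mount_supported() {
    secfs=${1:-/sys/kernel/security}
    [ -f "$secfs/apparmor/features/mount/mask" ]
}

# Print the mount-mediation mask as the kernel reports it (empty if absent).
aa_mount_mask() {
    secfs=${1:-/sys/kernel/security}
    cat "$secfs/apparmor/features/mount/mask" 2>/dev/null || true
}

# Write the workaround as a drop-in file rather than editing common.conf,
# so package upgrades do not clobber it and it is easy to remove later.
# $1: drop-in directory (default /usr/share/lxc/config/common.conf.d).
# The file name 99-aa-allow-incomplete.conf is an assumption.
write_allow_incomplete_dropin() {
    confd=${1:-/usr/share/lxc/config/common.conf.d}
    mkdir -p "$confd" || return 1
    printf '%s\n' \
        '# Kernel has no AppArmor mount mediation; let LXC load an incomplete profile.' \
        '# Mount operations inside the container are NOT restricted by AppArmor.' \
        '# Remove this file once the kernel exposes apparmor/features/mount/mask.' \
        'lxc.aa_allow_incomplete = 1' > "$confd/99-aa-allow-incomplete.conf"
}

# Decide and act. Prints "kernel-ok" (nothing written) or "dropin-written".
# $1: securityfs root, $2: drop-in directory.
ensure_aa_dropin() {
    secfs=${1:-/sys/kernel/security}
    confd=${2:-/usr/share/lxc/config/common.conf.d}
    if aa_mount_supported "$secfs"; then
        echo "kernel-ok"
        return 0
    fi
    echo "WARNING: $secfs/apparmor/features/mount/mask missing;" \
         "AppArmor cannot restrict mounts in containers" >&2
    write_allow_incomplete_dropin "$confd" || return 1
    echo "dropin-written"
}

# Report whether a given container config already carries the override
# (what Johannes did by hand). $1: path to the container's config file.
config_allows_incomplete() {
    grep -Eq '^[[:space:]]*lxc\.aa_allow_incomplete[[:space:]]*=[[:space:]]*1' "$1"
}

# Apply to the live host only when explicitly asked (needs root):
#   sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_aa_dropin
fi
```

Running it with --apply on a host whose kernel carries the mount-mediation patches prints "kernel-ok" and changes nothing; on an unpatched kernel it writes the drop-in and warns on stderr. The drop-in is a global weakening (Serge's point that mount restrictions matter), so it is worth re-running the check after each kernel upgrade and deleting the file as soon as aa_mount_supported succeeds.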