[lxc-devel] LXC 1.1 rc1 has been released

Stéphane Graber stgraber at ubuntu.com
Thu Jan 22 21:36:15 UTC 2015


On Thu, Jan 22, 2015 at 09:32:50PM +0000, Serge Hallyn wrote:
> Quoting Johannes Kastl (mail at ojkastl.de):
> > 
> > On 21.01.2015 Stéphane Graber wrote:
> > 
> > > That means that from now on, we won't be taking new features and
> > > will instead work on fixing any remaining rough edges with 1.1.
> > 
> > I just tested the packages from my repository on the openSUSE build
> > service, and I can't start any container on my openSUSE Tumbleweed host:
> > 
> > > $ sudo lxc-start -n DEBIAN
> > > lxc-start: lxc_start.c: main: 345 The container failed to start.
> > > lxc-start: lxc_start.c: main: 347 To get more details, run the container in foreground mode.
> > > lxc-start: lxc_start.c: main: 349 Additional information can be obtained by setting the --logfile and --logpriority options.
> > 
> > Apparently this is an issue with apparmor:
> > > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:171 - If you really want to start this container, set
> > > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:172 - lxc.aa_allow_incomplete = 1
> > > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:173 - in your container configuration file
> > 
> > Adding lxc.aa_allow_incomplete = 1 allows me to start the container.
> > 
> > How to solve this for the 1.1 release? I am not familiar with
> > apparmor, and I have no idea where the error is. Apparmor profile? lxc?
> 
> Your kernel doesn't have the patches for apparmor mount restrictions.
> (You can verify this by looking for the file
> /sys/kernel/security/apparmor/features/mount/mask )
> 
> (The patches to provide that are not yet upstream, unfortunately,
> but hopefully that'll be fixed soon)
> 
> The three possible workarounds are:
> 
> 1. get the apparmor mount feature patchset into your kernel (probably
> not very feasible?)
> 2. run containers unconfined by default
> 3. add lxc.aa_allow_incomplete = 1 to /usr/share/lxc/config/common.conf
> or (perhaps better) a file under /usr/share/lxc/config/common.conf.d
> 
> The lack of mount restrictions significantly weakens the security
> guarantees apparmor can provide, so unless you will default to
> unprivileged containers, (1) may be the hardest but would be the
> best solution.

Or just comment those lines?

> 
> > Regards,
> > Johannes
> > 
> > BTW: What happened to the nice output of lxc-ls --fancy? Is there any
> > replacement for it? Apart from listing the directories I found no use
> > for it anymore. The old one showed stuff about autostart, IPs, etc.
> > 
> > 
> > -- 
> > The problem with the world is stupidity. Not saying there should be a
> > capital punishment for stupidity, but why don't we just take the
> > safety labels off of everything and let the problem solve itself?
> > (Frank Zappa)
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
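The kernel check Serge describes above (presence of the mount feature file) and the effect of the three workarounds, as an added POSIX shell example that is not part of this thread or of LXC's own code. It assumes the feature path from Serge's message, and treats `lxc.aa_profile = unconfined` in a container config as the per-container form of workaround 2 (that key is not named in the thread); paths passed on the command line are container config files to audit.

```shell
#!/bin/sh
# Added example (not from the thread): report why lxc-start would refuse a
# container on a kernel without AppArmor mount mediation, and which
# workaround, if any, each container config relies on.

# Path named by Serge: exists only if the kernel carries the mount patchset.
AA_MOUNT_MASK="/sys/kernel/security/apparmor/features/mount/mask"

# Kernel exposes AppArmor mount restrictions iff the mask file exists.
has_aa_mount_feature() {
    [ -e "$1" ]
}

# True if the config file contains "key = value" (whitespace tolerated;
# commented-out lines do not count). $2 is an ERE for the key, $3 the value.
config_has() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# Classify what lxc-start would do for one container config:
#   unconfined         - config opts out of AppArmor (lxc.aa_profile = unconfined)
#   confined           - kernel has mount mediation; the full profile applies
#   incomplete-allowed - config sets lxc.aa_allow_incomplete = 1, so the
#                        container starts under a profile without mount rules
#   would-fail         - lxc-start aborts with the error quoted in the thread
classify_container() {
    mask_file="$1"
    conf="$2"
    if config_has "$conf" 'lxc\.aa_profile' 'unconfined'; then
        echo unconfined
    elif has_aa_mount_feature "$mask_file"; then
        echo confined
    elif config_has "$conf" 'lxc\.aa_allow_incomplete' '1'; then
        echo incomplete-allowed
    else
        echo would-fail
    fi
}

main() {
    if has_aa_mount_feature "$AA_MOUNT_MASK"; then
        echo "kernel: AppArmor mount restrictions present"
    else
        echo "kernel: AppArmor mount restrictions MISSING ($AA_MOUNT_MASK absent)"
    fi
    for conf in "$@"; do
        printf '%s: %s\n' "$conf" "$(classify_container "$AA_MOUNT_MASK" "$conf")"
    done
}

main "$@"
```

Run it as `sh aa_mount_check.sh /var/lib/lxc/*/config` on the host: every `incomplete-allowed` or `unconfined` line is a container running with weaker confinement than the 1.1 profile intends, which is the trade-off Serge's last paragraph warns about.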