[lxc-devel] LXC 1.1 rc1 has been released

Thu Jan 22 22:36:50 UTC 2015

Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Jan 22, 2015 at 09:32:50PM +0000, Serge Hallyn wrote:
> > Quoting Johannes Kastl (mail at ojkastl.de):
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > On 21.01.2015 Stéphane Graber wrote:
> > > 
> > > > That means that from now on, we won't be taking new features and
> > > > will instead work on fixing any remaining rough edges with 1.1.
> > > 
> > > I just tested the packages from my repository on the openSUSE build
> > > service, and I can't start any container on my openSUSE Tumbleweed host:
> > > 
> > > > $ sudo lxc-start -n DEBIAN lxc-start: lxc_start.c: main: 345 The
> > > > container failed to start. lxc-start: lxc_start.c: main: 347 To get
> > > > more details, run the container in foreground mode. lxc-start:
> > > > lxc_start.c: main: 349 Additional information can be obtained by
> > > > setting the --logfile and --logpriority options.
> > > 
> > > Apparently this is an issue with apparmor:
> > > > lxc-start 1421956341.455 ERROR    lxc_apparmor -
> > > > lsm/apparmor.c:apparmor_process_label_set:171 - If you really want
> > > > to start this container, set lxc-start 1421956341.455 ERROR
> > > > lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:172 -
> > > > lxc.aa_allow_incomplete = 1 lxc-start 1421956341.455 ERROR
> > > > lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:173 - in
> > > > your container configuration file
> > > 
> > > Adding lxc.aa_allow_incomplete = 1 allows me to start the container.
> > > 
> > > How to solve this for the 1.1 release? I am not familiar with
> > > apparmor, and I have no idea where the error is. Apparmor profile? lxc?
> > 
> > Your kernel doesn't have the patches for apparmor mount restrictions.
> > (You can verify this by looking for the file
> > /sys/kernel/security/apparmor/features/mount/mask )
> > 
> > (The patches to provide that are not yet upstream, unfortunately,
> > but hopefully that'll be fixed soon)
> > 
> > The three possible workarounds are:
> > 
> > 1. get the apparmor mount feature patchset into your kernel (probably
> > not very feasible?)
> > 2. run containers unconfined by default
> > 3. add lxc.aa_allow_incomplete = 1 to  /usr/share/lxc/config/common.conf
> > or (perhaps better) a file under /usr/share/lxc/config/common.conf.d
> > 
> > The lack of mount restrictions significantly weakens the security
> > guarantees apparmor can provide, so unless you will default to
> > unprivileged containers, (1) may be the hardest but would be the
> > best solution.
> 
> Or just comment those lines?

You mean the lines in src/lxc/lsm/apparmor.c?