[lxc-devel] LXC 1.1 rc1 has been released

Stéphane Graber stgraber at ubuntu.com
Fri Jan 23 00:14:12 UTC 2015


On Thu, Jan 22, 2015 at 10:36:50PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Thu, Jan 22, 2015 at 09:32:50PM +0000, Serge Hallyn wrote:
> > > Quoting Johannes Kastl (mail at ojkastl.de):
> > > > On 21.01.2015 Stéphane Graber wrote:
> > > > 
> > > > > That means that from now on, we won't be taking new features and
> > > > > will instead work on fixing any remaining rough edges with 1.1.
> > > > 
> > > > I just tested the packages from my repository on the openSUSE build
> > > > service, and I can't start any container on my openSUSE Tumbleweed host:
> > > > 
> > > > > $ sudo lxc-start -n DEBIAN
> > > > > lxc-start: lxc_start.c: main: 345 The container failed to start.
> > > > > lxc-start: lxc_start.c: main: 347 To get more details, run the container in foreground mode.
> > > > > lxc-start: lxc_start.c: main: 349 Additional information can be obtained by setting the --logfile and --logpriority options.
> > > > 
> > > > Apparently this is an issue with apparmor:
> > > > > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:171 - If you really want to start this container, set
> > > > > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:172 - lxc.aa_allow_incomplete = 1
> > > > > lxc-start 1421956341.455 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:173 - in your container configuration file
> > > > 
> > > > Adding lxc.aa_allow_incomplete = 1 allows me to start the container.
> > > > 
> > > > How to solve this for the 1.1 release? I am not familiar with
> > > > apparmor, and I have no idea where the error is. Apparmor profile? lxc?
> > > 
> > > Your kernel doesn't have the patches for apparmor mount restrictions.
> > > (You can verify this by looking for the file
> > > /sys/kernel/security/apparmor/features/mount/mask )
> > > 
> > > (The patches to provide that are not yet upstream, unfortunately,
> > > but hopefully that'll be fixed soon)
> > > 
> > > The three possible workarounds are:
> > > 
> > > 1. get the apparmor mount feature patchset into your kernel (probably
> > > not very feasible?)
> > > 2. run containers unconfined by default
> > > 3. add lxc.aa_allow_incomplete = 1 to /usr/share/lxc/config/common.conf
> > > or (perhaps better) a file under /usr/share/lxc/config/common.conf.d
> > > 
> > > The lack of mount restrictions significantly weakens the security
> > > guarantees apparmor can provide, so unless you will default to
> > > unprivileged containers, (1) may be the hardest but would be the
> > > best solution.
> > 
> > Or just comment those lines?
> 
> You mean the lines in src/lxc/lsm/apparmor.c?

I mean the mount, socket or whatever lines in the apparmor profile that
aren't understood by the apparmor parser on the system.

Basically what we do with the Ubuntu package, where we strip any apparmor
profile stanza which the parser on the given release doesn't support.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
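As an added illustration of the kernel check Serge describes and the stanza-stripping approach Stéphane mentions (example code written for this page, not LXC's own packaging scripts): the features-file test, and a filter that drops mount-related rules from a constructed profile fragment when the feature is absent. The root-directory argument and the sample profile are assumptions made so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: decide whether an LXC AppArmor profile can be loaded as-is
# on this kernel, or must have its mount rules stripped first (the
# alternative to lxc.aa_allow_incomplete = 1 discussed in the thread).

# Returns 0 when the kernel advertises AppArmor mount mediation.
# $1 is an assumed root prefix (default "/") so tests can point elsewhere.
aa_mount_supported() {
    root=${1:-/}
    [ -e "$root/sys/kernel/security/apparmor/features/mount/mask" ]
}

# Remove rules the parser cannot handle without mount support:
# mount, remount, umount, pivot_root, optionally prefixed by audit/deny.
# Everything else (file, network, capability rules) is kept untouched.
strip_mount_rules() {
    sed -E '/^[[:space:]]*((audit|deny)[[:space:]]+)*(mount|remount|umount|pivot_root)([[:space:]]|,|$)/d' "$1"
}

# Constructed sample profile fragment, for demonstration only.
SAMPLE_PROFILE='profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,
  mount fstype=proc -> /proc/,
  deny mount fstype=debugfs -> /**,
  mount options=(rw,bind),
  deny /sys/firmware/efi/efivars/** rwklx,
}'

# Print the profile in the form this kernel's parser will accept.
# $1 = root prefix for the feature check, $2 = profile file.
prepare_profile() {
    if aa_mount_supported "$1"; then
        cat "$2"
    else
        strip_mount_rules "$2"
    fi
}
```

On a host without the mount feature, the stripped profile still confines files, networking and capabilities; it just no longer restricts mounts, which is the weakening Serge warns about.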