[Lxc-users] current status of LXC in Ubuntu precise? (WAS: Problem mounting Host directory in guest)
Serge Hallyn
serge.hallyn at canonical.com
Thu May 10 15:06:31 UTC 2012
Quoting Fajar A. Nugraha (list at fajar.net):
> On Tue, May 8, 2012 at 12:40 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> > On Tue, May 8, 2012 at 12:28 PM, Serge Hallyn
> > <serge.hallyn at canonical.com> wrote:
>
>
> >>> Also, a quick test on my setup (ubuntu precise amd64,
> >>> linux-image-3.2.0-24-generic 3.2.0-24.37, lxc 0.7.5-3ubuntu53) shows
> >>> freshly created container from templates (e.g. lxc-create -t ...,
> >>> tested with sshd and ubuntu templates) will fail to start with the
> >>> same error message that Xavier mentioned:
> >>>
> >>> lxc-start: No such file or directory - failed to change apparmor
> >>> profile to lxc-container-default
> >>
> >> I don't get that problem. Is your host a stock precise image?
> >
> > yes.
>
> I think I found the problem.
>
> Depending on what you meant by "stock precise image", then my host
> might not be one, since it's not installed using the live cd
> installer. It was created using debootstrap, and later "apt-get
> install ubuntu-desktop lxc".
>
> The problem with that approach is:
> - the default lxc guest container setup created using templates will
> try to change apparmor profile to lxc-container-default. That
> operation apparently requires apparmor package to be installed
> - neither ubuntu-desktop, lxc, nor the packages it depends on has any
> dependency for apparmor. lxc only depends on libapparmor1, which
> apparently is not enough
> - using "lxc.aa_profile = unconfined" removes the need to change
> apparmor profile, thus removes the need for apparmor package
>
> So I'm guessing the correct fix would be to either:
> - include apparmor as dependency for lxc, OR
> - use "lxc.aa_profile = unconfined" uncommented by default for
> template-created containers.

Awesome, thanks Fajar. That's clearly a bug in the lxc package.
I *think* none of the code in lxc needs the apparmor package itself,
but it looks like the profile abstractions belong to it, so what
may be happening is that the loading of the lxc profiles is actually
failing due to lack of abstractions? Not sure... In any case I'll
open a bug and get that fixed! Thanks.
-serge
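
The check below is an added example, not part of the original message and not code from the lxc package. It reports, for each container config, whether the AppArmor profile it will switch to is actually loaded on the host, and flags containers set to `lxc.aa_profile = unconfined`. The function names are hypothetical, and it assumes the loaded-profile list is read from `/sys/kernel/security/apparmor/profiles` and that a config with no `lxc.aa_profile` line uses `lxc-container-default`, as the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit LXC container configs against
# the AppArmor profiles currently loaded on the host.

# profile_loaded PROFILES_FILE NAME
# Succeeds if NAME is listed in PROFILES_FILE. Lines in the kernel's list
# look like "lxc-container-default (enforce)"; the trailing mode is stripped.
profile_loaded() {
    awk -v p="$2" '{ sub(/ \([a-z]+\)$/, "") }
                   $0 == p { found = 1 }
                   END { exit !found }' "$1" 2>/dev/null
}

# aa_profile_of CONFIG
# Prints the value of the last uncommented lxc.aa_profile line, or nothing.
aa_profile_of() {
    sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
        tail -n 1
}

# check_container PROFILES_FILE CONFIG
# Prints UNCONFINED, OK:<profile> or MISSING:<profile>.
check_container() {
    want=$(aa_profile_of "$2")
    # Assumption: no explicit setting means lxc-container-default.
    [ -n "$want" ] || want=lxc-container-default
    if [ "$want" = unconfined ]; then
        echo UNCONFINED              # container runs without AppArmor confinement
    elif profile_loaded "$1" "$want"; then
        echo "OK:$want"
    else
        echo "MISSING:$want"         # lxc-start would fail to change profile
    fi
}

# Stand-alone use (reading the profile list usually needs root):
#   sh check.sh /var/lib/lxc/*/config
for cfg in "$@"; do
    printf '%s\t%s\n' "$cfg" \
        "$(check_container /sys/kernel/security/apparmor/profiles "$cfg")"
done
```

A `MISSING` result corresponds to the "failed to change apparmor profile" error quoted above; a missing or unreadable profile list is reported the same way.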