[Lxc-users] Read-only container /proc

Serge Hallyn serge.hallyn at ubuntu.com
Wed Sep 18 18:48:49 UTC 2013


Quoting Andre Nathan (andre at digirati.com.br):
> Hi Serge
> 
> On 09/18/2013 01:55 PM, Serge Hallyn wrote:
> > An unfortunate known bug - try the package in raring-proposed.
> > (You'll need lxc-start to be running unconfined as well, but if
> > that worked for you in precise I assume you already have that).
> 
> I am using that package (I reported those ipv6 and aa_profile bugs). I

d'oh.

> thought this could be a separate issue, but this behavior means it's
> still trying to change the profile even when it's unconfined right?

Double-d'oh.  The package in raring-proposed doesn't yet have the needed
fix, which is below.  It's in upstream git.  Do you mind opening a new
bug so we can SRU this?

commit c3cb8580407b6f6b49949e6c58e175eec81db692
Author: Serge Hallyn <serge.hallyn at ubuntu.com>
Date:   Tue Sep 10 17:23:22 2013 -0500

    apparmor.c: drop newline when reading current profile
    
    Otherwise we fail to recognize if we are already unconfined.  Then,
    if we want to *start* unconfined, and /proc is readonly, start fails
    even though it should be able to proceed.
    
    With this patch, that situation works.
    
    Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
    Reported-by: Andre Nathan <andre at digirati.com.br>

diff --git a/src/lxc/apparmor.c b/src/lxc/apparmor.c
index 3941d3f..4dad801 100644
--- a/src/lxc/apparmor.c
+++ b/src/lxc/apparmor.c
@@ -77,6 +77,9 @@ again:
 		free(buf);
 		return NULL;
 	}
+	space = index(buf, '\n');
+	if (space)
+		*space = '\0';
 	space = index(buf, ' ');
 	if (space)
 		*space = '\0';
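Review bot: the new stanza stores the newline pointer in a variable called `space`, which reads wrongly at first sight; since this stanza and the existing `index(buf, ' ')` stanza below it together just truncate `buf` at the first space or newline, the two can collapse into one standard-C line, `buf[strcspn(buf, " \n")] = '\0';`, which also retires `index()` (marked LEGACY in POSIX, `strchr()` is the portable equivalent) from this path. If the two-step form is kept, a separate `nl` pointer, or a one-line comment saying that the read of /proc/self/attr/current ends in a newline that would otherwise defeat the "unconfined" comparison, would make the intent obvious to the next reader.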

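An added example, not lxc code and not part of the message above: it shows why the raw contents of /proc/self/attr/current cannot be compared with "unconfined" directly, and what the trimmed comparison the patch aims for looks like. Nothing is read from /proc; the sample strings are constructed, and the function names (aa_profile_name, naive_is_unconfined, is_unconfined, profile_name_is) are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lxc code: the profile string read from
 * /proc/self/attr/current has to be trimmed before it is compared with
 * "unconfined". Samples below are constructed, nothing is read from /proc,
 * and the function names are this example's own. */

#define PROFILE_MAX 1024

/* Copy raw into out (at most outlen-1 bytes) and cut it at the first space
 * or newline. strcspn() does in one step what the patch's two index()/'\0'
 * stanzas do: the trailing newline goes, and so does a mode suffix such as
 * " (enforce)". Returns out. */
char *aa_profile_name(const char *raw, char *out, size_t outlen)
{
    size_t n = strlen(raw);
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, raw, n);
    out[n] = '\0';
    out[strcspn(out, " \n")] = '\0';
    return out;
}

/* Pre-patch behaviour: compare the raw string. "unconfined\n" is not equal
 * to "unconfined", so an already-unconfined lxc-start wrongly concludes it
 * is confined and goes on to try changing profile. */
int naive_is_unconfined(const char *raw)
{
    return strcmp(raw, "unconfined") == 0;
}

/* Post-patch behaviour: trim first, then compare. */
int is_unconfined(const char *raw)
{
    char buf[PROFILE_MAX];
    return strcmp(aa_profile_name(raw, buf, sizeof buf), "unconfined") == 0;
}

/* Does raw trim to exactly expected? Handy for checks without a buffer. */
int profile_name_is(const char *raw, const char *expected)
{
    char buf[PROFILE_MAX];
    return strcmp(aa_profile_name(raw, buf, sizeof buf), expected) == 0;
}

int main(void)
{
    /* Constructed samples of what a read of /proc/self/attr/current can
     * yield: unconfined with and without the newline, a confined profile in
     * enforce mode, a path-named profile in complain mode, and an empty read. */
    const char *samples[] = {
        "unconfined\n",
        "unconfined",
        "lxc-container-default (enforce)\n",
        "/usr/bin/lxc-start (complain)\n",
        "",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[PROFILE_MAX];
        printf("sample %zu: naive=%d fixed=%d name=\"%s\"\n",
               i,
               naive_is_unconfined(samples[i]),
               is_unconfined(samples[i]),
               aa_profile_name(samples[i], buf, sizeof buf));
    }
    return 0;
}
```

The first sample is the case from the commit message: the naive comparison says "confined", the trimmed one says "unconfined". The other samples show that the same single cut also strips the mode suffix, so the name is what later profile comparisons expect.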