[lxc-users] lxc.aa_allow_incomplete in vivid containers
Mark Constable
markc at renta.net
Fri May 8 06:33:11 UTC 2015
On Fri, 8 May 2015 12:49:37 PM Fajar A. Nugraha wrote:
> > I thought I'd try going back to normal privileged containers which
> > will at least (or did pre-systemd) autostart.
>
> Unprivileged (i.e. container root uid is non 0) can also autostart if
> it is owned by root (i.e. located on /var/lib/lxc)

Thanks, I'll try some more variations.

> > Do I really have to add "lxc.aa_allow_incomplete = 1" to
> > /var/lib/lxc/test/config?

It works when I add the above but I'd like to know if I really need to
add the above.

> Works for me with vivid and lxc 1.1.2+master~20150505-1

Yep, same here...

liblxc1 1.1.2+master~20150505-1736-0ubuntu1~vivid
lxc 1.1.2+master~20150505-1736-0ubuntu1~vivid
lxc-templates 1.1.2+master~20150505-1736-0ubuntu1~vivid
lxcfs 0.7-0ubuntu4

> What does aa-status show?
~ aa-status
apparmor module is loaded.
20 profiles are loaded.
20 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/lxc-start
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
/usr/sbin/tcpdump
lxc-container-default
lxc-container-default-with-mounting
lxc-container-default-with-nesting
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
/usr/lib/telepathy/mission-control-5 (1355)
/usr/sbin/cups-browsed (862)
/usr/sbin/cupsd (743)
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld (1524)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
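
Added example (not part of the original message and not LXC project code): a Python check that parses aa-status output in the format shown above and flags a container config that sets lxc.aa_allow_incomplete or names a profile that is not loaded in enforce mode. The sample text, the lxc.aa_profile key (LXC 1.x naming) and the default profile name are assumptions.

```python
import re

# Constructed sample: shortened aa-status output in the format shown above.
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/lxc-start
   lxc-container-default
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (743)
"""
# Constructed sample container config (LXC 1.x key names).
SAMPLE_CONFIG = "lxc.utsname = test\nlxc.aa_allow_incomplete = 1\n"

HEADER = re.compile(r"^\d+ (profiles|processes) (.+)\.$")

def parse_aa_status(text):
    """Group aa-status entries under their (kind, state) section header."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(aa_text, config_text):
    """Return findings about the container's AppArmor confinement."""
    enforced = parse_aa_status(aa_text).get(("profiles", "are in enforce mode"), [])
    settings = {}
    for line in config_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    findings = []
    if settings.get("lxc.aa_allow_incomplete", "0") == "1":
        findings.append("lxc.aa_allow_incomplete = 1: container may start "
                        "under partial AppArmor protection")
    # Assumption: privileged LXC 1.x containers default to lxc-container-default.
    profile = settings.get("lxc.aa_profile", "lxc-container-default")
    if profile == "unconfined" or profile not in enforced:
        findings.append(f"profile {profile} is not loaded in enforce mode")
    return findings
```

On a host, feed it the text of `aa-status` and the contents of the container's config file, for example /var/lib/lxc/test/config.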