Your message dated Sat, 07 Mar 2026 09:47:07 +0000
with message-id <[email protected]>
and subject line Bug#1111087: fixed in lxc 1:6.0.4-4+deb13u2
has caused the Debian Bug report #1111087,
regarding Namespaces are unavailable for non-root containers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111087
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: liblxc-common
Version: 1:6.0.4-4+b3

It seems the fix for #1098521 (0003-apparmor-4x-userns.patch) is
incomplete and a hunk for config/apparmor/abstractions/container-base
(without .in) is missing.

I have experienced issues with non-root unprivileged containers after
upgrading to Debian 13 trixie. Systemd units with a User=... directive fail
(trixie container, download template, e.g. systemd-networkd.service), and
applications cannot create namespaces for additional isolation even in
Debian 12 bookworm containers.

Container:

systemd[1]: systemd-resolved.service: Main process exited, code=exited, status=217/USER

Host:

audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"

I have found #1098521, which is fixed, but the "userns," line is missing from
/etc/apparmor.d/abstractions/lxc/container-base. According to
config/apparmor/README the file needs an explicit manual update after
modification of the ".in" template. I expect that the applied fix is
enough for the "generated" AppArmor profile for containers run by root,
but not for non-root containers.

I have noticed #1111087, but the related merge request modifies mount
rules.

I hope adding "userns," to container-base will not ruin the isolation of
privileged containers.

The following workaround avoids the issues for non-root fully
unprivileged containers:

Add a "userns," line at the beginning of /etc/apparmor.d/abstractions/lxc/
container-base and run

    apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers

Alternatively, if namespaces are not necessary for applications running
inside containers, then the isolation of specific systemd units with User=
directives may be relaxed for trixie guests:

/etc/systemd/system/systemd-networkd.service.d/disable-namesplaces.conf

  # Drop-in settings must live in a [Service] section or systemd rejects them
  [Service]
  LockPersonality=no
  MemoryDenyWriteExecute=no
  ProtectClock=no
  ProtectKernelLogs=no
  ProtectKernelModules=no
  RestrictAddressFamilies=
  RestrictNamespaces=no
  RestrictRealtime=no
  RestrictSUIDSGID=no
  SystemCallArchitectures=
  SystemCallFilter=
  # E.g. systemd-networkd should have it
  PrivateDevices=no
  PrivateTmp=no
  # for polkit.service
  ProtectHostname=no
  # Added by recent versions of the lxc generator
  # for the "download" template;
  # it may be necessary for upgraded containers.
  ImportCredential=
  PrivateNetwork=no

If it were not for the constant troubles with kernel and AppArmor bugs causing issues with non-root containers, I would set a higher priority on this issue.

Please consider updating 0003-apparmor-4x-userns.patch to add a hunk with
    userns,
for the config/apparmor/abstractions/container-base file.

--- End Message ---
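A shell helper, added here as an example and not part of the bug report or of the lxc package, that automates the check the report describes: whether the abstraction file carries an uncommented "userns," rule, adding it idempotently when it does not, and picking userns_create denials out of audit/kernel log lines of the form quoted above. The function names are this example's own; the first sample log line is the one from the report and the other two are constructed; the reload command is the one given in the report and needs root on an AppArmor host.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the lxc package.
# Helpers for the userns_create denial described above: check/add the
# "userns," rule in an AppArmor abstraction and extract matching denials
# from audit/kernel log lines. Function names are assumptions of this example.

# Path of the abstraction named in the report (only read, never written,
# by the demo at the bottom).
CONTAINER_BASE=/etc/apparmor.d/abstractions/lxc/container-base

# Return 0 if FILE has an uncommented "userns," rule, 1 otherwise.
has_userns_rule() {
    grep -Eq '^[[:space:]]*userns,' "$1"
}

# Prepend "userns," to FILE when it is missing (idempotent: a second call
# adds nothing). Does not reload any profile.
add_userns_rule() {
    if has_userns_rule "$1"; then
        return 0
    fi
    { printf 'userns,\n'; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Reload the container profiles so the changed abstraction is picked up.
# This is the exact command from the report; it needs root on an AppArmor host.
reload_lxc_profiles() {
    apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers
}

# Read log lines on stdin; print "<profile> <operation>" for each AppArmor
# DENIED userns_create event. Field order follows the kernel's audit line:
# apparmor=... operation=... class=... profile=...
userns_denials() {
    grep -E 'apparmor="DENIED"' |
    grep -E 'operation="userns_create"' |
    sed -nE 's/.*operation="([^"]*)".*profile="([^"]*)".*/\2 \1/p'
}

# Constructed sample: the first line is the host audit message from the
# report, the other two are made up to show that ALLOWED events and
# non-userns denials are ignored.
SAMPLE_LOG='audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"
audit: type=1400 audit(1766123065.001:281): apparmor="ALLOWED" operation="userns_create" class="namespace" profile="lxc-container-default"
audit: type=1400 audit(1766123066.002:282): apparmor="DENIED" operation="open" class="file" profile="lxc-container-default-cgns"'

# Stand-alone demo: parse the sample and report on the real abstraction
# if it is readable. Nothing is modified or reloaded here.
demo() {
    echo "userns_create denials in sample log:"
    printf '%s\n' "$SAMPLE_LOG" | userns_denials
    if [ -r "$CONTAINER_BASE" ]; then
        if has_userns_rule "$CONTAINER_BASE"; then
            echo "$CONTAINER_BASE: userns rule present"
        else
            echo "$CONTAINER_BASE: userns rule MISSING (run add_userns_rule and reload_lxc_profiles as root)"
        fi
    else
        echo "$CONTAINER_BASE not readable on this host; skipping"
    fi
}

demo
```

To apply the workaround from the report on a real host, run `add_userns_rule "$CONTAINER_BASE"` followed by `reload_lxc_profiles` as root; the demo above deliberately only reads the file, so it can be run first to see whether the rule is already there.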
--- Begin Message ---
Source: lxc
Source-Version: 1:6.0.4-4+deb13u2
Done: Mathias Gibbens <[email protected]>

We believe that the bug you reported is fixed in the latest version of
lxc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathias Gibbens <[email protected]> (supplier of updated lxc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Mar 2026 19:05:00 +0000
Source: lxc
Architecture: source
Version: 1:6.0.4-4+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: pkg-lxc <[email protected]>
Changed-By: Mathias Gibbens <[email protected]>
Closes: 1111087
Changes:
 lxc (1:6.0.4-4+deb13u2) trixie; urgency=medium
 .
   * Cherry-pick upstream fix for data corruption during heavy IO on PTS
   * Update lxc-default-with-nesting apparmor profile (Closes: #1111087)
Checksums-Sha1:
 3366780d7352de9575a9fac15041cd97a712e211 2704 lxc_6.0.4-4+deb13u2.dsc
 08dec36d0076aa803e1bcafb1a7ed1e9e5d629c3 964064 lxc_6.0.4.orig.tar.gz
 931d3be0f134cbc418bbc78e2013efbce49e2609 60924 lxc_6.0.4-4+deb13u2.debian.tar.xz
 90062ac15cba537cc797c6612a6653a84f2f5d28 14453 lxc_6.0.4-4+deb13u2_amd64.buildinfo
Checksums-Sha256:
 36d3b53371f2e20acb35128684d19ee30474aad51d470f833f1ea5427835fe32 2704 lxc_6.0.4-4+deb13u2.dsc
 872d26ce8512b9f993d194816e336bf9f3ad8326f22dc24ef0f01f85599fa8b9 964064 lxc_6.0.4.orig.tar.gz
 46e5011ab7ae72c7a89b57fdb0e757a94355a9988e398b1d117549e2df79a70e 60924 lxc_6.0.4-4+deb13u2.debian.tar.xz
 50a549afb846b31c949be2c30831e4948bbd3777f3ea5505ce03d1026da6f376 14453 lxc_6.0.4-4+deb13u2_amd64.buildinfo
Files:
 911e1dc31ae3e6ddeec37750e10b920e 2704 admin optional lxc_6.0.4-4+deb13u2.dsc
 8ddebe17ef04044cfb66a89ede43dd72 964064 admin optional lxc_6.0.4.orig.tar.gz
 a31fbc5447cce9a3a3c07cf7043c65c5 60924 admin optional lxc_6.0.4-4+deb13u2.debian.tar.xz
 c2e99dded4fb6b20a9a0c2c2eec23450 14453 admin optional lxc_6.0.4-4+deb13u2_amd64.buildinfo



--- End Message ---
