[Bug 1204069] Re: lxc dhcp fails
I can confirm that on an up-to-date Saucy system, a brand new container with the ubuntu template network doesn't work. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1204069 Title: lxc dhcp fails To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1204069/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244713] Re: invalid syntax for check_ssh plugin
Please be so kind and merge 1.4.16-3 from Debian, which fixes this issue (beside some small other once): nagios-plugins (1.4.16-3) unstable; urgency=medium * Fixed check_squid* command definitions * Add double threshold to check_smtp (LP: #318703) - 12_check_smtp_double_threshold.dpatch * Remove the additional argument from check_ssh and check_proc (Closes: #717229, 720580) You can fetch the package from http://snapshot.debian.org/package /nagios-plugins/1.4.16-3/ ** Bug watch added: Debian Bug tracker #717229 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717229 ** Also affects: nagios-plugins (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717229 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nagios-plugins in Ubuntu. https://bugs.launchpad.net/bugs/1244713 Title: invalid syntax for check_ssh plugin To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/1244713/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 318703] Re: nagios check_smtp expects integer instead of double
This is fixed in version 1.5 of nagios-plugins ** Changed in: nagios-plugins Importance: Unknown = Undecided ** Changed in: nagios-plugins Status: Unknown = New ** Changed in: nagios-plugins Remote watch: SourceForge.net Tracker #2555775 = None ** Changed in: nagios-plugins Importance: Undecided = Unknown ** Changed in: nagios-plugins Status: New = Unknown ** Changed in: nagios-plugins Remote watch: None = SourceForge.net Tracker #2555775 ** Changed in: nagios-plugins Importance: Unknown = Undecided ** Changed in: nagios-plugins Status: Unknown = New ** Changed in: nagios-plugins Remote watch: SourceForge.net Tracker #2555775 = None ** Changed in: nagios-plugins Status: New = In Progress -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nagios-plugins in Ubuntu. https://bugs.launchpad.net/bugs/318703 Title: nagios check_smtp expects integer instead of double To manage notifications about this bug go to: https://bugs.launchpad.net/nagios-plugins/+bug/318703/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244635] Re: setuid executables in a container may compromise security on the host
I also don't feel that this is a high priority bug since, so far, we do not recommend allowing unprivileged users to use containers. Agreed. Especially because (currently) it's fairly easy to escape from LXC when you have root access to the container. I don't believe it would be a serious loss of functionality to chmod 0700 /var/lib/lxc. ... So I think a regular update in trusty with SRUs to all previous releases is ok. I've used this functionality many times in the past. While I can do without it in exchange for security, some people may have written scripts that depend on this functionality, hence a SRU would be nasty for them. My personal opinion is: LXC is insecure and it does not deserve potentially dangerous security updates in stable releases. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1244635 Title: setuid executables in a container may compromise security on the host To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244713] Re: invalid syntax for check_ssh plugin
** Changed in: nagios-plugins (Debian) Status: Unknown = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nagios-plugins in Ubuntu. https://bugs.launchpad.net/bugs/1244713 Title: invalid syntax for check_ssh plugin To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/1244713/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 918543] Re: vbox build fails with NameMapper.NotFound: cannot find 'mac'
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: vm-builder (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to vm-builder in Ubuntu. https://bugs.launchpad.net/bugs/918543 Title: vbox build fails with NameMapper.NotFound: cannot find 'mac' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/vm-builder/+bug/918543/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244713] Re: invalid syntax for check_ssh plugin
Wow, that was quick, good job guys =) Thanks, Tom -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nagios-plugins in Ubuntu. https://bugs.launchpad.net/bugs/1244713 Title: invalid syntax for check_ssh plugin To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/1244713/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1234880] Re: HP ilo4 consoles default to autodetect protocol, which doesn't work
** Changed in: maas Status: Triaged = Fix Committed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to maas in Ubuntu. https://bugs.launchpad.net/bugs/1234880 Title: HP ilo4 consoles default to autodetect protocol, which doesn't work To manage notifications about this bug go to: https://bugs.launchpad.net/maas/+bug/1234880/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244635] Re: setuid executables in a container may compromise security on the host
For those users, getting back to the old way would be a chmod away and I asked Serge to make sure permissions would only be changed once and not with every update, so it should be a one time thing. As for security, while we don't currently say LXC is secure on Ubuntu, we're not aware of any way to escape a default container (Ubuntu on Ubuntu) starting with 12.04 when running with all default settings (specifically, under apparmor). If you know of a way to do so, I'd love to hear about it so we can adapt our apparmor profile to prevent it. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1244635 Title: setuid executables in a container may compromise security on the host To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1234880] Re: HP ilo4 consoles default to autodetect protocol, which doesn't work
** Branch linked: lp:~andreserl/maas/fix_ipmi_lp1234880_1.4 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to maas in Ubuntu. https://bugs.launchpad.net/bugs/1234880 Title: HP ilo4 consoles default to autodetect protocol, which doesn't work To manage notifications about this bug go to: https://bugs.launchpad.net/maas/+bug/1234880/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 1204069] Re: lxc dhcp fails
Quoting Ross Patterson (m...@rpatterson.net): I can confirm that on an up-to-date Saucy system, a brand new container with the ubuntu template network doesn't work. Did you make sure that the brand new container was created with a flushed cache? (Either rm -rf /var/cache/lxc/* or add '-- -F' to the lxc-create arguments) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1204069 Title: lxc dhcp fails To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1204069/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244635] Re: setuid executables in a container may compromise security on the host
Hi Stéphane, I can see at least three ways of escaping. The first is using LXC through libvirt. I see that there's an Apparmor profile for usr.bin.lxc-start, but AFAIK libvirt does not use lxc-start. Also, libvirt does not load the lxc-containers profile (AFAIK). This is proven by the fact that `cat /sys/kernel/security/apparmor/profiles` does not fail when done from within my LXC+libvirt guest. Also, reading /etc/apparmor.d/abstractions/lxc/container-base I see that there are many deny rules, but you are missing at least two: /sys/kernel/uevent_helper and /sys/class/mem/null/uevent. See http://blog.bofh.it/debian/id_413 for a way for escaping using these two files. Finally, while there are rules that deny read and writes to /sys, but there are no rules that deny me to e.g. `mount -t sysfs sysfs /tmp/sys` or bind-mount /sys to an another location. (I'm not sure about this point because, you know, I'm using libvirt and I cannot test.) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1244635 Title: setuid executables in a container may compromise security on the host To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1245043] Re: package squid3 3.3.8-1ubuntu3 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
*** This bug is a duplicate of bug 1241957 *** https://bugs.launchpad.net/bugs/1241957 Thank you for taking the time to report this crash and helping to make this software better. This particular crash has already been reported and is a duplicate of bug #1241957, so is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Please continue to report any other bugs you may find. ** Tags removed: need-duplicate-check ** This bug has been marked a duplicate of bug 1241957 package squid3 3.3.8-1ubuntu3 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to squid3 in Ubuntu. https://bugs.launchpad.net/bugs/1245043 Title: package squid3 3.3.8-1ubuntu3 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1245043/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1245043] [NEW] package squid3 3.3.8-1ubuntu3 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
*** This bug is a duplicate of bug 1241957 *** https://bugs.launchpad.net/bugs/1241957 Public bug reported: I did do-dist-upgrade and this is what it showed me. ProblemType: Package DistroRelease: Ubuntu 13.10 Package: squid3 3.3.8-1ubuntu3 ProcVersionSignature: Ubuntu 3.8.0-32.47-generic 3.8.13.10 Uname: Linux 3.8.0-32-generic i686 ApportVersion: 2.12.5-0ubuntu2.1 Architecture: i386 Date: Sat Oct 26 08:41:06 2013 DuplicateSignature: package:squid3:3.3.8-1ubuntu3:ErrorMessage: subprocess installed post-installation script returned error exit status 1 ErrorMessage: ErrorMessage: subprocess installed post-installation script returned error exit status 1 InstallationDate: Installed on 2013-01-23 (275 days ago) InstallationMedia: Ubuntu-Server 12.04 LTS Precise Pangolin - Release i386 (20120424.1) MarkForUpload: True SourcePackage: squid3 Title: package squid3 3.3.8-1ubuntu3 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1 UpgradeStatus: Upgraded to saucy on 2013-10-26 (0 days ago) mtime.conffile..etc.squid3.squid.conf: 2013-10-16T12:34:16.750369 ** Affects: squid3 (Ubuntu) Importance: Undecided Status: New ** Tags: apport-package i386 saucy -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to squid3 in Ubuntu. https://bugs.launchpad.net/bugs/1245043 Title: package squid3 3.3.8-1ubuntu3 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1245043/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244635] Re: setuid executables in a container may compromise security on the host
Right, libvirt-lxc isn't LXC (even though they sort of stole the name) and is indeed completely unsafe... As for the rest, I'm happy to report that you misread the apparmor profile and that we thought of and blocked all of those from the beginning as is shown below: root@lxc-dev:/# echo abc /sys/kernel/uevent_helper bash: /sys/kernel/uevent_helper: Permission denied root@lxc-dev:/# echo abc /sys/class/mem/null/uevent bash: /sys/class/mem/null/uevent: Permission denied root@lxc-dev:/# mount -t sysfs syfs /mnt mount: block device syfs is write-protected, mounting read-only mount: cannot mount block device syfs read-only root@lxc-dev:/# mount --bind /sys /mnt mount: block device /sys is write-protected, mounting read-only mount: cannot mount block device /sys read-only -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1244635 Title: setuid executables in a container may compromise security on the host To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1244635] Re: setuid executables in a container may compromise security on the host
Good news. However I must say that the documentation on LXC does not say that libvirt is less secure than the official LXC: https://help.ubuntu.com/13.10/serverguide/lxc.html#lxc-libvirt So either libvirt should ship with an Apparmor profile for LXC, or a warning should be added to the relevant places of the documentation -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/1244635 Title: setuid executables in a container may compromise security on the host To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1244635/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1231182] Re: kpartx-boot: Typo in package description: availible
** Branch linked: lp:~hjd/ubuntu/trusty/multipath-tools/bug1231182 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to multipath-tools in Ubuntu. https://bugs.launchpad.net/bugs/1231182 Title: kpartx-boot: Typo in package description: availible To manage notifications about this bug go to: https://bugs.launchpad.net/ddtp-ubuntu/+bug/1231182/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1231182] Re: kpartx-boot: Typo in package description: availible
Thanks for taking your time to report this issue and help making Ubuntu better. I have created a patch for this and submitted it for review. ** Changed in: multipath-tools (Ubuntu) Status: New = In Progress ** Changed in: multipath-tools (Ubuntu) Assignee: (unassigned) = Hans Joachim Desserud (hjd) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to multipath-tools in Ubuntu. https://bugs.launchpad.net/bugs/1231182 Title: kpartx-boot: Typo in package description: availible To manage notifications about this bug go to: https://bugs.launchpad.net/ddtp-ubuntu/+bug/1231182/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1228649] Re: noVNC doesn't work when offloaded to port 80 or 443
This should be backported for 12.04, since most should be running LTS. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nova in Ubuntu. https://bugs.launchpad.net/bugs/1228649 Title: noVNC doesn't work when offloaded to port 80 or 443 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1228649/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
