@fnordahl Hi! Let's keep the discussion about bug 1701297 in that bug
since it is focused on the change in behavior between the Xenial release
kernel and the HWE kernel. That's not what this bug is about. John is
investigating the change in behavior issue. Jamie's previous
investigations of
@andreserl
There are severe security implications of doing 2) from now until all
future, and unfortunately I have seen that this is being done in the
wild.
I would be much more comfortable by actually finding the root cause of
the issue at hand and fixing that.
This is what I am currently
@Frode,
Users running 2.2 *already* have the apparmor=0 workaround for
*ephemeral* environments only.
For users running previous versions, we recommend you upgrade
immediately, provided that 2.0 and 2.1 are out of support. If you decide
not to upgrade, your options are:
1. Use a HWE kernel
@Frode, I can, yes, when I file them. I need to do a bit of work for
simple reproducers/etc/etc to file them. I've added an item to add a
comment to this bug when I do.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
This problem has surfaced again with recent MAAS Ubuntu images. One
report in bug 1701297. I have information about at least two other end
users hit by the problem.
Adding a workaround by setting apparmor=0 kernel parameter in MAAS 2.2
will not help users that are running previous versions.
Closing the MAAS task as the referenced bug is marked Fix Released. If
there are issues there still, please see my previous comment and look at
the code in that snap-- there are viable ways to use overlayfs with
chroot and an apparmor alias rule, or overlayfs with private mount,
chroot and
Actually, I marked the MAAS task as incomplete in case people want to
give feedback.
--
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for
Ok, I spent quite a bit of time evaluating this and believe this bug can
be closed, but other bugs open.
In looking at this I created https://code.launchpad.net/~jdstrand/+git/test-overlay
(to build simply git clone, run 'snapcraft', install the
snap and then run 'test-overlay' for instructions
@lamont does this need to have a MAAS task? Are we going to address it
somehow in MAAS?
--
** Tags removed: kernel-da-key
--
https://bugs.launchpad.net/bugs/1408106
Title:
attach_disconnected not sufficient for overlayfs
Status in AppArmor:
In Progress
Status
This bug causes maas testing to fail (at least the ntp test, because of
overlayfs and apparmor and ntp having a profile.) See
https://bugs.launchpad.net/maas/+bug/1677336
Hardware testing is a requirement for MAAS 2.2.
--
** Also affects: maas
Importance: Undecided
Status: New
--
Hi! What kind of (realistic) timeline can we expect here? (With the move
to ZFS for containers, I wonder :)
E.g. is this part of your goals for 16.10? (I mean: for the
AppArmor/Ubuntu-specific parts, as I've learnt to be patient wrt. the
upstreaming to Linux mainline.)
Thanks for your work on
** Changed in: linux (Ubuntu)
Status: Confirmed => Triaged
--
** Description changed:
With the following use of overlayfs, we get a disconnected path:
$ cat ./profile
#include <tunables/global>
profile foo {
  #include <abstractions/base>
  capability sys_admin,
  capability sys_chroot,
  mount,
  pivot_root,
}
$ cat ./overlay.c
** Tags removed: kernel-key
** Tags added: kernel-da-key
--
** Summary changed:
- allow defining the attach root for attach_disconnected
+ attach_disconnected not sufficient for overlayfs
--