[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Been incomplete for years, closing.

** Changed in: lxc (Ubuntu)
   Status: Incomplete => Invalid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1319525

Title:
  juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms

To manage notifications about this bug go to:
https://bugs.launchpad.net/juju-core/+bug/1319525/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
** Changed in: juju-core
   Status: New => Invalid

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1319525

Title:
  juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms

To manage notifications about this bug go to:
https://bugs.launchpad.net/juju-core/+bug/1319525/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Marking this bug as valid against lxc and invalid against juju-core suggests that you think it is valid to have containers allow this mount by default. Is that the case?

** Changed in: lxc (Ubuntu)
   Status: Confirmed => Incomplete
[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
I do think it is fine for the mount to be allowed. By Invalid, I mean there is no change we can make to the juju-core code to solve this issue. If there is work for the juju-core developers, then I will change the status for juju-core to triaged and get it scheduled to be fixed in time for the trusty fix.
Re: [Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Sorry, I was asking Tyler for a position as a security team member. If he doesn't know offhand then I'll go look at the implementation, but I'm not familiar with it myself.
[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Hi Serge - I'm still wanting a little more information. I tried to reproduce the bug myself and can't hit the AppArmor denial. I assume that it must be specific to Charles' local trusty/wordpress charm.

Charles and/or Curtis, can you explain what change occurred in juju-core that has caused the need to mount rpc_pipefs filesystems inside the container?

Serge, as far as allowing rpc_pipefs inside the container, I don't know how safe that would be off the top of my head. I looked at the other filesystems that are allowed by the container-base abstraction and was surprised to see debugfs was allowed. I can't imagine that allowing rpc_pipefs could be more dangerous than debugfs, but that also doesn't mean that we should allow rpc_pipefs. I need to spend some time today understanding more about rpc_pipefs.
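When trying to confirm whether the mount denial discussed above actually occurs on a host, the kernel audit log can be filtered for AppArmor-denied mount operations. The script below is an added example, not part of the original thread or of any project's code; the log lines, PIDs and the `/run/rpc_pipefs/` mount point are constructed samples in the kernel's usual AppArmor audit format.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not taken from the bug report).
SAMPLE_LOG = '''\
[  101.1] audit: type=1400 audit(1400000000.101:41): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/run/rpc_pipefs/" pid=2101 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="rw"
[  101.9] audit: type=1400 audit(1400000000.109:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=2150 comm="example" requested_mask="r" denied_mask="r"
[  102.4] audit: type=1400 audit(1400000000.204:43): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/run/rpc_pipefs/" pid=2188 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="rw"
[  103.0] audit: type=1400 audit(1400000000.300:44): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/sys/kernel/debug/tracing/trace" pid=2201 comm="cat" requested_mask="r" denied_mask="r"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split one audit line into a dict of its key=value fields."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD.findall(line)}


def mount_denials(log_text):
    """Return the parsed records for AppArmor-denied mount operations."""
    records = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "mount":
            records.append(fields)
    return records


def summarize(log_text):
    """Count denied mounts per (profile, fstype, mount point)."""
    return Counter((r.get("profile"), r.get("fstype"), r.get("name"))
                   for r in mount_denials(log_text))


if __name__ == "__main__":
    for (profile, fstype, target), count in summarize(SAMPLE_LOG).items():
        print(f"{count}x profile={profile} fstype={fstype} target={target}")
```
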
Re: [Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Good point about debugfs. I wonder if we should drop that. I find it hard to believe there are container workloads which need that.
[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Wasn't debugfs allowed only because mountall required it?

I thought we allowed it and then had apparmor restrict where it can be mounted and then block any actual access to it (as we've been doing with any fs that's required by mountall).
Re: [Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
Thank you, yes. We only allow it to be mounted under /sys/fs/debugfs, and do not allow writes under that. phew.
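The pattern described in the two messages above (allow a filesystem type to be mounted only at one fixed path, then deny writes beneath that path) can be checked mechanically. The script below is an added example, not code from the thread or from the lxc package; the profile fragment is constructed, and the parser is a simplification that only understands single-line `mount fstype=X [-> path],` and `deny path perms,` rules.

```python
import re

# Constructed profile fragment; the debugfs path follows the thread's
# description and is not copied from the lxc package.
SAMPLE_PROFILE = '''\
profile example-container {
  mount fstype=debugfs -> /sys/fs/debugfs/,
  deny /sys/fs/debugfs/** w,
  mount fstype=rpc_pipefs,
  mount fstype=mqueue -> /dev/mqueue/,
}
'''

MOUNT = re.compile(r'^\s*mount\s+fstype=(\S+?)\s*(?:->\s*(\S+?))?\s*,\s*$')
DENY = re.compile(r'^\s*deny\s+(\S+)\s+([a-z]+)\s*,\s*$')


def audit(profile_text):
    """Classify each allowed fstype mount.

    'unpinned'        : may be mounted anywhere
    'pinned-writable' : fixed mount point, no deny-write rule beneath it
    'pinned-readonly' : fixed mount point and writes beneath it are denied
    """
    mounts, deny_write = [], set()
    for line in profile_text.splitlines():
        m = MOUNT.match(line)
        if m:
            mounts.append((m.group(1), m.group(2)))
            continue
        d = DENY.match(line)
        if d and "w" in d.group(2):
            deny_write.add(d.group(1))

    report = {}
    for fstype, target in mounts:
        if target is None:
            report[fstype] = "unpinned"
        elif target.rstrip("/") + "/**" in deny_write:
            report[fstype] = "pinned-readonly"
        else:
            report[fstype] = "pinned-writable"
    return report


if __name__ == "__main__":
    for fstype, status in audit(SAMPLE_PROFILE).items():
        print(f"{fstype}: {status}")
```
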
[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms
** Summary changed:

- juju-local LXC containers hang due to App Armor Denial of rpc_fsbind request with local charms
+ juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms