I had been considering splitting the lxc apparmor profile loading to its
own upstart job so it would happen sooner, but that will only make the
container start weirdly due to lxc-net not having started. What we need
is a way for lxc-start to know that it shouldn't run yet.
I propose we add a
This bug was fixed in the package lxc - 1.0.0~alpha2-0ubuntu5
---
lxc (1.0.0~alpha2-0ubuntu5) trusty; urgency=low
[ Serge Hallyn ]
* debian/rules and debian/lxc.postinst: set /var/lib/lxc and /var/cache/lxc
to be perms 700. That prevents unprivileged users from running
As mentioned, this is on an Ubuntu Touch system and it happens on
boot. It is still the case as of today. I don't know much about the
container flip on Touch devices, but right now, the apparmor profile is
not in effect on these systems. I can confirm this on the Nexus 7
(grouper) and Nexus 4
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: lxc-android-config (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
Ah, so this is a bug in the lxc-android-config package. Its upstart
job, which does an lxc-start, needs to wait for the lxc upstart job to
complete, since lxc is the one to load the apparmor profiles.
** Also affects: lxc-android-config (Ubuntu)
Importance: Undecided
Status: New
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: lxc (Ubuntu)
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/1227937
@Serge: I encounter the issue in
http://10.97.0.1:8080/job/autopilot-saucy-daily_release/label=autopilot-intel/2465/console
which runs on intel. I will try to reproduce locally (this happened in
the ci lab).
--
Or it can manually load the lxc apparmor profiles the same way
/etc/lxc/lxc.conf does.
--
The LXC container on touch has always been lxc.aa_profile=unconfined so
whether apparmor is ready or not shouldn't matter since it's configured
not to use it.
If we did want apparmor to protect the container, then we'd indeed have
a race at the moment, but since we don't, I'm pretty confused as
Here is my understanding:
1. So long as a container has a profile specified, then if the apparmor
policies have not been loaded, the container start will fail.
2. In the lxc-android-config case, the container has lxc.aa_profile =
unconfined. Therefore it is possible for lxc-start (which
** Changed in: lxc (Ubuntu)
Importance: Undecided => High
--
Title:
lxc-start is unconfined but has a profile defined