[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-06-11 Thread Serge Hallyn
** Tags removed: needssru

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/989853

Title:
  autostart containers must be started after apparmor profiles are
  loaded

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/989853/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-22 Thread Launchpad Bug Tracker
This bug was fixed in the package lxc - 0.7.5-3ubuntu56

---
lxc (0.7.5-3ubuntu56) precise-proposed; urgency=low

  * Fix Ubuntu template to install the host architecture of the required
    multi-arch packages (when using qemu-user-static) instead of hardcoded
    amd64 version. (LP: #999187)

lxc (0.7.5-3ubuntu55) precise-proposed; urgency=low

  * 0082-umount-old-proc: fix proc auto-mount.  If /proc is already mounted,
    make sure that /proc/self points to 1, since we are container init.
    Otherwise, assume proc is an old one, and umount it and remount our own.
    If we keep the old proc mounted, apparmor transitions will be tried for
    wrong task and fail.  Also move check for whether apparmor is enabled so
    that it is called by lxc-execute.  (LP: #993706)
  * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud
    needs it.  (LP: #995361)
  * debian/lxc.upstart: load apparmor profiles before auto-starting containers.
    (LP: #989853)
  * debian/control: add apparmor to lxc Depends (LP: #997681)
  * debian/local/lxc-start-ephemeral: quote $line so its contents don't get
    expanded (LP: #997687)
 -- Stephane Graber stgra...@ubuntu.com   Tue, 15 May 2012 12:00:18 -0400

** Changed in: lxc (Ubuntu Precise)
   Status: Fix Committed => Fix Released



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-17 Thread Stéphane Graber
Fix confirmed here, stop/start of lxc after the update loads the needed
apparmor profile and starts the container as expected.

** Tags removed: verification-needed
** Tags added: verification-done

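The SRU test case in this thread distinguishes a fixed from a broken system by whether the container init's /proc/pid/attr/current reads lxc-container-default or unconfined. The following shell script is an added example, not part of the original thread or of the lxc package, that automates that comparison; the function names and the sample labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an AppArmor label read from /proc/<pid>/attr/current.
# The kernel reports "unconfined" or "<profile> (<mode>)",
# e.g. "lxc-container-default (enforce)".

# check_confinement FILE EXPECTED_PROFILE
# Prints: confined | complain | unconfined | other | unreadable
check_confinement() {
    attr_file=$1
    expected=$2
    # Strip the trailing newline (and any NUL); a missing file or a failed
    # read (no AppArmor on this kernel) is reported as unreadable.
    label=$(tr -d '\000\n' 2>/dev/null < "$attr_file") \
        || { echo unreadable; return 0; }
    case $label in
        unconfined)             echo unconfined ;;
        "$expected (enforce)")  echo confined ;;
        "$expected (complain)") echo complain ;;
        *)                      echo other ;;
    esac
}

# check_pid PID [PROFILE]: same check against a live process, e.g. the
# container's init PID as seen from the host.
check_pid() {
    check_confinement "/proc/$1/attr/current" "${2:-lxc-container-default}"
}

# Constructed sample labels (not captured from a real system).
demo_constructed() {
    dir=$(mktemp -d) || return 1
    printf 'lxc-container-default (enforce)\n'  > "$dir/fixed"
    printf 'unconfined\n'                       > "$dir/broken"
    printf 'lxc-container-default (complain)\n' > "$dir/complain"
    for f in fixed broken complain missing; do
        printf '%s=%s\n' "$f" \
            "$(check_confinement "$dir/$f" lxc-container-default)"
    done
    rm -rf "$dir"
}

demo_constructed
```

Anything other than "confined" for an auto-started container's init means the container is not running under the enforced lxc-container-default profile.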


[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-14 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/precise-proposed/lxc



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-11 Thread Martin Pitt
Hello Serge, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be
available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Thank you in advance!

** Changed in: lxc (Ubuntu Precise)
   Status: New => Fix Committed

** Tags added: verification-needed



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-07 Thread Serge Hallyn
** Changed in: lxc (Ubuntu Quantal)
 Assignee: (unassigned) => Serge Hallyn (serge-hallyn)

** Tags added: needssru



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-07 Thread Launchpad Bug Tracker
This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu5

---
lxc (0.8.0~rc1-4ubuntu5) quantal; urgency=low

  * 0082-umount-old-proc: fix proc auto-mount.  If /proc is already mounted,
    make sure that /proc/self points to 1, since we are container init.
    Otherwise, assume proc is an old one, and umount it and remount our own.
    If we keep the old proc mounted, apparmor transitions will be tried for
    wrong task and fail.  Also move check for whether apparmor is enabled so
    that it is called by lxc-execute.  (LP: #993706)
  * update 0074-lxc-execute-find-init to look for lxc-init in
    LXCINITDIR/lxc/lxc-init
  * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud
    needs it.  (LP: 995361)
  * debian/lxc.upstart: load apparmor profiles before auto-starting containers.
    (LP: #989853)
  * pop 06-bash.patch and 0075-lxc-ls-bash.  lxc-clone also has bashisms, just
    stick to using bash until upstream is also converted (so we are safe
    against patches).
 -- Serge Hallyn serge.hal...@ubuntu.com   Mon, 07 May 2012 21:22:26 +

** Changed in: lxc (Ubuntu Quantal)
   Status: Confirmed => Fix Released



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-07 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/lxc



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-07 Thread Serge Hallyn
** Description changed:

  lxc.conf currently does the container autostarts before it loads the
- apparmor profiles.  That is wrong.
+ apparmor profiles.  That is wrong.  Those must be reversed.
  
- Perhaps the container autostart should be done from start and not pre-
- start?  But at least those must be reversed.
+ ==
+ SRU Justification
+ 1. Impact: auto-start containers could be started without apparmor enforcement
+ 2. Development fix: start auto-start containers after apparmor policy loads
+ 3. Stable fix: same as development fix
+ 4. Test case:
+Delay /etc/init.d/apparmor (add a sleep 10 to its start section), and 
create an auto-start container.  Reboot the system.  Check 
/proc/pid/attr/current for the container init - if broken, it will be 
unconfined rather than lxc-container-default
+ 5. Regression potential: none.
+ ==
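Review bot: item 5 asserts "Regression potential: none" with no reasoning, although item 2 changes when auto-start containers start relative to the apparmor policy load; state what happens to autostart if that load is slow or fails. In item 4, "pid" in /proc/pid/attr/current is left as a placeholder and only the failing result (unconfined) is spelled out as an outcome; say how the container init's PID is found and that the passing result is lxc-container-default, so a verifier can repeat the check.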



[Bug 989853] Re: autostart containers must be started after apparmor profiles are loaded

2012-05-07 Thread Serge Hallyn
** Description changed:

  lxc.conf currently does the container autostarts before it loads the
  apparmor profiles.  That is wrong.  Those must be reversed.
  
  ==
  SRU Justification
  1. Impact: auto-start containers could be started without apparmor enforcement
  2. Development fix: start auto-start containers after apparmor policy loads
  3. Stable fix: same as development fix
  4. Test case:
-Delay /etc/init.d/apparmor (add a sleep 10 to its start section), and 
create an auto-start container.  Reboot the system.  Check 
/proc/pid/attr/current for the container init - if broken, it will be 
unconfined rather than lxc-container-default
+    unload apparmor profiles (sudo /etc/init.d/apparmor stop; sudo 
/etc/init.d/apparmor teardown;), and create an auto-start container.  stop and 
restart lxc (sudo stop lxc; sudo start lxc)  Check for the running container 
(sudo lxc-ls).  It will not be running without this fix.
  5. Regression potential: none.
  ==
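Review bot: the replacement test case in item 4 only checks that the container is running (sudo lxc-ls) and drops the earlier check of /proc/pid/attr/current, while item 1 describes the impact as containers started without apparmor enforcement. A running container does not show that it is confined, so keep the attr/current check as a second step after "sudo start lxc" and state that the expected value is lxc-container-default rather than unconfined.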
