[apparmor] LXC + AppArmor vs. upcoming systemd v240
intrigeri
intrigeri at debian.org
Fri Oct 26 15:26:28 UTC 2018
Hi,
it's been brought to my attention [1] that the systemd master branch,
that should become v240 soonish, includes changes to its namespacing
behavior that may break a great number of services when run in a LXC
container with AppArmor enabled.
[1] https://bugs.debian.org/911806
This has been discussed and worked on quite a bit in systemd upstream
in the last few months but AFAICT the focus has been on making the
systemd test suite pass inside containers, e.g. by skipping specific
tests when the privileges systemd needs to set up its namespacing
are not available. Christian Brauner has been very helpful there.
My concern is that we may be missing another part of the problem, i.e.
if/how these changes will break real-world use cases outside of the
"run some CI jobs in LXC" context; skipping test cases won't help
there. I did not test this myself, but my understanding is that the
AppArmor policy we ship for LXC in Debian (the pristine 2.0.9 upstream
one) prevents systemd from setting up its namespacing inside a LXC
container, which used to be silently ignored but is now a fatal error.
If my hunch is correct, then this will break LXC containers that run
systemd v240+ in any distro that enables a similar AppArmor policy.
I don't use LXC myself, I know very little about Linux namespaces and
their interaction with AppArmor in a LXC context, so I'm not in
a position to do much about this. If the issue I'm wary of actually
exists and is not addressed in time for the Debian Buster freeze, the
best I will be able to do is to recommend the Debian LXC maintainers
to turn AppArmor confinement of containers off by default.
So here is a call for help to anyone who cares about running systemd
in LXC containers confined by AppArmor and has the skills to
investigate this further :) Thanks in advance!
For those who want to dive deeper, these should be good starting
points:
https://github.com/systemd/systemd/issues/10166
https://github.com/systemd/systemd/issues/9700
https://github.com/systemd/systemd/issues/10011
https://github.com/systemd/systemd/pull/10012
Cheers,
--
intrigeri