[Bug 1227313] Re: Error parsing lxc-start apparmor profile

Serge Hallyn 1227313 at bugs.launchpad.net
Fri Sep 27 20:35:45 UTC 2013


Note the medium priority is because this is an uncommon use case.  There
is no way around this though if you do need to do this, so perhaps it
should be high priority.

** Description changed:

+ =========================================
+ SRU Justification:
+ 1. Impact: cannot start containers with read-only proc
+ 2. Development fix: remove \n from /proc/pid/attr/current contents.
+ 3. Stable fix: cherrypick development fix.
+ 4. Test case:
+      a. lxc-create -t ubuntu -n u1
+      b. sudo sed -i '/proc/s/nosuid/&,ro/' /var/lib/lxc/u1/fstab
+      c. echo "lxc.aa_profile = unconfined" | sudo tee -a /var/lib/lxc/u1/config
+      d. apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
+      e. sudo lxc-start -n u1
+ 5. Regression potential: none, this only makes us ignore the \n at end of /proc/pid/attr/current file
+ =========================================
+ 
  The lxc-start package reads its apparmor profile from
  /proc/$PID/attr/current but does not remove the trailing newline
  character. When trying to run an unconfined container, this causes
  comparisons with the "unconfined" string in the source code to fail, and
  the apparmor profile is set, even when there's no need to do so. This,
  in turn, makes it impossible to run containers with a read-only /proc
  filesystem.
  
  Ubuntu release:
  Description:	Ubuntu 13.04
  Release:	13.04
  
  Package being used:
  lxc:
-   Installed: 0.9.0-0ubuntu3.5
-   Candidate: 0.9.0-0ubuntu3.5
-   Version table:
-  *** 0.9.0-0ubuntu3.5 0
-         500 http://archive.ubuntu.com/ubuntu/ raring-proposed/universe amd64 Packages
-         100 /var/lib/dpkg/status
-      0.9.0-0ubuntu3.4 0
-         500 ftp://repos.mz.digirati.com.br/ubuntu/ raring-updates/universe amd64 Packages
-      0.9.0-0ubuntu3 0
-         500 ftp://repos.mz.digirati.com.br/ubuntu/ raring/universe amd64 Packages
+   Installed: 0.9.0-0ubuntu3.5
+   Candidate: 0.9.0-0ubuntu3.5
+   Version table:
+  *** 0.9.0-0ubuntu3.5 0
+         500 http://archive.ubuntu.com/ubuntu/ raring-proposed/universe amd64 Packages
+         100 /var/lib/dpkg/status
+      0.9.0-0ubuntu3.4 0
+         500 ftp://repos.mz.digirati.com.br/ubuntu/ raring-updates/universe amd64 Packages
+      0.9.0-0ubuntu3 0
+         500 ftp://repos.mz.digirati.com.br/ubuntu/ raring/universe amd64 Packages
  
  What is expected to happen:
  A container with a read-only /proc filesystem should start successfully.
  
  What happened instead:
  lxc-start fails with "Read-only file system - failed to change apparmor profile to unconfined"

** Changed in: lxc (Ubuntu Raring)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Raring)
   Importance: Undecided => Medium

** Changed in: lxc (Ubuntu)
       Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1227313

Title:
  Error parsing lxc-start apparmor profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1227313/+subscriptions
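The defect described in the report, as an added C example that is not part of lxc or of this bug: the constructed sample buffers stand in for what a read of /proc/$PID/attr/current returns, and the function names are assumptions, not lxc's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples of /proc/$PID/attr/current contents: the kernel
 * terminates the label with a newline, which is what the bug tripped on. */
static const char SAMPLE_UNCONFINED[] = "unconfined\n";
static const char SAMPLE_CONFINED[]   = "lxc-container-default (enforce)\n";

/* Before the fix: comparing the raw buffer, newline included, never matches. */
int is_unconfined_buggy(const char *raw)
{
    return strcmp(raw, "unconfined") == 0;
}

/* The fix: copy the label into out[], dropping the trailing newline and
 * anything after it, before comparing. Returns the trimmed length. */
size_t trim_attr_label(const char *raw, char *out, size_t outlen)
{
    size_t n = strcspn(raw, "\n");   /* length of the label up to '\n' */
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, raw, n);
    out[n] = '\0';
    return n;
}

int is_unconfined_fixed(const char *raw)
{
    char label[256];
    trim_attr_label(raw, label, sizeof label);
    return strcmp(label, "unconfined") == 0;
}

/* lxc-start only needs to write /proc/self/attr/current when the running
 * label differs from the wanted one; with the trimmed comparison an already
 * unconfined task skips the write, so a read-only /proc no longer fails it. */
int needs_profile_write(const char *raw, const char *wanted)
{
    char label[256];
    trim_attr_label(raw, label, sizeof label);
    return strcmp(label, wanted) != 0;
}

int main(void)
{
    printf("buggy match: %d\n", is_unconfined_buggy(SAMPLE_UNCONFINED)); /* 0 */
    printf("fixed match: %d\n", is_unconfined_fixed(SAMPLE_UNCONFINED)); /* 1 */
    printf("write needed: %d\n", needs_profile_write(SAMPLE_UNCONFINED, "unconfined")); /* 0 */
    return 0;
}
```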
