Allow fstype=fuse.*, for all containers

Bug #1021421 reported by Stéphane Graber
Affects         Status        Importance  Assigned to       Milestone
lxc (Ubuntu)    Fix Released  Undecided   Unassigned
  Precise       Fix Released  Wishlist    Stéphane Graber
  Quantal       Fix Released  Undecided   Unassigned

Bug Description

It's been reported that quite a few juju charms require mounting fuse filesystems.
lxc-ubuntu's default template already allows access to /dev/fuse but the apparmor profile doesn't currently allow mounting these filesystems.

After discussing it with Serge, we don't think there's any additional risk to allowing fuse filesystem mounts in the container, any concern with fuse should be resolved by blocking /dev/fuse in the container's config instead of preventing mounts in apparmor.

[rationale]
Quite a few juju charms rely on fuse to mount some filesystems (sshfs, glusterfs, ...). These are currently blocked by apparmor even though /dev/fuse itself is allowed by default.

[test case]
1) lxc-create -t ubuntu -n p1
2) lxc-start -n p1
 2a) apt-get install sshfs
 2b) sshfs <host> <path>

2b) should succeed (would be permission denied in the past)

[regression potential]
The change is limited to allowing fstype=fuse.* in apparmor. The profile has already been tested on precise and quantal, so we know the apparmor parser will compile the profile just fine. The worst case I can see happening is some fuse filesystems not being allowed by this expression, but it'd be no worse than what we have today (none of them being allowed).
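As an added example, not code from the bug report or from the lxc package: a small POSIX shell script that checks the two controls the report discusses, for the test case above and for the "block /dev/fuse in the container's config" alternative. It looks in a container's AppArmor profile for the "mount fstype=fuse.*," rule named in the changelog, walks the lxc.cgroup.devices.allow/deny lines of the container config in order to see whether /dev/fuse (char 10:229) is still whitelisted, and gives a verdict for a requested fstype. The profile fragments, config lines, file names and the check_fuse_mount/config_allows_dev_fuse/profile_allows_fuse_mount helpers are all constructed for the example; the device-cgroup walk is simplified (it does not compare the rwm access bits) and the profile check only recognises the rule in the exact form the changelog names.

```shell
#!/bin/sh
# Added example (not part of the bug report or the lxc package): a static check
# of the two things this bug is about. Given a container's AppArmor profile and
# its lxc config, decide whether a FUSE mount of a given fstype would be let
# through by (1) the device cgroup whitelist for /dev/fuse (char 10:229) and
# (2) a "mount fstype=fuse.*," rule in the profile. File paths and contents
# below are constructed for the example; they are not copied from lxc.

# AppArmor's "fuse.*" glob, like the shell's, needs the literal "fuse." prefix,
# so the subtype-qualified names sshfs and glusterfs register (fuse.sshfs,
# fuse.glusterfs) match while a bare "fuse" or "fusectl" does not.
fstype_matches_rule() {
    case "$1" in
        fuse.*) return 0 ;;
        *)      return 1 ;;
    esac
}

# True if the profile carries the rule the changelog added, in that exact form.
profile_allows_fuse_mount() {
    grep -Eq '^[[:space:]]*mount[[:space:]]+fstype=fuse\.\*,' "$1"
}

# Walk lxc.cgroup.devices.allow/deny lines in file order, the way the device
# cgroup applies them: a later deny overrides an earlier allow.
# Assumption/simplification: "a" or any "c 10:229", "c 10:*" or "c *:*" entry
# is treated as covering /dev/fuse, and the rwm access bits are not compared.
config_allows_dev_fuse() {
    allowed=1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop trailing comment
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | tr -s '[:space:]' ' ')
        val=${val# }; val=${val% }
        hit=1
        case "$val" in
            a|"c 10:229"|"c 10:229 "*|"c 10:*"|"c 10:* "*|"c *:*"|"c *:* "*) hit=0 ;;
        esac
        [ "$hit" -eq 0 ] || continue
        case "$key" in
            lxc.cgroup.devices.allow) allowed=0 ;;
            lxc.cgroup.devices.deny)  allowed=1 ;;
        esac
    done < "$1"
    return "$allowed"
}

# Verdict for one mount attempt: <config file> <profile file> <fstype>.
# The device whitelist is checked first because sshfs must open /dev/fuse
# before it ever gets to the mount(2) call the AppArmor rule governs.
check_fuse_mount() {
    if ! config_allows_dev_fuse "$1"; then
        echo "denied: /dev/fuse not in the container's device whitelist"
    elif ! profile_allows_fuse_mount "$2"; then
        echo "denied: apparmor profile has no mount fstype=fuse.* rule"
    elif ! fstype_matches_rule "$3"; then
        echo "denied: fstype $3 does not match fuse.*"
    else
        echo "allowed"
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed profile fragments: before and after the change in this bug.
cat > "$WORK/profile.old" <<'EOF'
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
EOF
cat > "$WORK/profile.new" <<'EOF'
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  mount fstype=fuse.*,
EOF

# Constructed configs: a template-style default that whitelists /dev/fuse, and
# the same config with /dev/fuse denied afterwards, which is the per-container
# knob the report says to use when fuse itself is the concern.
cat > "$WORK/config.default" <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm    # /dev/null
lxc.cgroup.devices.allow = c 10:229 rwm # /dev/fuse
EOF
{ cat "$WORK/config.default"; echo 'lxc.cgroup.devices.deny = c 10:229 rwm'; } > "$WORK/config.nofuse"

for cfg in default nofuse; do
    for prof in old new; do
        printf 'config.%-8s profile.%-4s fuse.sshfs: %s\n' "$cfg" "$prof" \
            "$(check_fuse_mount "$WORK/config.$cfg" "$WORK/profile.$prof" fuse.sshfs)"
    done
done
```

Running it prints a verdict for each of the four config/profile combinations; the "nofuse" config is the opt-out the report recommends over an AppArmor deny, and it blocks the mount regardless of which profile is loaded. The fstype check also makes the reporter's caveat concrete: sshfs and glusterfs mounts carry their subtype in the fstype (fuse.sshfs, fuse.glusterfs) and so match, while a bare fstype of "fuse" does not match the "fuse.*" glob.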

Changed in lxc (Ubuntu Quantal):
status: New → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Wishlist
assignee: nobody → Stéphane Graber (stgraber)
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Stéphane, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu60 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Fix verified.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu60

---------------
lxc (0.7.5-3ubuntu60) precise-proposed; urgency=low

  * Update lxc-ubuntu template to use "dpkg --add-architecture" in containers
    running dpkg >= 1.16.2. (LP: #1017862)
  * Patch lxc-clone to stop messing with dhclient.conf when it contains a
    placeholder (<hostname> or gethostname()). Fixes cases where dpkg will
    prompt for modified config file on upgrade. (LP: #1021416)
  * Allow write access to /proc/sys/kernel/shm* as these are namespaced (IPC).
    (LP: #1021411)
  * Allow fstype=fuse.*, for all containers. (LP: #1021421)
  * Rebase lxc-list on quantal's, properly shows FROZEN containers and prints
    error messages on stderr. (LP: #1021429)
  * Only run dh_apparmor against the lxc package. (LP: #1021428)
  * Depend on adduser as it's being used in postinst.
  * Fix lintian-overrides syntax.
 -- Stephane Graber <email address hidden> Thu, 05 Jul 2012 12:18:47 -0400

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released