Allow fstype=fuse.*, for all containers
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lxc (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Wishlist | Stéphane Graber | |
| Quantal | Fix Released | Undecided | Unassigned | |

Bug Description
It's been reported that quite a few juju charms require mounting fuse filesystems.
lxc-ubuntu's default template already allows access to /dev/fuse but the apparmor profile doesn't currently allow mounting these filesystems.
After discussing it with Serge, we don't think there's any additional risk to allowing fuse filesystem mounts in the container; any concern with fuse should be resolved by blocking /dev/fuse in the container's config instead of preventing mounts in apparmor.
[rationale]
Quite a few juju charms rely on fuse to mount some filesystems (sshfs, glusterfs, ...). These are currently blocked by apparmor even though /dev/fuse itself is allowed by default.
[test case]
1) lxc-create -t ubuntu -n p1
2) lxc-start -n p1
2a) apt-get install sshfs
2b) sshfs <host> <path>
2b) should succeed (would be permission denied in the past)
[regression potential]
The change is limited to allowing fstype=fuse.* in apparmor. The profile has already been tested on precise and quantal, so we know the apparmor parser will compile the profile just fine. The worst case I can see happening is some fuse filesystems not being allowed by this expression, but it'd be no worse than what we have today (none of them being allowed).
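
The two control points discussed in the description (the container config's device-cgroup entries for /dev/fuse and the AppArmor mount rule) can be audited together. The following is an added example, not code from this bug report or from the lxc package: the rule text `mount fstype=fuse.*,` is assumed from the bug title, the sample configs are constructed, and the device-cgroup model is simplified.

```python
import re

DEV_RE = re.compile(r"^[ \t]*lxc\.cgroup\.devices\.(allow|deny)[ \t]*=[ \t]*(\S.*)$", re.M)

def fuse_device_access(lxc_config):
    """Replay lxc.cgroup.devices.allow/deny in file order and return the access
    letters left for /dev/fuse. Simplified: each entry is applied to /dev/fuse
    alone; a narrow deny after a wider wildcard allow may differ per kernel."""
    access = set("rwm")  # nothing configured: assume all devices are permitted
    for verb, value in DEV_RE.findall(lxc_config):
        fields = value.split()
        if fields[0] != "a":  # "a" covers every device
            if len(fields) != 3 or fields[0] != "c":
                continue
            major, _, minor = fields[1].partition(":")
            if major not in ("*", "10") or minor not in ("*", "229"):
                continue  # /dev/fuse is character device 10:229
        letters = set("rwm") if fields[0] == "a" else set(fields[2])
        access = access | letters if verb == "allow" else access - letters
    return access

def fuse_mount_rule(profile):
    """Line-based heuristic, not the AppArmor parser (includes are not
    followed). Considers bare 'mount,' rules and rules naming a fuse fstype;
    a deny rule wins because AppArmor deny overrides allow."""
    verdict = "none"
    for line in profile.splitlines():
        m = re.match(r"(deny\s+)?(?:allow\s+)?mount\b(.*)", line.split("#")[0].strip())
        rest = m.group(2).strip() if m else ""
        if rest == "," or re.search(r"fstype\s*=\s*(?:\([^)]*\b)?fuse", rest):
            if m.group(1):
                return "deny"
            verdict = "allow"
    return verdict

def fuse_verdict(lxc_config, profile):
    if not {"r", "w"} <= fuse_device_access(lxc_config):  # opened read-write
        return "blocked by container config (/dev/fuse)"
    if fuse_mount_rule(profile) != "allow":
        return "blocked by AppArmor (no fuse mount rule)"
    return "fuse mounts possible"

# Constructed samples, not copied from the lxc package.
TEMPLATE_CFG = ("lxc.cgroup.devices.deny = a\n"
                "lxc.cgroup.devices.allow = c *:* m\n"
                "lxc.cgroup.devices.allow = c 10:229 rwm\n")
LOCKED_CFG = TEMPLATE_CFG + "lxc.cgroup.devices.deny = c 10:229 rwm\n"
OLD_PROFILE = "  mount fstype=proc,\n"
NEW_PROFILE = OLD_PROFILE + "  mount fstype=fuse.*,\n"
```

`fuse_verdict(TEMPLATE_CFG, OLD_PROFILE)` reproduces the state reported here (device allowed, mount refused), and `LOCKED_CFG` shows the per-container way to turn fuse off once the profile allows it.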
Changed in lxc (Ubuntu Quantal):
status: New → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Wishlist
assignee: nobody → Stéphane Graber (stgraber)
Hello Stéphane, or anyone else affected,
Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu60 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.
If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!