| 2013-09-27 20:34:34 |
Serge Hallyn |
description |
The lxc-start package reads its apparmor profile from /proc/$PID/attr/current but does not remove the trailing newline character. When trying to run an unconfined container, this causes comparisons with the "unconfined" string in the source code to fail, and the apparmor profile is set, even when there's no need to do so. This, in turn, makes it impossible to run containers with a read-only /proc filesystem.
Ubuntu release:
Description: Ubuntu 13.04
Release: 13.04
Package being used:
lxc:
Installed: 0.9.0-0ubuntu3.5
Candidate: 0.9.0-0ubuntu3.5
Version table:
*** 0.9.0-0ubuntu3.5 0
500 http://archive.ubuntu.com/ubuntu/ raring-proposed/universe amd64 Packages
100 /var/lib/dpkg/status
0.9.0-0ubuntu3.4 0
500 ftp://repos.mz.digirati.com.br/ubuntu/ raring-updates/universe amd64 Packages
0.9.0-0ubuntu3 0
500 ftp://repos.mz.digirati.com.br/ubuntu/ raring/universe amd64 Packages
What is expected to happen:
A container with a read-only /proc filesystem should start successfully.
What happened instead:
lxc-start fails with "Read-only file system - failed to change apparmor profile to unconfined" |
=========================================
SRU Justification:
1. Impact: cannot start containers with read-only proc
2. Development fix: remove \n from /proc/pid/attr/current contents.
3. Stable fix: cherrypick development fix.
4. Test case:
a. lxc-create -t ubuntu -n u1
b. sudo sed -i '/proc/s/nosuid/&,ro/' /var/lib/lxc/u1/fstab
c. echo "lxc.aa_profile = unconfined" | sudo tee -a /var/lib/lxc/u1/config
d. apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
e. sudo lxc-start -n u1
5. Regression potential: none, this only makes us ignore the \n at end of /proc/pid/attr/current file
=========================================
The lxc-start package reads its apparmor profile from /proc/$PID/attr/current but does not remove the trailing newline character. When trying to run an unconfined container, this causes comparisons with the "unconfined" string in the source code to fail, and the apparmor profile is set, even when there's no need to do so. This, in turn, makes it impossible to run containers with a read-only /proc filesystem.
Ubuntu release:
Description: Ubuntu 13.04
Release: 13.04
Package being used:
lxc:
Installed: 0.9.0-0ubuntu3.5
Candidate: 0.9.0-0ubuntu3.5
Version table:
*** 0.9.0-0ubuntu3.5 0
500 http://archive.ubuntu.com/ubuntu/ raring-proposed/universe amd64 Packages
100 /var/lib/dpkg/status
0.9.0-0ubuntu3.4 0
500 ftp://repos.mz.digirati.com.br/ubuntu/ raring-updates/universe amd64 Packages
0.9.0-0ubuntu3 0
500 ftp://repos.mz.digirati.com.br/ubuntu/ raring/universe amd64 Packages
What is expected to happen:
A container with a read-only /proc filesystem should start successfully.
What happened instead:
lxc-start fails with "Read-only file system - failed to change apparmor profile to unconfined" |
|
