Comment 0 for bug 1227313

Andre Nathan (andre-digirati) wrote :

The lxc-start package reads its apparmor profile from /proc/$PID/attr/current but does not remove the trailing newline character. When trying to run an unconfined container, this causes comparisons with the "unconfined" string in the source code to fail, and the apparmor profile is set, even when there's no need to do so. This, in turn, makes it impossible to run containers with a read-only /proc filesystem.

Ubuntu release:
Description: Ubuntu 13.04
Release: 13.04

Package being used:
lxc:
  Installed: 0.9.0-0ubuntu3.5
  Candidate: 0.9.0-0ubuntu3.5
  Version table:
 *** 0.9.0-0ubuntu3.5 0
        500 http://archive.ubuntu.com/ubuntu/ raring-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.9.0-0ubuntu3.4 0
        500 ftp://repos.mz.digirati.com.br/ubuntu/ raring-updates/universe amd64 Packages
     0.9.0-0ubuntu3 0
        500 ftp://repos.mz.digirati.com.br/ubuntu/ raring/universe amd64 Packages

What is expected to happen:
A container with a read-only /proc filesystem should start successfully.

What happened instead:
lxc-start fails with "Read-only file system - failed to change apparmor profile to unconfined"
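The comparison failure described above, as an added example in C (not lxc's own code): the label read from /proc/$PID/attr/current ends in a newline, so a plain strcmp against "unconfined" fails; stripping the newline first gives the expected result. The sample labels are constructed and the helper names (strip_label, read_label_file) are assumed.

```c
/* Added example, not lxc's code: why the AppArmor label read from
 * /proc/$PID/attr/current must lose its trailing '\n' before comparison. */
#include <stdio.h>
#include <string.h>

/* Naive comparison: fails because the kernel appends '\n' to the label. */
int is_unconfined_naive(const char *label)
{
    return strcmp(label, "unconfined") == 0;
}

/* Copy raw into buf, dropping one trailing newline; returns stripped length. */
size_t strip_label(const char *raw, char *buf, size_t bufsize)
{
    size_t n = strlen(raw);
    if (n > 0 && raw[n - 1] == '\n')
        n--;
    if (n >= bufsize)
        n = bufsize - 1;
    memcpy(buf, raw, n);
    buf[n] = '\0';
    return n;
}

/* Fixed comparison: strip first, then compare. */
int is_unconfined_fixed(const char *raw)
{
    char buf[128];
    strip_label(raw, buf, sizeof buf);
    return strcmp(buf, "unconfined") == 0;
}

/* True when a profile write to /proc/self/attr/current would be attempted,
 * which is exactly what fails on a read-only /proc. */
int needs_profile_change(const char *raw_label)
{
    return !is_unconfined_fixed(raw_label);
}

/* Read a label file (e.g. /proc/self/attr/current) into buf, stripped.
 * Returns 0 on success, -1 if the file cannot be read. */
int read_label_file(const char *path, char *buf, size_t bufsize)
{
    char raw[128];
    FILE *f = fopen(path, "r");
    if (!f || !fgets(raw, sizeof raw, f)) {
        if (f) fclose(f);
        return -1;
    }
    fclose(f);
    strip_label(raw, buf, bufsize);
    return 0;
}
```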