| 2013-11-21 14:55:29 |
Sebastian Wendland |
bug |
|
|
added bug |
| 2013-11-21 14:55:29 |
Sebastian Wendland |
attachment added |
|
lxc-execute debug output https://bugs.launchpad.net/bugs/1253669/+attachment/3914176/+files/foo.txt |
|
| 2013-11-21 18:06:57 |
Serge Hallyn |
lxc (Ubuntu): status |
New |
Incomplete |
|
| 2013-11-22 13:47:46 |
Sebastian Wendland |
attachment added |
|
lxc configuration https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669/+attachment/3915022/+files/lxc_foo.txt |
|
| 2013-11-22 15:28:41 |
Sebastian Wendland |
attachment added |
|
debug.out https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669/+attachment/3915061/+files/debug.out |
|
| 2013-11-22 15:38:44 |
Sebastian Wendland |
attachment added |
|
foo https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669/+attachment/3915063/+files/foo |
|
| 2013-11-22 16:56:45 |
Sebastian Wendland |
attachment added |
|
lxc-execute debug output https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669/+attachment/3915084/+files/lxc_debug |
|
| 2013-11-22 21:42:14 |
Serge Hallyn |
lxc (Ubuntu): importance |
Undecided |
Medium |
|
| 2013-11-22 21:42:14 |
Serge Hallyn |
lxc (Ubuntu): status |
Incomplete |
Confirmed |
|
| 2013-11-22 21:54:25 |
Serge Hallyn |
lxc (Ubuntu): status |
Confirmed |
Fix Committed |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
nominated for series |
|
Ubuntu Precise |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
bug task added |
|
lxc (Ubuntu Precise) |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
nominated for series |
|
Ubuntu Quantal |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
bug task added |
|
lxc (Ubuntu Quantal) |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
nominated for series |
|
Ubuntu Saucy |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
bug task added |
|
lxc (Ubuntu Saucy) |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
nominated for series |
|
Ubuntu Raring |
|
| 2013-11-22 22:11:32 |
Serge Hallyn |
bug task added |
|
lxc (Ubuntu Raring) |
|
| 2013-11-22 22:11:44 |
Serge Hallyn |
nominated for series |
|
Ubuntu Lucid |
|
| 2013-11-22 22:19:56 |
Serge Hallyn |
description |
Using the 0.8.0~rc1 lxc release, it was possible to start an application container with the lxc.cap.drop=sys_admin option (# lxc-execute -n foo -s lxc.cap.drop=sys_admin -- /bin/bash). Since the new 1.0.0~alpha1 release, this is not possible anymore; the application immediately crashes upon being called by lxc-init, thus killing the container. When any other capability (or combination of capabilities) is dropped, the container still starts up however, only dropping cap_sys_admin results in an error.
I've attached the debug output of # lxc-execute -o foo -l DEBUG -n foo -s lxc.cap.drop=sys_admin -- /bin/bash for reference.
Release: 12.04.3 with HWE, Kernel 3.8.0-32-generic #47~precise1-Ubuntu SMP Wed Oct 2 16:19:35 UTC 2013 x86_64
LXC version: 1.0.0~alpha1-0ubuntu13~ubuntu12.04.1 |
========================================
SRU Justification
1. Impact: cannot lxc-execute a container without cap_sys_admin
2. Development fix: don't fail if lxc-init cannot mount /proc
3. Stable fix: same as development fix.
4. Test case:
5. Regression potential: none
========================================
Using the 0.8.0~rc1 lxc release, it was possible to start an application container with the lxc.cap.drop=sys_admin option (# lxc-execute -n foo -s lxc.cap.drop=sys_admin -- /bin/bash). Since the new 1.0.0~alpha1 release, this is not possible anymore; the application immediately crashes upon being called by lxc-init, thus killing the container. When any other capability (or combination of capabilities) is dropped, the container still starts up however, only dropping cap_sys_admin results in an error.
I've attached the debug output of # lxc-execute -o foo -l DEBUG -n foo -s lxc.cap.drop=sys_admin -- /bin/bash for reference.
Release: 12.04.3 with HWE, Kernel 3.8.0-32-generic #47~precise1-Ubuntu SMP Wed Oct 2 16:19:35 UTC 2013 x86_64
LXC version: 1.0.0~alpha1-0ubuntu13~ubuntu12.04.1 |
|
| 2013-11-22 22:25:11 |
Serge Hallyn |
description |
========================================
SRU Justification
1. Impact: cannot lxc-execute a container without cap_sys_admin
2. Development fix: don't fail if lxc-init cannot mount /proc
3. Stable fix: same as development fix.
4. Test case:
5. Regression potential: none
========================================
Using the 0.8.0~rc1 lxc release, it was possible to start an application container with the lxc.cap.drop=sys_admin option (# lxc-execute -n foo -s lxc.cap.drop=sys_admin -- /bin/bash). Since the new 1.0.0~alpha1 release, this is not possible anymore; the application immediately crashes upon being called by lxc-init, thus killing the container. When any other capability (or combination of capabilities) is dropped, the container still starts up however, only dropping cap_sys_admin results in an error.
I've attached the debug output of # lxc-execute -o foo -l DEBUG -n foo -s lxc.cap.drop=sys_admin -- /bin/bash for reference.
Release: 12.04.3 with HWE, Kernel 3.8.0-32-generic #47~precise1-Ubuntu SMP Wed Oct 2 16:19:35 UTC 2013 x86_64
LXC version: 1.0.0~alpha1-0ubuntu13~ubuntu12.04.1 |
========================================
SRU Justification
1. Impact: cannot lxc-execute a container without cap_sys_admin
2. Development fix: don't fail if lxc-init cannot mount /proc
3. Stable fix: same as development fix.
4. Test case:
sudo lxc-create -t ubuntu-cloud -n c1
sudo lxc-start -n c1
(log in)
sudo apt-get -y install --no-install-recommends lxc
sudo poweroff
sudo lxc-execcute -n c1 -s lxc.cap.drop=sys_admin /bin/bash
5. Regression potential: none
========================================
Using the 0.8.0~rc1 lxc release, it was possible to start an application container with the lxc.cap.drop=sys_admin option (# lxc-execute -n foo -s lxc.cap.drop=sys_admin -- /bin/bash). Since the new 1.0.0~alpha1 release, this is not possible anymore; the application immediately crashes upon being called by lxc-init, thus killing the container. When any other capability (or combination of capabilities) is dropped, the container still starts up however, only dropping cap_sys_admin results in an error.
I've attached the debug output of # lxc-execute -o foo -l DEBUG -n foo -s lxc.cap.drop=sys_admin -- /bin/bash for reference.
Release: 12.04.3 with HWE, Kernel 3.8.0-32-generic #47~precise1-Ubuntu SMP Wed Oct 2 16:19:35 UTC 2013 x86_64
LXC version: 1.0.0~alpha1-0ubuntu13~ubuntu12.04.1 |
|
| 2013-11-22 23:26:03 |
Launchpad Janitor |
lxc (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2013-11-30 00:47:24 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/trusty/lxc/trusty |
|
| 2014-12-05 05:06:39 |
Rolf Leggewie |
lxc (Ubuntu Quantal): status |
New |
Won't Fix |
|
| 2014-12-05 06:19:30 |
Rolf Leggewie |
lxc (Ubuntu Raring): status |
New |
Won't Fix |
|
| 2014-12-05 07:00:53 |
Rolf Leggewie |
lxc (Ubuntu Saucy): status |
New |
Won't Fix |
|
| 2015-11-09 23:41:15 |
Stéphane Graber |
lxc (Ubuntu Precise): status |
New |
Won't Fix |
|
