Fix lxc-execute without rootfs failing apparmor transitions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lxc (Ubuntu) | Fix Released | Medium | Serge Hallyn | |
| Precise | Fix Released | Undecided | Unassigned | |
| Quantal | Fix Released | Medium | Serge Hallyn | |

Bug Description
=======
SRU Justification:
1. impact: lxc-execute fails when apparmor transition is requested (as it is by default)
2. development fix: make sure the container's own proc is mounted before attempting apparmor context transition
3. stable fix: same as development fix
4. test case:
lxc-execute -n foo /bin/bash
5. Regression potential: apparmor transitions could break for containers if this is done wrong. However, the lxc testsuite passed with these patches
=======
On a Precise system, LXC is no longer working:
# lxc-execute -n foo /bin/bash
lxc-execute: Permission denied - failed to change apparmor profile to lxc-container-
lxc-execute: invalid sequence number 1. expected 2
lxc-execute: failed to spawn 'foo'
#
At a minimum, I'm guessing lxc-execute needs a profile similar to lxc-start, but trying to run lxc-start failed with the same error.
AfC
tags: added: precise
Changed in lxc (Ubuntu): assignee: nobody → Serge Hallyn (serge-hallyn)
summary:
- Add a lxc-execute profile (apparmor preventing lxc-execute from running)
+ Fix lxc-execute without rootfs failing apparmor transitions
tags: added: needssru
description: updated
tags: removed: needssru
Thanks for reporting this bug. It is a duplicate of bug 981955. The workaround documented there is to do:
cat > test.conf << EOF
lxc.aa_profile = unconfined
lxc.rootfs = /
EOF
lxc-execute -n test -f test.conf -- /bin/echo hi
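
An added example, not part of the original bug report or of LXC itself: the workaround above sets `lxc.aa_profile = unconfined` and `lxc.rootfs = /`, so once the fixed package is installed it is worth checking container configs for settings left over from it. The function names are hypothetical, and treating the last assignment of a repeated key as the effective one is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Assumption: when a key is repeated, the last assignment is the one in effect.

# Print the effective value of key $1 in LXC config file $2 (empty if unset).
lxc_conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                    # ignore comment lines
        {
            eq = index($0, "=")                # split on the first "=" only
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)     # trim whitespace around key
            gsub(/^[ \t]+|[ \t]+$/, "", v)     # ... and around value
            if (k == key) val = v
        }
        END { print val }
    ' "$2"
}

# Report whether config file $1 still carries the workaround settings.
# Returns 0 if neither is present, 1 otherwise.
audit_lxc_conf() {
    rc=0
    if [ "$(lxc_conf_get lxc.aa_profile "$1")" = "unconfined" ]; then
        echo "$1: AppArmor confinement disabled (lxc.aa_profile = unconfined)"
        rc=1
    fi
    if [ "$(lxc_conf_get lxc.rootfs "$1")" = "/" ]; then
        echo "$1: container uses the host root filesystem (lxc.rootfs = /)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$1: ok"
    return "$rc"
}

# Constructed sample input: the workaround config quoted above.
demo_dir=$(mktemp -d)
printf 'lxc.aa_profile = unconfined\nlxc.rootfs = /\n' > "$demo_dir/test.conf"
audit_lxc_conf "$demo_dir/test.conf" || true
```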