Ubuntu containers fail to start on UEFI-enabled hosts

Bug #1117589 reported by Stéphane Graber
This bug affects 3 people
Affects        Status         Importance   Assigned to       Milestone
lxc (Ubuntu)   Fix Released   Undecided    Unassigned
Precise        Fix Released   Undecided    Stéphane Graber
Quantal        Fix Released   Undecided    Stéphane Graber

Bug Description

== Rationale ==
Ubuntu introduced the use of the efivars filesystem for UEFI hosts and it's been backported to current stable releases.
On machines running UEFI, mountall will attempt to mount the efivars filesystem, even in containers.

Unfortunately our apparmor profile prevents that and as a result the container completely fails to boot.
The problem was easily fixed in raring but we need to have this backported to precise and quantal.

== Test case ==
1) Find a system running Ubuntu on UEFI
2) lxc-create -t ubuntu -n p1
3) lxc-start -n p1
4) Just boot fine where it used to fail prior to the update.

== Regression potential ==
None that I can think of, the change only allows the extra filesystem in apparmor and prevents any actual access to it, so from a user perspective, they don't actually get access to anything new.
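
The failure described above (mountall's efivars mount refused by the container's AppArmor profile) can be confirmed from the host's kernel log. The following triage helper is an added example, not part of the original report or of the lxc package; the log lines are constructed samples, and the profile name `lxc-container-default`, the pids and the timestamps are assumptions.

```shell
#!/bin/sh
# Constructed kernel-log sample (not from the bug report). The profile name
# lxc-container-default and all pids/timestamps are assumptions.
sample_log() {
cat <<'EOF'
kernel: [  100.1] type=1400 audit(1360249201.001:21): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/firmware/efi/efivars/" pid=4242 comm="mount" fstype="efivarfs" srcname="none" flags="rw"
kernel: [  100.2] type=1400 audit(1360249201.002:22): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/mnt/" pid=4250 comm="mount" fstype="ext4" srcname="/dev/sda1" flags="rw"
kernel: [  100.3] type=1400 audit(1360249201.003:23): apparmor="STATUS" operation="profile_replace" name="lxc-container-default" pid=4300 comm="apparmor_parser"
EOF
}

# Read log text on stdin; print "<profile> <mountpoint>" for every AppArmor
# denial of an efivarfs mount. Other denials and status lines are ignored.
efivars_denials() {
    awk '/apparmor="DENIED"/ && /operation="mount"/ && /fstype="efivarfs"/ {
        profile = name = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^profile=/) profile = $i
            if ($i ~ /^name=/)    name = $i
        }
        gsub(/^[a-z]+="|"$/, "", profile)
        gsub(/^[a-z]+="|"$/, "", name)
        print profile, name
    }'
}

# triage LOGFILE [SYSFS_ROOT]: report whether LOGFILE shows this bug's
# signature. SYSFS_ROOT defaults to /sys; it is a parameter for testing.
triage() {
    sysfs=${2:-/sys}
    hits=$(efivars_denials < "$1")
    if [ -z "$hits" ]; then
        echo "no efivarfs mount denial found"
        return 1
    fi
    # /sys/firmware/efi only exists when the host was booted through UEFI.
    if [ -d "$sysfs/firmware/efi" ]; then host=uefi; else host=bios; fi
    echo "$hits" | while read -r profile target; do
        echo "host=$host profile=$profile denied efivarfs mount on $target"
    done
}

# Demo on the constructed sample.
sample_log | efivars_denials
```

On a real host, feed `triage` a saved copy of the kernel log or syslog; a hit on a UEFI host with an unpatched lxc package matches the boot failure this bug describes.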

Changed in lxc (Ubuntu):
status: New → Fix Released
Changed in lxc (Ubuntu Precise):
assignee: nobody → Stéphane Graber (stgraber)
status: New → In Progress
Changed in lxc (Ubuntu Quantal):
assignee: nobody → Stéphane Graber (stgraber)
status: New → In Progress
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Stéphane, or anyone else affected,

Accepted lxc into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.8.0~rc1-4ubuntu39.12.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in lxc (Ubuntu Precise):
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Hello Stéphane, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu67 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Stéphane Graber (stgraber) wrote :

Tested on both precise and quantal UEFI.

tags: added: verification-done
removed: verification-needed
Nicolas Thomas (thomnico) wrote :

Works for me ..

Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu67

---------------
lxc (0.7.5-3ubuntu67) precise-proposed; urgency=low

  * Don't directly write/remove /etc/dnsmasq.d/lxc as that's causing problems
    when removing and reinstalling lxc.
    Instead have dnsmasq ship /etc/dnsmasq.d-available/lxc and create/remove
    a symlink in /etc/dnsmasq.d/. (LP: #1113821)
  * Bump debhelper dependency and add Pre-Depends on newer dpkg for above fix.
  * Allow the container to mount efivars on /sys/firmware/efi/efivars.
    efivars is automatically mounted by mountall on UEFI systems, failure to
    do so leads to a complete boot failure. (LP: #1117589)
  * 0221-make-nonflush-upgrades-robust: be more robust about out of date
    container caches. (LP: #942862)
  * 0207-ubuntu-cloud-fixes.patch: cleanups to lxc-ubuntu-cloud.in
    fix for quantal images that do not have user 'ubuntu' present
    (LP: #1045955)
  * 0301-debian-copy-config: Pass all the arguments to copy_configuration.
    (LP: #1111613)
 -- Stephane Graber <email address hidden> Thu, 07 Feb 2013 13:08:07 -0500

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu39.12.10.2

---------------
lxc (0.8.0~rc1-4ubuntu39.12.10.2) quantal-proposed; urgency=low

  * Don't directly write/remove /etc/dnsmasq.d/lxc as that's causing problems
    when removing and reinstalling lxc.
    Instead have dnsmasq ship /etc/dnsmasq.d-available/lxc and create/remove
    a symlink in /etc/dnsmasq.d/. (LP: #1113821)
  * Allow the container to mount efivars on /sys/firmware/efi/efivars.
    efivars is automatically mounted by mountall on UEFI systems, failure to
    do so leads to a complete boot failure. (LP: #1117589)
 -- Stephane Graber <email address hidden> Thu, 07 Feb 2013 14:26:22 -0500

Changed in lxc (Ubuntu Quantal):
status: Fix Committed → Fix Released
Epi Vou (pimenas) wrote :

The exact same problem also affects raring. Should I open a new bug?

Serge Hallyn (serge-hallyn) wrote :

The fix is in raring, so the precise cause for your bug is likely different (even if related).

Please file a new bug (preferably using 'ubuntu-bug lxc') and append both any relevant syslog output and the file 'debug.log' after doing 'lxc-start -n <container> -l info -o debug.log'.
