Error parsing lxc-start apparmor profile

Bug #1227313 reported by Andre Nathan
This bug affects 2 people
Affects              Status        Importance  Assigned to  Milestone
lxc (Ubuntu)         Fix Released  Medium      Unassigned
  Raring             Fix Released  Medium      Unassigned

Bug Description

=========================================
SRU Justification:
1. Impact: cannot start containers with read-only proc
2. Development fix: remove \n from /proc/pid/attr/current contents.
3. Stable fix: cherrypick development fix.
4. Test case:
     a. lxc-create -t ubuntu -n u1
     b. sudo sed -i '/proc/s/nosuid/&,ro/' /var/lib/lxc/u1/fstab
     c. echo "lxc.aa_profile = unconfined" | sudo tee -a /var/lib/lxc/u1/config
     d. apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
     e. sudo lxc-start -n u1
5. Regression potential: none, this only makes us ignore the \n at end of /proc/pid/attr/current file
=========================================

The lxc-start package reads its apparmor profile from /proc/$PID/attr/current but does not remove the trailing newline character. When trying to run an unconfined container, this causes comparisons with the "unconfined" string in the source code to fail, and the apparmor profile is set, even when there's no need to do so. This, in turn, makes it impossible to run containers with a read-only /proc filesystem.

Ubuntu release:
Description: Ubuntu 13.04
Release: 13.04

Package being used:
lxc:
  Installed: 0.9.0-0ubuntu3.5
  Candidate: 0.9.0-0ubuntu3.5
  Version table:
 *** 0.9.0-0ubuntu3.5 0
        500 http://archive.ubuntu.com/ubuntu/ raring-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     0.9.0-0ubuntu3.4 0
        500 ftp://repos.mz.digirati.com.br/ubuntu/ raring-updates/universe amd64 Packages
     0.9.0-0ubuntu3 0
        500 ftp://repos.mz.digirati.com.br/ubuntu/ raring/universe amd64 Packages

What is expected to happen:
A container with a read-only /proc filesystem should start successfully.

What happened instead:
lxc-start fails with "Read-only file system - failed to change apparmor profile to unconfined"

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Changed in lxc (Ubuntu):
importance: Undecided → Medium
Serge Hallyn (serge-hallyn) wrote :

Note the medium priority is because this is an uncommon use case. There is no way around this though if you do need to do this, so perhaps it should be high priority.

description: updated
Changed in lxc (Ubuntu Raring):
status: New → In Progress
importance: Undecided → Medium
Changed in lxc (Ubuntu):
status: Confirmed → Fix Committed
Serge Hallyn (serge-hallyn) wrote :

(Fix pushed to saucy and to raring-proposed)

Serge Hallyn (serge-hallyn) wrote :

Ah, actually pushing the fix for this bug to raring-proposed is hung on verification of bug 1215391.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.0~alpha1-0ubuntu5

---------------
lxc (1.0.0~alpha1-0ubuntu5) saucy; urgency=low

  * Cherrypicking bugfix from upstream (LP: #1227313)
    - 0001-apparmor.c-drop-newline-when-reading-current-profile.patch
 -- Serge Hallyn <email address hidden> Fri, 27 Sep 2013 15:14:24 -0500

Changed in lxc (Ubuntu):
status: Fix Committed → Fix Released
Andre Nathan (andre-digirati) wrote :

1215391 is fixed now. This can now be pushed to raring-proposed, right?

Serge Hallyn (serge-hallyn) wrote :

Yes, I just pushed the package. It'll build as soon as the SRU team accepts the upload.

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Andre, or anyone else affected,

Accepted lxc into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.9.0-0ubuntu3.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Raring):
status: In Progress → Fix Committed
tags: added: verification-needed
Andre Nathan (andre-digirati) wrote :

This package (0.9.0-0ubuntu3.6) fixes the bug for me.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.9.0-0ubuntu3.6

---------------
lxc (0.9.0-0ubuntu3.6) raring-proposed; urgency=low

  * Cherrypicking bugfix from upstream (LP: #1227313)
    - 0016-apparmor.c-drop-newline-when-reading-current-profile.patch
 -- Serge Hallyn <email address hidden> Fri, 04 Oct 2013 09:08:38 -0500

Changed in lxc (Ubuntu Raring):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
