autostart containers must be started after apparmor profiles are loaded

Bug #989853 reported by Serge Hallyn
Affects         Status        Importance  Assigned to   Milestone
lxc (Ubuntu)    Fix Released  High        Serge Hallyn
  Precise       Fix Released  Undecided   Unassigned
  Quantal       Fix Released  High        Serge Hallyn

Bug Description

lxc.conf currently does the container autostarts before it loads the apparmor profiles. That is wrong. Those must be reversed.

==========================
SRU Justification
1. Impact: auto-start containers could be started without apparmor enforcement
2. Development fix: start auto-start containers after apparmor policy loads
3. Stable fix: same as development fix
4. Test case:
   Unload the apparmor profiles (sudo /etc/init.d/apparmor stop; sudo /etc/init.d/apparmor teardown), and create an auto-start container. Stop and restart lxc (sudo stop lxc; sudo start lxc). Check for the running container (sudo lxc-ls). It will not be running without this fix.
5. Regression potential: none.
==========================
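The ordering the fix enforces, as an added POSIX shell example (not the package's own lxc.upstart job): auto-start containers are only started once the AppArmor profile is listed as loaded, and nothing is started unconfined. The profile name lxc-container-default, the /etc/lxc/auto/*.conf auto-start convention and the variable names are assumptions.

```shell
#!/bin/sh
# Added example modelling the corrected start order from LP: #989853.
# Paths, profile name and LXC_START_CMD are assumptions; override them
# via environment variables for a dry run.

# Kernel list of loaded AppArmor profiles, one "name (mode)" per line.
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"
# Profile lxc-start confines containers under (assumed name).
LXC_PROFILE="${LXC_PROFILE:-lxc-container-default}"
# Directory whose *.conf entries mark auto-start containers (assumed).
LXC_AUTO_DIR="${LXC_AUTO_DIR:-/etc/lxc/auto}"

# Returns 0 when $LXC_PROFILE is loaded (in enforce or complain mode).
apparmor_profile_loaded() {
    [ -r "$AA_PROFILES" ] || return 1
    grep -q "^$LXC_PROFILE (" "$AA_PROFILES"
}

# Prints one auto-start container name per line (basename of each .conf).
list_autostart_containers() {
    for conf in "$LXC_AUTO_DIR"/*.conf; do
        [ -e "$conf" ] || continue
        basename "$conf" .conf
    done
}

# The ordering the fix enforces: refuse to start containers until AppArmor
# policy is loaded, so no container ever runs without confinement.
# LXC_START_CMD (assumed) defaults to lxc-start; set it to "echo" to dry-run.
start_autostart_containers() {
    if ! apparmor_profile_loaded; then
        echo "refusing to auto-start: $LXC_PROFILE not loaded" >&2
        return 1
    fi
    list_autostart_containers | while read -r name; do
        ${LXC_START_CMD:-lxc-start} -n "$name" -d
    done
}
```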

Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in lxc (Ubuntu Quantal):
assignee: nobody → Serge Hallyn (serge-hallyn)
tags: added: needssru
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu5

---------------
lxc (0.8.0~rc1-4ubuntu5) quantal; urgency=low

  * 0082-umount-old-proc: fix proc auto-mount. If /proc is already mounted,
    make sure that /proc/self points to 1, since we are container init.
    Otherwise, assume proc is an old one, and umount it and remount our own.
    If we keep the old proc mounted, apparmor transitions will be tried for
    wrong task and fail. Also move check for whether apparmor is enabled so
    that it is called by lxc-execute. (LP: #993706)
  * update 0074-lxc-execute-find-init to look for lxc-init in
    LXCINITDIR/lxc/lxc-init
  * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud
    needs it. (LP: #995361)
  * debian/lxc.upstart: load apparmor profiles before auto-starting containers.
    (LP: #989853)
  * pop 06-bash.patch and 0075-lxc-ls-bash. lxc-clone also has bashisms, just
    stick to using bash until upstream is also converted (so we are safe
    against patches).
 -- Serge Hallyn <email address hidden> Mon, 07 May 2012 21:22:26 +0000

Changed in lxc (Ubuntu Quantal):
status: Confirmed → Fix Released
description: updated
description: updated
Martin Pitt (pitti) wrote : Please test proposed package

Hello Serge, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Fix confirmed here, stop/start of lxc after the update loads the needed apparmor profile and starts the container as expected.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu56

---------------
lxc (0.7.5-3ubuntu56) precise-proposed; urgency=low

  * Fix Ubuntu template to install the host architecture of the required
    multi-arch packages (when using qemu-user-static) instead of hardcoded
    "amd64" version. (LP: #999187)

lxc (0.7.5-3ubuntu55) precise-proposed; urgency=low

  * 0082-umount-old-proc: fix proc auto-mount. If /proc is already mounted,
    make sure that /proc/self points to 1, since we are container init.
    Otherwise, assume proc is an old one, and umount it and remount our own.
    If we keep the old proc mounted, apparmor transitions will be tried for
    wrong task and fail. Also move check for whether apparmor is enabled so
    that it is called by lxc-execute. (LP: #993706)
  * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud
    needs it. (LP: #995361)
  * debian/lxc.upstart: load apparmor profiles before auto-starting containers.
    (LP: #989853)
  * debian/control: add apparmor to lxc Depends (LP: #997681)
  * debian/local/lxc-start-ephemeral: quote $line so its contents don't get
    expanded (LP: #997687)
 -- Stephane Graber <email address hidden> Tue, 15 May 2012 12:00:18 -0400

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released
tags: removed: needssru