On Monday, 22 April 2019 at 21:40:31+0200, Pierre-Elliott Bécue wrote:
> Subject: unblock: lxc/1:3.1.0+really3.0.3-8
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: normal
> X-Debbugs-Cc: pkg-lxc-devel@lists.alioth.debian.org
>
> Dear release team,
>
> Please unblock package lxc 1:3.1.0+really3.0.3-8 from unstable to
> testing.
>
> This release fixes the important bug 925899[0] and introduces a little
> more documentation regarding unprivileged containers, which behave differently
> from the privileged ones.
>
> As the changes made in the -7 release were not actually appropriate (I set a
> dependency on apparmor, which is quite strong), I had to do another
> release to revert some of these. The whole diff is attached and remains
> quite decent.
>
> Thanks a lot for considering. :)
>
> unblock lxc/1:3.1.0+really3.0.3-8
>
> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925899
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled

*grmbl* forgotten attachment *grmbl*

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
diff -Nru lxc-3.1.0+really3.0.3/debian/changelog lxc-3.1.0+really3.0.3/debian/changelog --- lxc-3.1.0+really3.0.3/debian/changelog 2019-03-09 15:49:21.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/changelog 2019-04-14 15:46:47.000000000 +0200 @@ -1,3 +1,24 @@ +lxc (1:3.1.0+really3.0.3-8) unstable; urgency=medium + + * d/control: + - bin:lxc sets AppArmor as a Recommend instead of a Dependency + * d/README.Debian: + - Update the documentation to explain how to manage containers not + starting if AppArmor is missing. + + -- Pierre-Elliott Bécue <peb@debian.org> Sun, 14 Apr 2019 15:46:47 +0200 + +lxc (1:3.1.0+really3.0.3-7) unstable; urgency=medium + + * d/ccontrol: + - Add a dependency to AppArmor for lxc package as the default.conf file + includes an AppArmor profile. + * d/{NEWS,README.Debian}: + - Add appropriate documentation for unprivileged containers + (Closes: #925899) + + -- Pierre-Elliott Bécue <peb@debian.org> Tue, 09 Apr 2019 02:03:05 +0200 + lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium * d/patches/0005: Tweaks the 0004 patch for CVE-2019-5736 (Closes: #923932) diff -Nru lxc-3.1.0+really3.0.3/debian/control lxc-3.1.0+really3.0.3/debian/control --- lxc-3.1.0+really3.0.3/debian/control 2019-01-10 23:26:17.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/control 2019-04-14 15:27:01.000000000 +0200 @@ -33,7 +33,8 @@ ${misc:Depends}, ${shlibs:Depends}, lsb-base (>= 3.0-6) -Recommends: bridge-utils, +Recommends: apparmor, + bridge-utils, debootstrap, dirmngr, dnsmasq-base, 
@@ -46,7 +47,7 @@ openssl, rsync, uidmap -Suggests: apparmor, btrfs-progs, lvm2, python3-lxc +Suggests: btrfs-progs, lvm2, python3-lxc Description: Linux Containers userspace tools Containers are insulated areas inside a system, which have their own namespace for filesystem, network, PID, IPC, CPU and memory allocation and which can be diff -Nru lxc-3.1.0+really3.0.3/debian/NEWS lxc-3.1.0+really3.0.3/debian/NEWS --- lxc-3.1.0+really3.0.3/debian/NEWS 2019-03-09 15:49:19.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/NEWS 2019-04-09 02:02:51.000000000 +0200 @@ -6,7 +6,7 @@ lxc-update-config is available to update automatically your configuration files. An automatic update is possible and offered by debconf during the upgrade of lxc version < 3.0.2 to lxc version >= - 3.0.2. Mind that this update will only work for priviledged containers + 3.0.2. Mind that this update will only work for privileged containers with configurations present in /var/lib/lxc/*/config and any other container will not be updated. 2. AppArmor support in Debian has increased, thus preventing some systemd 
@@ -20,7 +20,13 @@ These parameters are provided in the `/etc/lxc/default.conf` file shipped with LXC 3. Hence, any newly created container will have these - parameters set properly, execpt if you alter the forementionned file. + parameters set properly, except if you alter the aforementioned file. + + WARNING: Note that with these parameters, unprivileged containers won't + be able to start. lxc.apparmor.profile must be set to either + 'unconfined' or to 'lxc-container-default-cgns'. This can be done either + in the unprivileged container configuration file or in the user's + .config/lxc/default.conf file. 3. lxc-templates is deprecated by upstream. The new way of building containers is via their distrobuilder software. This software isn't in Debian Buster, and thus, we still provide lxc-templates. If you relied diff -Nru lxc-3.1.0+really3.0.3/debian/README.Debian lxc-3.1.0+really3.0.3/debian/README.Debian --- lxc-3.1.0+really3.0.3/debian/README.Debian 2018-12-22 22:49:44.000000000 +0100 +++ lxc-3.1.0+really3.0.3/debian/README.Debian 2019-04-14 15:46:45.000000000 +0200 
@@ -12,4 +12,37 @@ lxc-attach -n <container> sed -i '/root/ s/:\*:/::/' /etc/shadow After either of these you will be again able to login via lxc-console. +Starting LXC containers +----------------------- + +Should you meet troubles to start a container, a first thing to do is to check +whether apparmor is installed (it is a Recommend of the package, hence it can +be absent if you disabled the installation of recommends). If not, you have +two options: + + 1. Install it + 2. Alter the lxc.apparmor.profile entry in `/etc/lxc/default.conf`, and in + your containers configurations. `lxc.apparmor.profile = unconfined` is the + appropriate option. Mind also to remove the `lxc.apparmor.allow_nesting` + entry. + +If AppArmor is present and you still have issues, follow the advice by setting +--logfile and --logpriority options and you'll get more intel on why your +containers won't start. + +Unprivileged containers +----------------------- + +To be able to start a user (unprivileged) container, one needs to change the +'/etc/sysctl.conf' file to append kernel.unprivileged_userns_clone=1 and run +`sysctl -p`. + +One would also need to also set an AppArmor profile adapted to these, either in +their `.config/lxc/default.conf` or in the newly created container's +configuration for it to start. + +Both 'lxc.apparmor.profile = lxc-container-default-cgns' and +'lxc.apparmor.profile = unconfined' are appropriate configurations for it to +start. + -- Evgeni Golov <evgeni@debian.org> Sat, 16 Jul 2016 11:49:16 +0200
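Review bot: the -7 changelog entry in the debian/changelog hunk reads "d/ccontrol:" where the -8 entry above it reads "d/control:"; the file is debian/control, so the doubled "c" is a typo worth fixing before upload since the changelog is the public record of the change.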
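Review bot: in the debian/NEWS and debian/README.Debian hunks, 'lxc.apparmor.profile = lxc-container-default-cgns' and 'lxc.apparmor.profile = unconfined' are presented as equally appropriate, but they are not equivalent from a security standpoint: 'unconfined' switches AppArmor confinement off for that container entirely, while 'lxc-container-default-cgns' keeps the container under the shipped profile. Suggest stating that lxc-container-default-cgns is the value to try first and that 'unconfined' is the fallback for systems without AppArmor (the README already uses it for exactly that case, which is consistent), so a user does not drop confinement just to get an unprivileged container to start.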
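Review bot: two small wording and path issues in the debian/README.Debian hunk. "their `.config/lxc/default.conf`" and the same path in the NEWS hunk should be written as `~/.config/lxc/default.conf` so it is unambiguous that the per-user file is meant (the system-wide `/etc/lxc/default.conf` is mentioned a few lines earlier and the two are easy to confuse). "you'll get more intel on why your containers won't start" would read better as "more information on why your containers won't start", and "Should you meet troubles to start a container" as "Should you have trouble starting a container".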
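Review bot: the debian/control hunk moves apparmor from Suggests to Recommends, which matches the changelog text ("Recommend instead of a Dependency") and is the sensible middle ground given that the shipped default.conf references an AppArmor profile. One consequence worth a line in the README.Debian hunk's "Starting LXC containers" section: the "Install it" option only helps if the AppArmor profiles are actually loaded at container start, so the check should be "apparmor is installed and enabled", not only "installed"; the LSM line of the reporter's own System Information ("LSM: AppArmor: enabled") is the kind of confirmation a user would want to look for.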