Bug#927759: unblock: lxc/1:3.1.0+really3.0.3-8

To: 927759@bugs.debian.org
Subject: Bug#927759: unblock: lxc/1:3.1.0+really3.0.3-8
From: Pierre-Elliott Bécue <peb@debian.org>
Date: Mon, 22 Apr 2019 21:47:23 +0200
Message-id: <[🔎] 20190422194723.gbex5vtw6bpjnbub@pimeys.fr>
Reply-to: Pierre-Elliott Bécue <peb@debian.org>, 927759@bugs.debian.org
In-reply-to: <[🔎] 20190422194031.e7dilgb3ektax5th@pimeys.fr>
References: <[🔎] 20190422194031.e7dilgb3ektax5th@pimeys.fr> <[🔎] 20190422194031.e7dilgb3ektax5th@pimeys.fr>

Le lundi 22 avril 2019 à 21:40:31+0200, Pierre-Elliott Bécue a écrit :
> Subject: unblock: lxc/1:3.1.0+really3.0.3-8
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: normal
> X-Debbugs-Cc: pkg-lxc-devel@lists.alioth.debian.org
> 
> Dear release team,
> 
> Please unblock package lxc 1:3.1.0+really3.0.3-8 from unstable to
> testing.
> 
> This release fixes the important bug 925899[0] and introduces a little
> more documentation regarding unprivileged containers which behave differently
> from the privileged ones.
> 
> As the changes made in -7 release were not actually appropriate (I sed a
> dependency on apparmor, which is quite strong), I had to do another
> release to revert some of these. The whole diff is attached and remains
> quite decent.
> 
> Thanks a lot for considering. :)
> 
> unblock lxc/1:3.1.0+really3.0.3-8
> 
> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925899
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled

*grmbl* forgotten attachment *grmbl*

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.

diff -Nru lxc-3.1.0+really3.0.3/debian/changelog lxc-3.1.0+really3.0.3/debian/changelog
--- lxc-3.1.0+really3.0.3/debian/changelog	2019-03-09 15:49:21.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/changelog	2019-04-14 15:46:47.000000000 +0200
@@ -1,3 +1,24 @@
+lxc (1:3.1.0+really3.0.3-8) unstable; urgency=medium
+
+  * d/control:
+    - bin:lxc sets AppArmor as a Recommend instead of a Dependency
+  * d/README.Debian:
+    - Update the documentation to explain how to manage containers not
+      starting if AppArmor is missing.
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Sun, 14 Apr 2019 15:46:47 +0200
+
+lxc (1:3.1.0+really3.0.3-7) unstable; urgency=medium
+
+  * d/ccontrol:
+    - Add a dependency to AppArmor for lxc package as the default.conf file
+      includes an AppArmor profile.
+  * d/{NEWS,README.Debian}:
+    - Add appropriate documentation for unprivileged containers
+      (Closes: #925899)
+
+ -- Pierre-Elliott Bécue <peb@debian.org>  Tue, 09 Apr 2019 02:03:05 +0200
+
 lxc (1:3.1.0+really3.0.3-6) unstable; urgency=medium
 
   * d/patches/0005: Tweaks the 0004 patch for CVE-2019-5736 (Closes: #923932)
diff -Nru lxc-3.1.0+really3.0.3/debian/control lxc-3.1.0+really3.0.3/debian/control
--- lxc-3.1.0+really3.0.3/debian/control	2019-01-10 23:26:17.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/control	2019-04-14 15:27:01.000000000 +0200
@@ -33,7 +33,8 @@
          ${misc:Depends},
          ${shlibs:Depends},
          lsb-base (>= 3.0-6)
-Recommends: bridge-utils,
+Recommends: apparmor,
+            bridge-utils,
             debootstrap,
             dirmngr,
             dnsmasq-base,
@@ -46,7 +47,7 @@
             openssl,
             rsync,
             uidmap
-Suggests: apparmor, btrfs-progs, lvm2, python3-lxc
+Suggests: btrfs-progs, lvm2, python3-lxc
 Description: Linux Containers userspace tools
  Containers are insulated areas inside a system, which have their own namespace
  for filesystem, network, PID, IPC, CPU and memory allocation and which can be
diff -Nru lxc-3.1.0+really3.0.3/debian/NEWS lxc-3.1.0+really3.0.3/debian/NEWS
--- lxc-3.1.0+really3.0.3/debian/NEWS	2019-03-09 15:49:19.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/NEWS	2019-04-09 02:02:51.000000000 +0200
@@ -6,7 +6,7 @@
       lxc-update-config is available to update automatically your
       configuration files. An automatic update is possible and offered by
       debconf during the upgrade of lxc version < 3.0.2 to lxc version >=
-      3.0.2. Mind that this update will only work for priviledged containers
+      3.0.2. Mind that this update will only work for privileged containers
       with configurations present in /var/lib/lxc/*/config and any other
       container will not be updated.
    2. AppArmor support in Debian has increased, thus preventing some systemd
@@ -20,7 +20,13 @@
 
       These parameters are provided in the `/etc/lxc/default.conf` file
       shipped with LXC 3. Hence, any newly created container will have these
-      parameters set properly, execpt if you alter the forementionned file.
+      parameters set properly, except if you alter the aforementioned file.
+
+      WARNING: Note that with these parameters, unprivileged containers won't
+      be able to start. lxc.apparmor.profile must be set to either
+      'unconfined' or to 'lxc-container-default-cgns'. This can be done either
+      in the unprivileged container configuration file or in the user's
+      .config/lxc/default.conf file.
    3. lxc-templates is deprecated by upstream. The new way of building
       containers is via their distrobuilder software. This software isn't in
       Debian Buster, and thus, we still provide lxc-templates. If you relied
diff -Nru lxc-3.1.0+really3.0.3/debian/README.Debian lxc-3.1.0+really3.0.3/debian/README.Debian
--- lxc-3.1.0+really3.0.3/debian/README.Debian	2018-12-22 22:49:44.000000000 +0100
+++ lxc-3.1.0+really3.0.3/debian/README.Debian	2019-04-14 15:46:45.000000000 +0200
@@ -12,4 +12,37 @@
  lxc-attach -n <container> sed -i '/root/ s/:\*:/::/' /etc/shadow
 After either of these you will be again able to login via lxc-console.
 
+Starting LXC containers
+-----------------------
+
+Should you meet troubles to start a container, a first thing to do is to check
+whether apparmor is installed (it is a Recommend of the package, hence it can
+be absent if you disabled the installation of recommends).  If not, you have
+two options:
+
+ 1. Install it
+ 2. Alter the lxc.apparmor.profile entry in `/etc/lxc/default.conf`, and in
+    your containers configurations. `lxc.apparmor.profile = unconfined` is the
+    appropriate option. Mind also to remove the `lxc.apparmor.allow_nesting`
+    entry.
+
+If AppArmor is present and you still have issues, follow the advice by setting
+--logfile and --logpriority options and you'll get more intel on why your
+containers won't start.
+
+Unprivileged containers
+-----------------------
+
+To be able to start a user (unprivileged) container, one needs to change the
+'/etc/sysctl.conf' file to append kernel.unprivileged_userns_clone=1 and run
+`sysctl -p`.
+
+One would also need to also set an AppArmor profile adapted to these, either in
+their `.config/lxc/default.conf` or in the newly created container's
+configuration for it to start.
+
+Both 'lxc.apparmor.profile = lxc-container-default-cgns' and
+'lxc.apparmor.profile = unconfined' are appropriate configurations for it to
+start.
+
  -- Evgeni Golov <evgeni@debian.org>  Sat, 16 Jul 2016 11:49:16 +0200

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Bug#927759: unblock: lxc/1:3.1.0+really3.0.3-8
  - From: Pierre-Elliott Bécue <peb@debian.org>

Prev by Date: Bug#927759: unblock: lxc/1:3.1.0+really3.0.3-8
Next by Date: Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
Previous by thread: Bug#927759: unblock: lxc/1:3.1.0+really3.0.3-8
Next by thread: Bug#927759: marked as done (unblock: lxc/1:3.1.0+really3.0.3-8)
Index(es):
- Date
- Thread