[pkg-lxc-devel] Bug#1050256: [pkg-apparmor] Bug#1050256: autopkgtest fails on debci

Michael Biebl biebl at debian.org
Fri Sep 1 12:23:24 BST 2023


On 31.08.23 at 19:54, Christian Boltz wrote:
> Hello,
> 
> On Thursday, 31 August 2023, 08:41:59 CEST, Michael Biebl wrote:
>> What we found so far is, that the AppArmor policy of lxc breaks any
>> systemd service using PrivateNetwork=yes or PrivateIPC=yes when being
>> run under lxc (running under bookworm using the bookworm kernel).
>> I wonder what the best course of action is here.
>> Should we disable the AA policy of lxc via a stable upload of the lxc
>> package until the root cause is found?
>>
>> Unfortunately I know too little about AppArmor and lxc's AppArmor
>> policy  and my attempts to ask around for help weren't successful so
>> far.
> 
> Two quick hints, but let me warn you that I'm not familiar with lxc and
> also didn't check the content of the lxc-autopkgtest-lxc-iomhit_*
> profile.
> 
> https://github.com/lxc/lxc/issues/4333 indicates that this issue was
> fixed in a (much) newer kernel - but that's probably not news to you
> since you wrote that comment ;-)
> 
> 
> That said - the DENIED log entry translates to
> 
>      unix send type=dgram,
> 
> You could try if adding this rule to the lxc-autopkgtest-lxc-iomhit_*
> profile helps - but if the issue is really on the kernel side, my hope is
> limited.
> 
> For testing, you could also try with a more broad
>      unix send,
> or even
>      unix,
> rule - but please don't add these broader rules to the production
> profile.

I have no idea, where to add that and what specific syntax I should use.
The profile above seems to be autogenerated and I only found a binary 
file with that name in /var/cache/apparmor.

The only way to fix the container was to use the aforementioned 
`lxc.apparmor.profile = unconfined`.
I think we should do that as the breakage is rather widespread and I 
already see individual packages trying to work around that to at least 
keep debci afloat.

See e.g.:
https://salsa.debian.org/systemd-team/systemd/-/merge_requests/211
https://salsa.debian.org/debian/pdns/-/commit/637e54ef73386541086da430553b82db78266bac

or disabling the systemd hardening options completely:
https://salsa.debian.org/utopia-team/polkit/-/blob/master/debian/patches/debian/Don-t-use-PrivateNetwork-yes-for-the-systemd-unit.patch

This is not a good outcome of this and the problem will become more 
apparent with debci running on bookworm now.


Regards,
Michael
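As an added illustration (not code from the thread, the lxc project or AppArmor), a small parser that turns an AppArmor DENIED audit entry of the kind discussed above into the `unix send type=dgram,` rule Christian derived, plus the two broader variants he mentions for testing only. The sample log line, profile name and pid below are constructed placeholders, not the real entry from the bug report.

```python
import re

# Constructed sample of a DENIED entry as logged when a systemd unit with
# PrivateNetwork=yes/PrivateIPC=yes runs inside a confined lxc container.
# Profile name, timestamp and pid are placeholders, not values from the bug.
SAMPLE_DENIED = (
    'audit: type=1400 audit(1693500000.000:42): apparmor="DENIED" '
    'operation="sendmsg" profile="lxc-autopkgtest-lxc-iomhit_</var/lib/lxc>" '
    'pid=1234 comm="systemd" family="unix" sock_type="dgram" protocol=0 '
    'requested_mask="send" denied_mask="send" addr=none peer_addr=none'
)

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def unix_rule_for(fields, scope="minimal"):
    """Translate a unix-socket DENIED entry into an AppArmor rule line.

    scope="minimal" -> 'unix send type=dgram,'  (the rule to try in the profile)
    scope="send"    -> 'unix send,'             (broader, diagnosis only)
    scope="all"     -> 'unix,'                  (broadest, diagnosis only)
    Returns None for entries that are not unix-socket denials.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("family") != "unix":
        return None
    perms = fields.get("denied_mask") or fields.get("requested_mask")
    if not perms:
        return None
    if scope == "all":
        return "unix,"
    if scope == "send":
        return f"unix {perms},"
    parts = [perms]
    if "sock_type" in fields:
        parts.append(f"type={fields['sock_type']}")
    return "unix " + " ".join(parts) + ","


if __name__ == "__main__":
    entry = parse_audit_line(SAMPLE_DENIED)
    for scope in ("minimal", "send", "all"):
        print(f"{scope:>7}: {unix_rule_for(entry, scope)}")
```

With a generated lxc profile, the container's `lxc.apparmor.raw` config key appends raw profile lines, which is where the minimal rule can be tried before falling back to `lxc.apparmor.profile = unconfined`; as Christian notes, the two broader rules are for diagnosis only, not for a production profile.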
