On Fri, Jan 11, 2019 at 03:56:02PM +0100, Pierre-Elliott Bécue wrote:
> On 11/01/2019 at 15:01, Christian Brauner wrote:
> > On Fri, Jan 11, 2019 at 12:58:09AM +0100, Pierre-Elliott Bécue wrote:
> >> On Sunday 16 December 2018 at 20:22:05+0100, intrig...@debian.org wrote:
> >>> Package: lxc
> >>> Version: 1:3.0.3-1
> >>> Severity: normal
> >>> Tags: patch
> >>> X-Debbugs-Cc: Michael Biebl <bi...@debian.org>, Wolfgang Bumiller
> >>> <w.bumil...@proxmox.com>
> >>> User: pkg-apparmor-t...@lists.alioth.debian.org
> >>> Usertags: buggy-profile
> >>>
> >>> Hi,
> >>>
> >>> as discussed on https://bugs.debian.org/911806 the current LXC
> >>> AppArmor support breaks systemd v240, which now refuses to start units
> >>> if it can't set up various sandboxing features, while previously it
> >>> would merely start the units without the configured sandboxing.
> >>> Michael Biebl originally reported this failure in the context of the
> >>> systemd autopkgtests but I expect the same problem will affect regular
> >>> full-system containers as well.
> >>>
> >>> Testing confirms that this problem is fixed by backporting 3 commits
> >>> (e6ec0a9, e7311a84 and 1800f92) from LXC 3.1.0. I'm attaching the
> >>> resulting backported patches. Credit goes to Wolfgang Bumiller who did
> >>> the work upstream and to Michael Biebl who reported the problem in
> >>> great detail.
> >>>
> >>> If Buster is going to be released with LXC 3.0.x, IMO we need to
> >>> either apply these patches or disable AppArmor by default for new LXC
> >>> containers. And if we're going to ship with LXC 3.1.0 or newer, then
> >>> feel free to disregard this request and close this bug with the first
> >>> upload of LXC 3.1.0+ :)
> >>
> >> Hi,
> >>
> >> Cc-ing Christian to improve the delay of replies.
> >>
> >> At first I released 3.1.0 in unstable, but it seems unwise to rely on this
> >> one when 3.0 is the LTS and 3.1 support won't last for long.
> >>
> >> Hence I did a 3.1.0+really3.0.3 release today, rolling back to 3.0.3.
> >>
> >> This means this bug is no longer fixed.
> >>
> >> Christian, would you consider releasing a 3.0.4 containing the patchset
> >> mentioned in this bug?
> >
> > The three commits you linked would be a feature backport which we can't
> > do into a stable branch. Wolfgang could however send a custom patch. I
> > Cced him. If he does it we can push this into the next release. :)
>
> Do you mean a 3.0.x release?
>
> Would it be possible to have it before the end of the month? Otherwise

Hm, unlikely. Can you carry a separate patch on top of 3.0.3 until we
release 3.0.4?

Thanks!
Christian