Package: lxc
Version: 1:5.0.2-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

Upgraded from bullseye to bookworm. The broadcast address changed within the container

$ ip route show table local dev eth0 scope link
broadcast 0.0.127.255 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113

using this configuration:

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.veth.pair = p_dav-test
lxc.net.0.name = eth0
lxc.net.0.ipv4.address = 172.21.3.113/17
lxc.net.0.ipv4.gateway = 172.21.1.1

Expectation is that everything works the same as the previous version of lxc, that we get the following:

$ ip route show table local dev eth0 scope link
broadcast 172.21.0.0 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Upgrade Debian 11 to Debian 12 and reboot the server.

   * What was the outcome of this action?
   * What outcome did you expect instead?

Everything works exactly the same.

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]       1.5.82
ii  dnsmasq-base [dnsmasq-base] 2.89-1
ii  iproute2                    6.1.0-3
ii  iptables                    1.8.9-2
ii  libapparmor1                3.0.8-3
ii  libc6                       2.36-9
ii  libcap2                     1:2.66-4
ii  libgcc-s1                   12.2.0-14
ii  liblxc-common               1:5.0.2-1
ii  liblxc1                     1:5.0.2-1
ii  libseccomp2                 2.5.4-1+b3
ii  libselinux1                 3.4-1+b6
ii  lsb-base                    11.6
ii  sysvinit-utils [lsb-base]   3.06-4

Versions of packages lxc recommends:
ii  apparmor       3.0.8-3
pn  debootstrap    <none>
pn  dirmngr        <none>
pn  gnupg          <none>
pn  libpam-cgfs    <none>
pn  lxc-templates  <none>
ii  lxcfs          5.0.3-1
ii  openssl        3.0.9-1
pn  rsync          <none>
pn  uidmap         <none>
pn  wget           <none>

Versions of packages lxc suggests:
pn  btrfs-progs  <none>
pn  lvm2         <none>
pn  python3-lxc  <none>

-- Configuration Files:
/etc/apparmor.d/abstractions/lxc/start-container changed:
  network,
  capability,
  file,
  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  dbus,
  signal,
  ptrace,
  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount options=(rw, make-shared) -> **,
  mount options=(rw, make-rshared) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},
  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
  # required for some pre-mount hooks
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,
  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root. So allow all umounts
  # right now. They'll be restricted for the container at least.
  umount,
  #umount /mnt/{**,},
  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib*/lxc/,
  pivot_root /usr/lib*/*/lxc/,
  pivot_root /usr/lib*/lxc/**,
  pivot_root /usr/lib*/*/lxc/**,
  pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  change_profile -> lxc-*,
  change_profile -> lxc-**,
  change_profile -> unconfined,
  change_profile -> :lxc-*:unconfined,

/etc/apparmor.d/lxc/lxc-default-cgns changed:
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=overlay,
}

/etc/apparmor.d/lxc/lxc-default-with-nesting changed:
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount options=(rw,rbind) -> /run/systemd/unit-root/,
  mount options=(rw,rbind) -> /run/systemd/unit-root/**,
  mount options=(rw,rshared) -> /,
  mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}

-- debconf information:
  lxc/auto_update_config:
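
A check for the symptom reported above, as an added example that is not part of the original report or of lxc: it compares the `broadcast` entries of the local routing table with the network and broadcast addresses derived from `lxc.net.N.ipv4.address`. The sample inputs are constructed from the values quoted in the report, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, built from the values quoted in the report.
LXC_CONFIG = """\
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.ipv4.address = 172.21.3.113/17
lxc.net.0.ipv4.gateway = 172.21.1.1
"""
ROUTES_BOOKWORM = """\
broadcast 0.0.127.255 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113
"""
ROUTES_BULLSEYE = """\
broadcast 172.21.0.0 proto kernel src 172.21.3.113
broadcast 172.21.127.255 proto kernel src 172.21.3.113
"""

def configured_interfaces(config_text):
    """Return every lxc.net.N.ipv4.address value as an IPv4Interface."""
    pattern = re.compile(r"^\s*lxc\.net\.\d+\.ipv4\.address\s*=\s*(\S+)", re.M)
    return [ipaddress.ip_interface(m.group(1)) for m in pattern.finditer(config_text)]

def unexpected_broadcast_routes(config_text, route_text):
    """List broadcast routes that are neither the network address nor the
    directed broadcast address of any configured subnet."""
    allowed = set()
    for iface in configured_interfaces(config_text):
        allowed.add(iface.network.network_address)
        allowed.add(iface.network.broadcast_address)
    found = []
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "broadcast":
            addr = ipaddress.ip_address(fields[1])
            if addr not in allowed:
                found.append(str(addr))
    return found

if __name__ == "__main__":
    for label, routes in (("bullseye", ROUTES_BULLSEYE), ("bookworm", ROUTES_BOOKWORM)):
        print(label, unexpected_broadcast_routes(LXC_CONFIG, routes))
```

On a live container, feed it the output of `ip route show table local dev eth0 scope link`. The value it flags for the bookworm sample, 0.0.127.255, is numerically the host mask of a /17 prefix.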