On 31.08.23 at 19:54, Christian Boltz wrote:
> Hello,
>
> On Thursday, 31 August 2023, 08:41:59 CEST, Michael Biebl wrote:
> > What we found so far is that the AppArmor policy of lxc breaks any
> > systemd service using PrivateNetwork=yes or PrivateIPC=yes when being
> > run under lxc (running under bookworm using the bookworm kernel).
> > I wonder what the best course of action is here.
> > Should we disable the AA policy of lxc via a stable upload of the lxc
> > package until the root cause is found?
> >
> > Unfortunately I know too little about AppArmor and lxc's AppArmor
> > policy, and my attempts to ask around for help weren't successful so
> > far.
>
> Two quick hints, but let me warn you that I'm not familiar with lxc and
> also didn't check the content of the lxc-autopkgtest-lxc-iomhit_*
> profile.
>
> https://github.com/lxc/lxc/issues/4333 indicates that this issue was
> fixed in a (much) newer kernel - but that's probably not news to you
> since you wrote that comment ;-)
>
> That said - the DENIED log entry translates to
>
>      unix send type=dgram,
>
> You could try if adding this rule to the lxc-autopkgtest-lxc-iomhit_*
> profile helps - but if the issue is really on the kernel side, my hope is
> limited.
>
> For testing, you could also try with a more broad
>      unix send,
> or even
>      unix,
> rule - but please don't add these broader rules to the production
> profile.

I have no idea where to add that and what specific syntax I should use.
The profile above seems to be autogenerated and I only found a binary file with that name in /var/cache/apparmor.

The only way to fix the container was to use the aforementioned `lxc.apparmor.profile = unconfined`. I think we should do that as the breakage is rather widespread and I already see individual packages trying to work around that to at least keep debci afloat.

See e.g.:
https://salsa.debian.org/systemd-team/systemd/-/merge_requests/211
https://salsa.debian.org/debian/pdns/-/commit/637e54ef73386541086da430553b82db78266bac

or disabling the systemd hardening options completely:
https://salsa.debian.org/utopia-team/polkit/-/blob/master/debian/patches/debian/Don-t-use-PrivateNetwork-yes-for-the-systemd-unit.patch

This is not a good outcome of this and the problem will become more apparent with debci running on bookworm now.


Regards,
Michael
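As an added illustration (not code from the thread, from lxc or from the AppArmor project), the translation Christian describes, from a DENIED audit entry for a unix socket to the narrowest matching `unix` rule, can be scripted. The audit line below is constructed, since the real entry is not quoted in the mail, and the profile name in it is a placeholder modelled on the lxc-autopkgtest-lxc-iomhit_* name.

```python
import re

# Constructed sample of an AppArmor DENIED audit entry for a unix dgram socket.
# It is not the entry from the thread (which is not quoted there); the profile
# name is a placeholder modelled on the lxc-autopkgtest-lxc-iomhit_* name.
SAMPLE_DENIAL = (
    'type=AVC msg=audit(1693500000.123:42): apparmor="DENIED" '
    'operation="sendmsg" profile="lxc-autopkgtest-lxc-iomhit_PLACEHOLDER" '
    'pid=1234 comm="systemd" family="unix" sock_type="dgram" protocol=0 '
    'requested_mask="send" denied_mask="send" addr=none peer_addr=none'
)

# key=value pairs; quoted values may contain spaces (e.g. "send receive")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Return the audit line's key=value fields as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def unix_rule(fields, broad=False):
    """Narrowest `unix` rule that would allow one DENIED unix-socket event.

    broad=True returns the `unix <perms>,` form (no socket type), which the
    mail suggests for testing only, not for a production profile.
    Returns None for lines that are not unix-socket denials.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("family") != "unix":
        return None
    perms = (fields.get("denied_mask") or fields.get("requested_mask", "")).split()
    if not perms:
        return None
    # AppArmor lists several permissions as "(send, receive)"
    perm_str = perms[0] if len(perms) == 1 else "(" + ", ".join(perms) + ")"
    if broad or "sock_type" not in fields:
        return f"unix {perm_str},"
    return f"unix {perm_str} type={fields['sock_type']},"


if __name__ == "__main__":
    fields = parse_audit(SAMPLE_DENIAL)
    print(unix_rule(fields))              # unix send type=dgram,
    print(unix_rule(fields, broad=True))  # unix send,
```

Feeding the script the real DENIED line from the container's kernel log gives the rule to try in the generated profile; whether it helps is a separate question, given the kernel-side fix referenced in the thread.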
