Hi Lukas,
yes, we know about that problem and yes, it's our priority to fix that.
We've combined our forces with AppArmor team to fix the issue on the AppArmor
side:
https://gitlab.com/apparmor/apparmor/-/merge_requests/333
This is waiting to be merged:
https://github.com/lxc/lxc/pull/4295
We
This is apparently related to Ubuntu's apparmor confinement of the LXC
process. Running containers unconfined seems to help:
```
# unload the lxc-start profile from the kernel and keep it disabled on reboot
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disable/
echo "lxc.apparmor.profile = unconfined"
```
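As an added example (not code from this bug thread), a POSIX shell check a defender can run over LXC container configs to find where the unconfined workaround above has been applied to a privileged container, which gives up the only isolation the thread says such containers have. It assumes LXC's plain `key = value` config format and that `lxc.idmap` lines mark an unprivileged container; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread. Flags "lxc.apparmor.profile = unconfined"
# and reports whether the container is privileged (no lxc.idmap lines, assumed
# convention) or unprivileged (user-namespace mapped via lxc.idmap).

# audit_lxc_config <config-file>
# Prints one of: ok, unconfined-unprivileged, unconfined-privileged
audit_lxc_config() {
    cfg="$1"
    # last assignment wins, as in LXC itself
    profile=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    if grep -q '^[[:space:]]*lxc\.idmap[[:space:]]*=' "$cfg"; then
        priv=no
    else
        priv=yes
    fi
    case "$profile" in
        unconfined)
            if [ "$priv" = yes ]; then
                echo unconfined-privileged
            else
                echo unconfined-unprivileged
            fi
            ;;
        *)
            echo ok
            ;;
    esac
}

# Constructed sample configs so the script runs stand-alone.
tmpdir=$(mktemp -d)
cat >"$tmpdir/priv.conf" <<'EOF'
lxc.uts.name = priv
lxc.apparmor.profile = unconfined
EOF
cat >"$tmpdir/unpriv.conf" <<'EOF'
lxc.uts.name = unpriv
lxc.idmap = u 0 100000 65536
lxc.apparmor.profile = unconfined
EOF
cat >"$tmpdir/default.conf" <<'EOF'
lxc.apparmor.profile = lxc-container-default-cgns
EOF
for f in priv unpriv default; do
    printf '%s: %s\n' "$f" "$(audit_lxc_config "$tmpdir/$f.conf")"
done
```

Only `unconfined-privileged` needs attention: there the workaround removes the AppArmor policy that is the container's sole barrier against the host.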
** Changed in: systemd (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1950787
Title:
systemd-sysusers cannot mount /d
I've implemented the workaround in systemd's debian/test/tests-in-lxd.
** Changed in: systemd (Ubuntu)
Status: New => Fix Committed
Closing the LXD task as there's not really anything we can do there.
The options here are pretty much:
- Do nothing, if it's just privileged containers, it's usually not a big deal
- Significantly rework apparmor mount handling logic and policies so this can
be safely allowed
- Ship unit overr
If this only fails in privileged containers, then I probably wouldn't
worry about it too much, those aren't the default and a LOT of things
break in privileged containers, so I don't think it's worth doing distro
changes to accommodate this, assuming the container otherwise still
boots.
For cases
Privileged containers have a much stricter apparmor policy applied than
unprivileged containers.
That's because unprivileged containers primarily rely on the user namespace to
prevent breakout and taking over of the host whereas privileged containers rely
entirely on apparmor.
As apparmor isn't
This commit seems to be related:
https://github.com/lxc/distrobuilder/commit/33a4302ca5a62ed9eb9009dcc5059aecfb55ba41
But why does it not work in privileged containers?
** Attachment added: "debug.log"
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1950787/+attachment/5540415/+files/debug.log
** Description changed:
systemd-sysusers.service/systemd.exec fails to start in privileged
containers, due to being unable to properly mount /dev for passing