Package: lxc
Version: 1:5.0.2-1
Severity: normal

When starting lxc-console it does not connect to the container but is hanging. lxc-attach works fine as a replacement, but it makes the use of unprivileged containers more complicated because each container has its own uids and I want to enter the container as a normal user, not as root.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.82
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  iproute2                     6.1.0-3
ii  iptables                     1.8.9-2
ii  libapparmor1                 3.0.8-3
ii  libc6                        2.36-9+deb12u1
ii  libcap2                      1:2.66-4
ii  libgcc-s1                    12.2.0-14
ii  liblxc-common                1:5.0.2-1
ii  liblxc1                      1:5.0.2-1
ii  libseccomp2                  2.5.4-1+b3
ii  libselinux1                  3.4-1+b6
ii  lsb-base                     11.6
ii  sysvinit-utils [lsb-base]    3.06-4

Versions of packages lxc recommends:
ii  apparmor       3.0.8-3
ii  debootstrap    1.0.128+nmu2
ii  dirmngr        2.2.40-1.1
ii  gnupg          2.2.40-1.1
ii  libpam-cgfs    1:5.0.2-1
ii  lxc-templates  3.0.4.48.g4765da8-1
ii  lxcfs          5.0.3-1
ii  openssl        3.0.9-1
ii  rsync          3.2.7-1
ii  uidmap         1:4.13+dfsg1-1+b1
ii  wget           1.21.3-1+b2

Versions of packages lxc suggests:
ii  btrfs-progs  6.2-1
ii  lvm2         2.03.16-2
pn  python3-lxc  <none>

-- Configuration Files:
/etc/apparmor.d/abstractions/lxc/start-container changed:
  network,
  capability,
  file,
  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  dbus,
  signal,
  ptrace,
  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount options=(rw, make-shared) -> **,
  mount options=(rw, make-rshared) -> **,
  mount fstype=debugfs,
  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
  mount -> /var/lib/lxc/{**,},
  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
  # required for some pre-mount hooks
  mount fstype=overlayfs,
  mount fstype=aufs,
  mount fstype=ecryptfs,
  # all umounts are under the original root's /mnt, but right now we
  # can't allow those umounts after pivot_root. So allow all umounts
  # right now. They'll be restricted for the container at least.
  umount,
  #umount /mnt/{**,},
  # This may look a bit redundant, however it appears we need all of
  # them if we want things to work properly on all combinations of kernel
  # and userspace parser...
  pivot_root /usr/lib*/lxc/,
  pivot_root /usr/lib*/*/lxc/,
  pivot_root /usr/lib*/lxc/**,
  pivot_root /usr/lib*/*/lxc/**,
  pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  change_profile -> lxc-*,
  change_profile -> lxc-**,
  change_profile -> unconfined,
  change_profile -> :lxc-*:unconfined,

/etc/apparmor.d/lxc/lxc-default-cgns changed:
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=overlay,
}

/etc/apparmor.d/lxc/lxc-default-with-nesting changed:
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount options=(rw,rbind) -> /run/systemd/unit-root/,
  mount options=(rw,rbind) -> /run/systemd/unit-root/**,
  mount options=(rw,rshared) -> /,
  mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}

/etc/lxc/default.conf changed:
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

-- debconf information:
  lxc/auto_update_config: