Bug#926925: lxc: please do not depend on apparmor


Mattia Rizzolo-5
Package: lxc
Version: 1:3.1.0+really3.0.3-7

Please do not hard depend on apparmor.

The other day I brought this matter up on #debian-devel and others also
agreed that it's not a good idea to hard depend on apparmor.

Even the kernel at most recommends it.

From the #d-d conversation:

[03:27:59 PM] <peb> adding apparmor as a dependency was a suggestion from intrigeri, and I did not find any real reason to not do so
[03:28:42 PM] <peb> kibi: lxc upon startup tries to load the aforementioned profile and thus needs apparmor to enforce it
[03:28:53 PM] <peb> so the alternative is to remove the config in default.conf
[03:30:00 PM] <jcristau> wat
[03:30:48 PM] <peb> jcristau: without apparmor, a container with the generated profile won't be able to start
[03:30:58 PM] <peb> "generated" (it's the name of the profile)
[03:31:16 PM] <jcristau> sounds like a silly design
[03:31:24 PM] <peb> so if we don't drag apparmor, I need to comment out/remove the profile = generated in /etc/lxc/default.conf
[03:31:36 PM] <peb> I'll do some tests
[03:31:48 PM] <peb> but ack, the current situation is probably not the appropriate one for stable
[03:31:56 PM] <peb> I'll find a way before asking for an unblock
[03:31:57 PM] <jcristau> it should be able to confine containers if you have apparmor, and not if not.
[03:32:17 PM] <peb> my previous tests showed otherwise, but maybe I missed something
[03:32:47 PM] <peb> I'll redo some tests during the weekend

I'm making this into a bug to ease tracking.

                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
