Mailinglist Archive: opensuse-bugs (6221 mails)

[Bug 1085996] LXD container network setup fails on OpenSuse with apparmor denials
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 02 Apr 2018 18:16:17 +0000
  • Message-id: <bug-1085996-21960-QuW3dGyqfi@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1085996
http://bugzilla.opensuse.org/show_bug.cgi?id=1085996#c2

--- Comment #2 from John Johansen <jrjohansen117@xxxxxxxxx> ---
It's not that simple.

While it is true that the AppArmor networking patch in use is not namespace
aware, it doesn't need to be. It is not doing mediation at a level where
namespace awareness is needed.

That is, it is controlling a very coarse level of mediation of a task's ability to use a
socket of a given family and type, and not down to the level of actual
addresses, which would need namespace awareness.

From the logs this cannot even be attributed to the difference between Ubuntu
carrying fine-grained mediation of af_unix sockets and SUSE just the broader
coarse-grained socket mediation, as all of the denials are around inet and
inet6.

There is something different in the LXD or the system setup
that is leading to these denials, which we need to trace down.


As for the comment in the LXD issue, that was not meant as a definitive "it's an
openSUSE kernel issue". It was very much "SUSE is carrying a slightly different
patchset than Ubuntu or the upstream kernel (which currently has no network
mediation)", and that is the place where I would start looking.

So far however I don't have enough info to determine what the difference is
that is causing this.

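As an added example (not part of the bug thread, nor code from the AppArmor or LXD projects): a small Python triage script that groups AppArmor socket denials from audit log lines by socket family and type, the granularity at which the coarse socket mediation described above operates, and lists which families are involved. The audit lines, profile name and PIDs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines in the shape of AppArmor socket denials
# logged for a container profile (profile name, pids and timestamps made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1522692977.123:456): apparmor="DENIED" operation="create" profile="lxd-c1_</var/lib/lxd>" pid=1234 comm="ip" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1522692977.124:457): apparmor="DENIED" operation="create" profile="lxd-c1_</var/lib/lxd>" pid=1234 comm="ip" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1522692977.125:458): apparmor="DENIED" operation="create" profile="lxd-c1_</var/lib/lxd>" pid=1240 comm="dhclient" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1522692977.126:459): apparmor="ALLOWED" operation="create" profile="lxd-c1_</var/lib/lxd>" pid=1240 comm="dhclient" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1522692977.127:460): apparmor="DENIED" operation="open" profile="lxd-c1_</var/lib/lxd>" name="/proc/sys/net/ipv4/ip_forward" pid=1250 comm="sysctl" requested_mask="w" denied_mask="w"
"""

# Matches the quoted key="value" fields; unquoted fields (pid=, protocol=) are ignored.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the quoted key="value" fields of one audit line as a dict."""
    return dict(KV_RE.findall(line))


def socket_denials(log_text):
    """Count DENIED socket operations by (family, sock_type).

    Complain-mode (ALLOWED) lines and denials without a family= field
    (file denials, for instance) are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") != "DENIED" or "family" not in fields:
            continue
        counts[(fields["family"], fields["sock_type"])] += 1
    return counts


def families_involved(counts):
    """Sorted list of socket families seen in the denials (e.g. only inet/inet6)."""
    return sorted({family for family, _ in counts})


def suggested_rules(counts):
    """One 'network <family> <type>,' profile line per denied family/type pair,
    which is the granularity the coarse socket mediation works at."""
    return sorted(f"network {family} {stype}," for family, stype in counts)


if __name__ == "__main__":
    denials = socket_denials(SAMPLE_LOG)
    print(families_involved(denials))
    print("\n".join(suggested_rules(denials)))
```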