• Re: why do I have to use backports kernel to make LXC work on Bookworm?

    From Salvatore Bonaccorso@21:1/5 to Harald Dunkel on Thu Dec 28 14:50:01 2023
    Hi,

    On Thu, Dec 28, 2023 at 02:13:28PM +0100, Harald Dunkel wrote:
    Hi folks,

    apparently LXC is affected by a bug around apparmor support for months,
    see #1052934 and #1050256. The workaround is to set PrivateNetwork=false
    (set by default as a security measure) or to use a backports kernel.

    AFAIU the reason is a bug in 6.1. The fix (1cf26c3d2c4c) is not a one-liner,
    but reasonably small, and it has already been verified, so how come it
    is still in the loop for weeks?

    Because it needs backporting work in 6.1.y upstream, which John
    Johansen aimed to work on. You can read about the history and backlog
    in #1050256 . So far I have not got a reply from John on https://bugs.debian.org/1050256#215 .

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Harald Dunkel@21:1/5 to All on Thu Dec 28 14:30:01 2023
    Hi folks,

    apparently LXC is affected by a bug around apparmor support for months,
    see #1052934 and #1050256. The workaround is to set PrivateNetwork=false
    (set by default as a security measure) or to use a backports kernel.

    AFAIU the reason is a bug in 6.1. The fix (1cf26c3d2c4c) is not a one-liner,
    but reasonably small, and it has already been verified, so how come it
    is still in the loop for weeks?


    Regards

    Harri

  • From Harald Dunkel@21:1/5 to Salvatore Bonaccorso on Thu Dec 28 17:20:02 2023
    On 2023-12-28 14:40:30, Salvatore Bonaccorso wrote:

    Because it needs backporting work in 6.1.y upstream, which John
    Johansen aimed to work on. You can read about the history and backlog
    in #1050256 . So far I have not got a reply from John on https://bugs.debian.org/1050256#215 .


    Oh, I thought he's a Debian maintainer. My bad.

    Thank you very much for your fast response.

  • From Salvatore Bonaccorso@21:1/5 to Harald Dunkel on Fri Dec 29 13:50:01 2023
    Hi Harald,

    On Thu, Dec 28, 2023 at 05:17:48PM +0100, Harald Dunkel wrote:
    On 2023-12-28 14:40:30, Salvatore Bonaccorso wrote:

    Because it needs backporting work in 6.1.y upstream, which John
    Johansen aimed to work on. You can read about the history and backlog
    in #1050256 . So far I have not got a reply from John on https://bugs.debian.org/1050256#215 .


    Oh, I thought he's a Debian maintainer. My bad.

    Thank you very much for your fast response.

    No problem! I will let some days pass and then ping him again to ask
    after the "holiday season". I think even if someone else will propose
    a target backport Greg will want an ack from the apparmor maintainers,
    and John is the sole one listed in the upstream MAINTAINERS file:

    APPARMOR SECURITY MODULE
    M: John Johansen <john.johansen@canonical.com>
    M: John Johansen <john@apparmor.net>
    L: apparmor@lists.ubuntu.com (moderated for non-subscribers)
    S: Supported
    W: apparmor.net
    B: https://gitlab.com/apparmor/apparmor-kernel
    C: irc://irc.oftc.net/apparmor
    T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
    T: https://gitlab.com/apparmor/apparmor-kernel.git
    F: Documentation/admin-guide/LSM/apparmor.rst
    F: security/apparmor/

    I hope we can make it for the next point release.

    Regards,
    Salvatore
