On 30 March 2019 15:29:52 GMT+01:00, intrigeri <intrig...@debian.org> wrote:
>Hi,
>
>Pierre-Elliott Bécue:
>> This bugreport raises an interesting question regarding the tradeoff
>> between the solution we implemented to fix bug #916639.
>
>> Cc-ing intrigeri: I'm reconsidering the /etc/lxc/default.conf setting
>> regarding apparmor.profile. Putting generated breaks many unpriv
>> containers as they have no apparmor.profile set in their
>> configuration.
>
>I'd love to help but I'll need more info to understand why the current
>setup breaks "many unpriv containers", e.g.:
>
> - Is this specific to unprivileged containers?
>
> - Is it because "apparmor.profile = generated" is not suitable
>   for unprivileged containers?
>
>Finally, I wonder if "Suggests: apparmor" expresses strongly enough
>the current status of the LXC + AppArmor integration in Debian.
>Thankfully the Linux images will pull apparmor via Recommends…
>except on systems where the administrator has disabled installation
>of Recommends.
>
>Cheers,

It is specific to unprivileged containers and due to the fact that non-root users don't seem to have the ability to use the generated profile.

PEB (from my phone)