[tor-dev] apparmor in lxc containers [#17754]

intrigeri intrigeri at boum.org
Tue Dec 15 10:40:26 UTC 2015


Hi,

Peter Palfrader wrote (15 Dec 2015 08:24:25 GMT) :
> https://bugs.torproject.org/17754 reports that tor no longer works in
> LXC containers.

> I have set up an ubuntu wily VM, and a wily LXC container in it, and I
> can confirm that with the AppArmorProfile= line in the service file, tor
> will not launch.

Given the logs I see on the ticket, it looks like systemd was not
allowed by the container to apply our AppArmor policy.
Linux namespaces support more and more stuff these days, but they
didn't go as far as supporting stacking AppArmor policies yet:

  https://bugs.launchpad.net/apparmor/+bug/1379535

... not even mentioning limitations that AppArmor has with stacked
filesystems such as aufs and overlayfs, which are commonly used
for containers.

> Do you have any ideas how to properly fix this?  Or what the best
> workaround would be to document?

Sadly, I don't know what we can do better at the moment than disabling
AppArmor when running in such environments, like:
https://trac.torproject.org/projects/tor/ticket/17754#comment:6

Cheers,
--
intrigeri
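The workaround intrigeri points to, dropping the AppArmor confinement for tor only where the container kernel cannot apply a nested profile, as an added example script that is not part of this thread or of Tor's packaging. The unit name `tor@default.service`, the drop-in file name and the use of `systemd-detect-virt` are assumptions; adjust them to the distribution's packaging.

```shell
#!/bin/sh
# Added example (not from the thread): create a systemd drop-in that clears
# AppArmorProfile= for the tor unit, but only when we are running inside a
# container on a kernel that exposes AppArmor without policy stacking, which
# is the situation described in tor ticket #17754. On bare metal or in a VM
# the confinement is kept. Unit name is an assumption.
set -eu

UNIT="${TOR_UNIT:-tor@default.service}"

# $1: output of `systemd-detect-virt --container` ("none" outside containers)
# $2: contents of /sys/module/apparmor/parameters/enabled ("Y" or "N")
# Succeeds when the drop-in is needed.
needs_override() {
  virt="$1"; aa_enabled="$2"
  [ "$virt" != "none" ] || return 1       # not a container: keep the profile
  [ "$aa_enabled" = "Y" ] || return 1     # AppArmor absent: nothing to clear
  return 0
}

# $1: systemd configuration root, e.g. /etc/systemd/system
# Writes the drop-in; an empty AppArmorProfile= resets the unit's setting.
write_override() {
  dir="$1/$UNIT.d"
  mkdir -p "$dir"
  cat > "$dir/no-apparmor.conf" <<'EOF'
[Service]
# Cleared because this container's kernel cannot stack AppArmor policies
# (see https://bugs.torproject.org/17754). Remove once stacking is supported.
AppArmorProfile=
EOF
}

main() {
  virt="$(systemd-detect-virt --container 2>/dev/null || echo none)"
  aa="$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)"
  if needs_override "$virt" "$aa"; then
    write_override /etc/systemd/system
    systemctl daemon-reload
    echo "AppArmorProfile= cleared for $UNIT (container without policy stacking)"
  else
    echo "No override needed for $UNIT"
  fi
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run as `sh no-apparmor-in-container.sh --apply` inside the container; without `--apply` the functions are only defined.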

