Patch the usr.bin.lxc-copy apparmor profile

Due to the bug in liblxc-common packaging [1], there is a conflict in apparmor profiles which prevents any management of existing profiles. In order to allow apparmor configuration we need to bushfix the usr.bin.lxc-copy profile until fixed one won't be released. [1] https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2110635 Change-Id: I3de2c45fc1b24424ccbb8035cc7e7603dc5d0976
2025-05-14 14:57:58 +02:00
parent afc9900d39
commit f059f97ce2
2 changed files with 26 additions and 0 deletions
--- a/releasenotes/notes/lxc_apparmor_issue-e25bbc97e7f2ba62.yaml
+++ b/releasenotes/notes/lxc_apparmor_issue-e25bbc97e7f2ba62.yaml
@@ -0,0 +1,10 @@
+---
+issues:
+  - |
+    It was discovered that LXC 5.0.3 in Ubuntu 24.04 (Noble Numbat)
+    contains packaging issue resulting in apparmor profiling conflicts.
+    A temporary workaround has been applied in ``lxc_hosts`` role to
+    apply a hotfix to the profile. However, it will be wiped with the
+    next update of ``liblxc-common`` package.
+    Please, check the `bug #2110635 <https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2110635>`_
+    for more details on the issue.
--- a/tasks/lxc_install_apt.yml
+++ b/tasks/lxc_install_apt.yml
@@ -65,5 +65,21 @@
    - lxc-apparmor
    - lxc_hosts-config

+# NOTE: Addresses packaging bug https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2110635
+- name: Fix liblxc-common apparmor profiles
+  ansible.builtin.lineinfile:
+    path: /etc/apparmor.d/usr.bin.lxc-copy
+    regexp: "^/usr/bin/lxc-start flags="
+    line: "/usr/bin/lxc-copy flags=(attach_disconnected) {"
+    state: present
+  when:
+    - ansible_facts['distribution'] | lower == 'ubuntu'
+    - ansible_facts['distribution_release'] == 'noble'
+  notify:
+    - Reload apparmor
+  tags:
+    - lxc-files
+    - lxc-apparmor
+
 - name: Flush handler to reload apparmor profiles
  ansible.builtin.meta: flush_handlers