Package: lxd
Version: 5.0.2-5
Followup-For: Bug #1038315

I'm unsure if current breakage is due to apparmor itself (the bug reported
there was apparently fixed a while ago), lxd's apparmor profile, or
somewhere else (as satisfying as blaming systemd would be...). See linked
bugs listed below.

Is it possible that the AppArmor socket mediation patches have not made it
into upstream and/or Debian kernels? :thinking_face: If so, then this bug
needs to be reassigned to the kernel.

I'm writing here because this also breaks the plocate-updatedb service
inside LXD containers.

I don't think it's a bug with network namespacing inside containers, as

    unshare -u ifconfig

works fine, for example.

In the container:

    root@pat:~# systemctl status plocate-updatedb.service
    × plocate-updatedb.service - Update the plocate database
         Loaded: loaded (/lib/systemd/system/plocate-updatedb.service; static)
        Drop-In: /run/systemd/system/service.d
                 └─zzz-lxc-service.conf
         Active: failed (Result: exit-code) since Fri 2023-06-23 09:53:56 AWST; 5h 31min ago
    TriggeredBy: ● plocate-updatedb.timer
        Process: 33437 ExecStart=/usr/sbin/updatedb.plocate (code=exited, status=225/NETWORK)
       Main PID: 33437 (code=exited, status=225/NETWORK)
            CPU: 584us

    Jun 23 09:53:56 pat systemd[1]: Starting plocate-updatedb.service - Update the plocate database...
    Jun 23 09:53:56 pat systemd[1]: plocate-updatedb.service: Main process exited, code=exited, status=225/NETWORK
    Jun 23 09:53:56 pat systemd[1]: plocate-updatedb.service: Failed with result 'exit-code'.
    Jun 23 09:53:56 pat systemd[1]: Failed to start plocate-updatedb.service - Update the plocate database.

On the host after attempting to start the service inside the guest:

    2023-06-23T09:53:56.040427+08:00 grook kernel: [772843.931461] audit: type=1400 audit(1687485236.036:118): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" sock_type=ram" protocol=0 requested_mask="send"
    2023-06-23T09:53:56.040437+08:00 grook kernel: [772843.931469] audit: type=1400 audit(1687485236.036:119): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" sock_type=ram" protocol=0 requested_mask="send"

Host information (both host and guest are running bookworm BTW):

    Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages lxd depends on:
    ii  adduser              3.134
    ii  attr                 1:2.5.1-4
    ii  ca-certificates      20230311
    ii  init-system-helpers  1.65.2
    ii  libacl1              2.3.1-3
    ii  libc6                2.36-9
    ii  libcap2              1:2.66-4
    ii  libdqlite0           1.11.1-1
    ii  libgcc-s1            12.2.0-14
    ii  liblxc-common        1:5.0.2-1
    ii  liblxc1              1:5.0.2-1
    ii  libsqlite3-0         3.40.1-2
    ii  libudev1             252.6-1
    ii  lxcfs                5.0.3-1
    ii  lxd-client           5.0.2-5
    ii  rsync                3.2.7-1
    ii  squashfs-tools       1:4.5.1-1
    ii  uidmap               1:4.13+dfsg1-1+b1
    ii  xz-utils             5.4.1-0.2

    Versions of packages lxd recommends:
    ii  apparmor                     3.0.8-3
    ii  dnsmasq-base [dnsmasq-base]  2.89-1
    ii  lxd-agent                    5.0.2-5

    Versions of packages lxd suggests:
    pn  btrfs-progs     <none>
    pn  ceph-common     <none>
    ii  gdisk           1.0.9-2.1
    ii  lvm2            2.03.16-2
    ii  lxd-tools       5.0.2-5
    ii  zfsutils-linux  2.1.11-1

The container itself does not have apparmor installed.

systemd-hostnamed.service is probably also affected, but in my case I paved
over the issue by setting PrivateNetwork=no in an override.

Related:
 - https://bugs.launchpad.net/bugs/1575779 and https://bugs.launchpad.net/bugs/1780227
 - https://bugs.launchpad.net/bugs/1635382
 - https://github.com/lxc/lxc/issues/820 and https://github.com/lxd/lxd/issues/1603

-MD
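Added triage example (not part of the report above, and not lxd's or AppArmor's own tooling): a small parser for host-side AppArmor audit lines like the ones quoted in the report, which tolerates the dangling quote in `sock_type=ram"` and counts DENIED events per profile/operation so a host admin can spot which container profile is blocking which socket operation. The third sample line is constructed to show that non-DENIED events are filtered out.

```python
import re
from collections import Counter

# The first two lines are the denials quoted in the report above; the third is a
# constructed ALLOWED event (complain mode) to show that it is not counted.
SAMPLE_LOG = """\
2023-06-23T09:53:56.040427+08:00 grook kernel: [772843.931461] audit: type=1400 audit(1687485236.036:118): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" sock_type=ram" protocol=0 requested_mask="send"
2023-06-23T09:53:56.040437+08:00 grook kernel: [772843.931469] audit: type=1400 audit(1687485236.036:119): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" sock_type=ram" protocol=0 requested_mask="send"
2023-06-23T09:53:57.000000+08:00 grook kernel: [772844.000000] audit: type=1400 audit(1687485237.000:120): apparmor="ALLOWED" operation="open" profile="lxd-pat_</var/lib/lxd>" name="/etc/hosts" pid=3334601 comm="cat" requested_mask="r"
"""

# key="value" or key=value; an optional trailing quote absorbs a dangling one
# such as the sock_type=ram" seen in the report instead of derailing the parse.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]*)"?)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None.

    Only type=1400 (AUDIT_AVC, the record type AppArmor logs) lines are parsed.
    Keys whose unquoted value carried a dangling quote are listed under
    '_malformed' so the reader knows that value may be truncated.
    """
    if "audit: type=1400" not in line:
        return None
    fields, malformed = {}, []
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        else:
            fields[key] = bare
            if m.group(0).endswith('"'):
                malformed.append(key)
    fields["_malformed"] = malformed
    return fields


def denied_summary(log_text):
    """Count DENIED events per (profile, operation, family, requested_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") == "DENIED":
            counts[(rec.get("profile"), rec.get("operation"),
                    rec.get("family"), rec.get("requested_mask"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in denied_summary(SAMPLE_LOG).items():
        print(n, "x", key)
```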