Ordering was important:

$ modprobe shiftfs
$ sudo snap set lxd shiftfs.enable=true
$ sudo systemctl restart snap.lxd.daemon
Now it is enabled:
$ lxc info | grep shiftfs                                                       
                                      
    shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs
 on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs
 on /snap type shiftfs (rw,relatime,passthrough=3)


And with that I can reproduce the bug:

$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
$ lxc exec d-testapparmor -- apparmor_parser -r /etc/apparmor.d/sbin.dhclient
AppArmor parser error for /etc/apparmor.d/sbin.dhclient in 
/etc/apparmor.d/tunables/home at line 25: Could not process include directory 
'/etc/apparmor.d/tunables/home.d' in 'tunables/home.d'


Installing the host kernel from proposed.
=> 5.0.0.14.15

ubuntu@disco-test-aa-stack:~$ sudo apt install linux-generic 
linux-headers-generic linux-image-generic
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic 
linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic 
linux-modules-extra-5.0.0-14-generic
Suggested packages:
  fdutils linux-doc-5.0.0 | linux-source-5.0.0 linux-tools
The following NEW packages will be installed:
  linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic 
linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic 
linux-modules-extra-5.0.0-14-generic
The following packages will be upgraded:
  linux-generic linux-headers-generic linux-image-generic
3 upgraded, 5 newly installed, 0 to remove and 8 not upgraded.
Need to get 67.1 MB of archives.
After this operation, 334 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-modules-5.0.0-14-generic amd64 5.0.0-14.15 [13.7 MB]
6% [1 linux-modules-5.0.0-14-generic 4743 kB/13.7 MB 35%]
Get:2 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-image-5.0.0-14-generic amd64 5.0.0-14.15 [8350 kB]
Get:3 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-modules-extra-5.0.0-14-generic amd64 5.0.0-14.15 [33.2 MB]
Get:4 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-generic 
amd64 5.0.0.14.15 [1860 B]                                                      
                              
Get:5 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-image-generic amd64 5.0.0.14.15 [2484 B]                                  
                                            
Get:6 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-headers-5.0.0-14 all 5.0.0-14.15 [10.7 MB]                                
                                            
Get:7 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-headers-5.0.0-14-generic amd64 5.0.0-14.15 [1170 kB]                      
                                            
Get:8 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 
linux-headers-generic amd64 5.0.0.14.15 [2440 B]                                
                                            
Fetched 67.1 MB in 13s (5048 kB/s)                                              
                                                                                
                             
Selecting previously unselected package linux-modules-5.0.0-14-generic.
(Reading database ... 67632 files and directories currently installed.)
Preparing to unpack .../0-linux-modules-5.0.0-14-generic_5.0.0-14.15_amd64.deb 
...
Unpacking linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-image-5.0.0-14-generic.
Preparing to unpack .../1-linux-image-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-image-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-modules-extra-5.0.0-14-generic.
Preparing to unpack 
.../2-linux-modules-extra-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../3-linux-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Preparing to unpack .../4-linux-image-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-image-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Selecting previously unselected package linux-headers-5.0.0-14.
Preparing to unpack .../5-linux-headers-5.0.0-14_5.0.0-14.15_all.deb ...
Unpacking linux-headers-5.0.0-14 (5.0.0-14.15) ...
Selecting previously unselected package linux-headers-5.0.0-14-generic.
Preparing to unpack .../6-linux-headers-5.0.0-14-generic_5.0.0-14.15_amd64.deb 
...
Unpacking linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../7-linux-headers-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-headers-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Setting up linux-headers-5.0.0-14 (5.0.0-14.15) ...
Setting up linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-headers-generic (5.0.0.14.15) ...
Setting up linux-image-5.0.0-14-generic (5.0.0-14.15) ...
I: /vmlinuz is now a symlink to boot/vmlinuz-5.0.0-14-generic
I: /initrd.img is now a symlink to boot/initrd.img-5.0.0-14-generic
Setting up linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-image-generic (5.0.0.14.15) ...
Setting up linux-generic (5.0.0.14.15) ...
Processing triggers for linux-image-5.0.0-14-generic (5.0.0-14.15) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.0.0-14-generic
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries 
    nor crypto modules. If that's on purpose, you may want to uninstall the 
    'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs 
    integration and avoid this warning.
/etc/kernel/postinst.d/zz-update-grub:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/40-force-partuuid.cfg'
Sourcing file `/etc/default/grub.d/50-cloudimg-settings.cfg'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.0.0-14-generic
Found initrd image: /boot/initrd.img-5.0.0-14-generic
Found linux image: /boot/vmlinuz-5.0.0-13-generic
Found initrd image: /boot/initrd.img-5.0.0-13-generic
done


Install worked fine, now rebooting into it.

$ uname -a
Linux disco-test-aa-stack 5.0.0-14-generic #15-Ubuntu SMP Wed Apr 24 15:39:57 
UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Still using shiftfs
$ lxc info | grep shiftfs
    shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs
 on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs
 on /snap type shiftfs (rw,relatime,passthrough=3)

Profiles now load ok:
$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.

Summarizing - kernel in proposed verified

** Tags removed: verification-needed-disco
** Tags added: verification-done-disco

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824812

Title:
  apparmor does not start in Disco LXD containers

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Fix Released
Status in libvirt package in Ubuntu:
  Invalid
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Disco:
  Fix Committed

Bug description:
  In LXD apparmor now skips starting.

  Steps to reproduce:
  1. start LXD container
    $ lxc launch ubuntu-daily:d d-testapparmor
    (disco to trigger the issue, cosmic as reference)
  2. check the default profiles loaded
    $ aa-status

  => This will in cosmic and up to recently disco list plenty of profiles 
active even in the default install.
  Cosmic:
    25 profiles are loaded.
    25 profiles are in enforce mode.
  Disco:
    15 profiles are loaded.
    15 profiles are in enforce mode.

  All those 15 remaining are from snaps.
  The service of apparmor.service actually states that it refuses to start.

  $ systemctl status apparmor
  ...
  Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor 
in container

  I can get those profiles (the default installed ones) loaded, for example:
    $ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
  makes it appear
    22 profiles are in enforce mode.
     /sbin/dhclient

  I was wondering as in my case I found my guest with no (=0) profiles loaded. 
But as shown above after "apparmor_parser -r" and package install profiles 
seemed fine. Then the puzzle was solved, on package install they
  will call apparmor_parser via the dh_apparmor snippet and it is fine.

  To fully disable all of them:
    $ lxc stop <container>
    $ lxc start <container>
    $ lxc exec d-testapparmor aa-status
  apparmor module is loaded.
  0 profiles are loaded.
  0 profiles are in enforce mode.
  0 profiles are in complain mode.
  0 processes have profiles defined.
  0 processes are in enforce mode.
  0 processes are in complain mode.
  0 processes are unconfined but have a profile defined.

  That would match the service doing an early exit as shown in systemctl
  status output above. The package install or manual load works, but
  none are loaded by the service automatically e.g. on container
  restart.

  --- --- ---

  This bug started as:
  Migrations to Disco trigger "Unable to find security driver for model 
apparmor"

  This most likely is related to my KVM-in-LXD setup but it worked fine
  for years and I'd like to sort out what broke. I have migrated to
  Disco's qemu 3.1 already which makes me doubts generic issues in qemu
  3.1 in general.

  The virt tests that run cross release work fine starting from X/B/C but all 
those chains fail at mirgating to Disco now with:
    $ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live 
kvmguest-bionic-normal
    qemu+ssh://10.21.151.207/system
    error: unsupported configuration: Unable to find security driver for model 
apparmor

  I need to analyze what changed

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1824812/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to