On Thu, 2014-06-19 at 10:48 -0400, Stéphane Graber wrote:
> On Thu, Jun 19, 2014 at 10:35:50AM -0400, Michael H. Warfield wrote:
> > On Thu, 2014-06-19 at 10:19 -0400, Michael H. Warfield wrote:
> > > On Thu, 2014-06-19 at 10:15 -0400, Michael H. Warfield wrote:
> > > > This feels like it's an app armour issue... Posting to the -devel since
> > > > I don't think it's a user level problem.
> > >
> > > > I run an Ubuntu container on a Fedora 20 host and it's "running" fine.
> > > > The container was built on an Ubuntu "host" (really a container creating
> > > > a sub-container) with "lxc-create ... -t ubuntu -- -r sid".
> > >
> > > Oh, correction... That was mislabeled as sid. I double checked the
> > > os-release and I had built "trusty" and this particular one had been
> > > built using the download template, not using a subcontainer after all.
> > > I've got too many development and test containers and I'm starting to
> > > get them mixed up. My apologies.
>
> Oh, I should have read the whole thread before replying to the first e-mail :)
>
> > More points on the curve. When I shut the container down (over an ssh
> > connection) in order to rename it, I saw this error:
> >
> > root@Ubuntu-sid:~# init 0
> > SELinux: Could not open policy file <=
> > /etc/selinux/targeted/policy/policy.29: No such file or directory
> > root@Ubuntu-sid:~# Connection to 2001:4830:3000:8200:207d:8eff:fe6f:3f79
> > closed by remote host.
> > Connection to 2001:4830:3000:8200:207d:8eff:fe6f:3f79 closed.
> >
> > My host is in selinux "permissive" mode
> > and /etc/selinux/targeted/policy/policy.29 does exist in the host.
> > Ubuntu container trying to do something with selinux?
> >
> > After the rename of the container I noticed this when I logged back
> > in...
> >
> > [mhw@canyon ~]$ ssh ubuntu@2001:4830:3000:8200:7c32:63ff:fec2:24b
> > The authenticity of host '2001:4830:3000:8200:7c32:63ff:fec2:24b
> > (2001:4830:3000:8200:7c32:63ff:fec2:24b)' can't be established.
> > ECDSA key fingerprint is c4:ee:a0:56:8d:f7:19:cb:10:b9:14:49:cf:da:46:6b.
> > Are you sure you want to continue connecting (yes/no)? yes
> > Warning: Permanently added '2001:4830:3000:8200:7c32:63ff:fec2:24b' (ECDSA)
> > to the list of known hosts.
> > ubuntu@2001:4830:3000:8200:7c32:63ff:fec2:24b's password:
> > X11 forwarding request failed on channel 0
> > Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.14.5-200.fc20.x86_64 x86_64)
> >
> > * Documentation: https://help.ubuntu.com/
> > Unable to get valid context for ubuntu
> > Last login: Thu Jun 19 14:25:07 2014 from canyon.ip6.wittsend.com
> > ubuntu@Ubuntu-trusty:~$
> >
> > In addition to the fact that the download template didn't create the
> > container with persistent mac addresses (the reason for the ssh
> > authenticity warnings) I got an "Unable to get valid context for ubuntu"
> > error when logging in.
> >
> > I'll probably try putting the host into selinux disabled mode and try
> > again.
> Yeah, that'd be interesting as a test.
> Ubuntu doesn't use SELinux, though a lot of stuff we ship has some kind
> of support for it, so you may well be getting into odd corner cases,
> running Ubuntu on a SELinux enabled machine.

That does appear to be the case. By putting the host into selinux
disabled mode, the login error disappears and the "apt-get install -f"
proceeded properly.

That's a nasty corner case. Permissive mode has a policy loaded into
the kernel but is not enforcing anything. Definitely a skew between
what the host has set up and what the apps in the container think they
should be doing.

Guess that makes it an selinux problem.

Thanks!

Regards,
Mike

> > Regards,
> > Mike
> >
> > > > When I go to run "apt-get update ; apt-get upgrade" I get an error like
> > > > this:
> > > >
> > > > root@Ubuntu-sid:~# apt-get upgrade
> > > > Reading package lists... Done
> > > > Building dependency tree
> > > > Reading state information... Done
> > > > You might want to run 'apt-get -f install' to correct these.
> > > > The following packages have unmet dependencies:
> > > > libasn1-8-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226)
> > > > but it is not installed
> > > > libgssapi3-heimdal : Depends: libroken18-heimdal (>=
> > > > 1.4.0+git20110226) but it is not installed
> > > > libhcrypto4-heimdal : Depends: libroken18-heimdal (>=
> > > > 1.4.0+git20110226) but it is not installed
> > > > libheimntlm0-heimdal : Depends: libroken18-heimdal (>=
> > > > 1.4.0+git20110226) but it is not installed
> > > > libhx509-5-heimdal : Depends: libroken18-heimdal (>=
> > > > 1.4.0+git20110226) but it is not installed
> > > > libkrb5-26-heimdal : Depends: libroken18-heimdal (>= 1.6~git20131117)
> > > > but it is not installed
> > > > libwind0-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226)
> > > > but it is not installed
> > > > E: Unmet dependencies. Try using -f.
> > > >
> > > > Ok... So, I try that...
> > > >
> > > > root@Ubuntu-sid:~# apt-get -f install
> > > > Reading package lists... Done
> > > > Building dependency tree
> > > > Reading state information... Done
> > > > Correcting dependencies... Done
> > > > The following extra packages will be installed:
> > > > libroken18-heimdal
> > > > The following NEW packages will be installed:
> > > > libroken18-heimdal
> > > > 0 upgraded, 1 newly installed, 0 to remove and 22 not upgraded.
> > > > 88 not fully installed or removed.
> > > > Need to get 0 B/40.0 kB of archives.
> > > > After this operation, 162 kB of additional disk space will be used.
> > > > Do you want to continue? [Y/n] y
> > > > dpkg: error processing archive
> > > > /var/cache/apt/archives/libroken18-heimdal_1.6~git20131207+dfsg-1ubuntu1_amd64.deb
> > > > (--unpack):
> > > > cannot get security labeling handle: No such file or directory
> > > > Errors were encountered while processing:
> > > >
> > > > /var/cache/apt/archives/libroken18-heimdal_1.6~git20131207+dfsg-1ubuntu1_amd64.deb
> > > > E: Sub-process /usr/bin/dpkg returned an error code (1)
> > > >
> > > > Ok... Here's where I think it's an app armour thing. That error
> > > > "cannot get security labeling handle: No such file or directory" can not
> > > > be good.
> > > >
> > > > Any ideas what we have broken in here or what should be done about it to
> > > > make it work?
> > > >
> > > > Regards,
> > > > Mike
> > >
> >
> > --
> > Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
> > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > NIC whois: MHW9 | An optimist believes we live in the best of all
> > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel@lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

--
Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
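
Added example (not part of the original message and not LXC code): a shell check, run inside the container, for the skew the thread describes, where the shared kernel reports SELinux but the container's filesystem has no policy. It assumes the usual paths /proc/filesystems, /sys/fs/selinux/enforce (or legacy /selinux/enforce) and /etc/selinux/<type>/policy/policy.<N>; the function names and the ROOT argument are hypothetical, and this is a heuristic, not the test libselinux or dpkg actually perform.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run inside the container.
# The optional ROOT argument (hypothetical) points at a copied tree for testing.

# True when the (shared host) kernel advertises SELinux support.
kernel_has_selinux() {
    grep -qw selinuxfs "$1/proc/filesystems" 2>/dev/null
}

# Prints enforcing, permissive, or unmounted (selinuxfs not visible).
enforce_mode() {
    for f in "$1/sys/fs/selinux/enforce" "$1/selinux/enforce"; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in
                1) echo enforcing ;;
                *) echo permissive ;;
            esac
            return 0
        fi
    done
    echo unmounted
}

# True when a binary policy such as policy.29 exists under ROOT.
policy_present() {
    for p in "$1"/etc/selinux/*/policy/policy.*; do
        [ -f "$p" ] && return 0
    done
    return 1
}

# Prints no-selinux, consistent (<mode>), or skew (<mode>).
selinux_skew() {
    root="${1:-/}"
    root="${root%/}"
    if ! kernel_has_selinux "$root"; then
        echo "no-selinux"
    elif policy_present "$root"; then
        echo "consistent ($(enforce_mode "$root"))"
    else
        echo "skew ($(enforce_mode "$root"))"
    fi
}

selinux_skew "$@"
```

A result of "skew (permissive)" matches the situation in this thread: a host in permissive mode and a container with no /etc/selinux policy of its own.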