On Fri, Mar 15, 2019 at 10:41:55AM -0400, brian mullan wrote:
> I am encountering a strange problem with Nested LXD on AWS EC2 Ubuntu 18.04
> instances...
>
> snap 2.37.4
> snapd 2.37.4
> series 16
> ubuntu 18.04
> kernel 4.15.0-46-generic
> LXD 3.11
>
> In my AWS 18.04 host I install SNAP LXD and create an Ubuntu 18.04
> container; let's call it "parent".
>
> I enable Nesting for "parent".
>
> I enter "parent" and apt-get update, apt-get upgrade ... no problem.
>
> In "parent" I also install SNAP LXD and create an Ubuntu 18.04 container;
> let's call it "child".
>
> I enter "child" and when I try to "apt-get update, apt-get upgrade" ... I
> see the very same packages to be upgraded as I did when I upgraded "parent"
> ... however in "child" I get errors related to apport, udev ??
>
> I also see failure messages related to systemd-networkd.service access
> denied etc. (see below)
>
> Note: I tried this on a local KVM Ubuntu 18.04 VM
>
> These are some of the packages that would be updated/upgraded in BOTH the
> "parent" and "child" Ubuntu 18.04 container on an AWS EC2 Ubuntu Bionic
> instance:
>
> The following package was automatically installed and is no longer required:
>   libfreetype6
> Use 'apt autoremove' to remove it.
> The following packages will be upgraded:
>   apport libnss-systemd libpam-modules libpam-modules-bin libpam-runtime
>   libpam-systemd libpam0g libseccomp2 libsystemd0 libudev1
>   libxcb1 python3-apport python3-problem-report snapd systemd systemd-sysv
>   udev
> 17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> Need to get 19.9 MB of archives.
> After this operation, 49.2 kB of additional disk space will be used.
> Do you want to continue? [Y/n]
>
> Here are some of the errors that result...
>
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../libpam-runtime_1.1.8-3.6ubuntu2.18.04.1_all.deb ...
> Unpacking libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) over (1.1.8-3.6ubuntu2)
> ...
> Setting up libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) ...
> Setting up systemd (237-3ubuntu10.15) ...
> Failed to try-restart systemd-networkd.service: Access denied
> See system logs and 'systemctl status systemd-networkd.service' for details.
> Failed to try-restart systemd-resolved.service: Access denied
> See system logs and 'systemctl status systemd-resolved.service' for details.
> Failed to try-restart systemd-timesyncd.service: Access denied
> See system logs and 'systemctl status systemd-timesyncd.service' for details.
> Failed to try-restart systemd-journald.service: Access denied
> See system logs and 'systemctl status systemd-journald.service' for details.
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../systemd-sysv_237-3ubuntu10.15_amd64.deb ...
> Unpacking systemd-sysv (237-3ubuntu10.15) over (237-3ubuntu10.13) ...
> Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...
> Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
> Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../libxcb1_1.13-2~ubuntu18.04_amd64.deb ...
> Unpacking libxcb1:amd64 (1.13-2~ubuntu18.04) over (1.13-1) ...
> Preparing to unpack .../python3-problem-report_2.20.9-0ubuntu7.6_all.deb ...
> Unpacking python3-problem-report (2.20.9-0ubuntu7.6) over (2.20.9-0ubuntu7.5) ...
> Preparing to unpack .../python3-apport_2.20.9-0ubuntu7.6_all.deb ...
> Unpacking python3-apport (2.20.9-0ubuntu7.6) over (2.20.9-0ubuntu7.5) ...
> Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...
> Failed to retrieve unit state: Access denied
> invoke-rc.d: could not determine current runlevel
> Failed to reload daemon: Access denied
>
> So I interrupted the script that was doing the above attempt at
> apt update && apt upgrade -y, opened a terminal and then tried this:
>
> lxc exec test bash
> apt update && apt upgrade
>
> But of course, because I'd interrupted the above apt upgrade, I had to do
> dpkg --configure -a
>
> dpkg --configure -a
> Setting up libnss-systemd:amd64 (237-3ubuntu10.15) ...
> Processing triggers for ureadahead (0.100.0-20) ...
> Setting up systemd-sysv (237-3ubuntu10.15) ...
> Setting up python3-problem-report (2.20.9-0ubuntu7.6) ...
> Processing triggers for libc-bin (2.27-3ubuntu1) ...
> Setting up udev (237-3ubuntu10.15) ...
> Failed to reload daemon: Access denied
> dpkg: error processing package udev (--configure):
>  installed udev package post-installation script subprocess was interrupted
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> Processing triggers for dbus (1.12.2-1ubuntu1) ...
> Failed to open connection to "system" message bus: Failed to query
> AppArmor policy: Permission denied
> Setting up libxcb1:amd64 (1.13-2~ubuntu18.04) ...
> Setting up libpam-systemd:amd64 (237-3ubuntu10.15) ...
> Setting up python3-apport (2.20.9-0ubuntu7.6) ...
> dpkg: error processing package apport (--configure):
>  package is in a very bad inconsistent state; you should
>  reinstall it before attempting configuration
> Processing triggers for libc-bin (2.27-3ubuntu1) ...
> Errors were encountered while processing:
>  udev
>  apport
>
> I went back and tried to reinstall apport...
>
> # apt install --reinstall apport
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following package was automatically installed and is no longer required:
>   libfreetype6
> Use 'apt autoremove' to remove it.
> Suggested packages:
>   apport-gtk | apport-kde
> The following packages will be upgraded:
>   apport
> 1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
> 2 not fully installed or removed.
> Need to get 0 B/124 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...
> Failed to retrieve unit state: Access denied
> invoke-rc.d: could not determine current runlevel
> Failed to reload daemon: Access denied
>
> ======================================
>
> Does anyone have any idea what might be causing this?
> Again, this is happening on AWS and on a local KVM Ubuntu VM.
Sounds like AppArmor messing with things in this case.

Does enabling nesting for your nested container help somehow (the generated rules will change a bit as a result of that)?

I'm pretty sure that if you look at `dmesg` you'll see some denials related to those package updates.

I suspect the main difference between the two containers, other than the nested flag, is that the parent container has its own apparmor namespace whereas the child has to run under a single apparmor profile, as apparmor namespaces do not currently nest.

> Thanks for any ideas or suggestions.
>
> Brian
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
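The check Stéphane suggests above is to read `dmesg` for AppArmor denials hitting the child container's profile. The script below is an added example for this thread, not code from the original post or from LXD: it pulls `apparmor="DENIED"` audit lines out of kernel log text, extracts the profile, operation and target path from each, and counts denials per profile/operation pair, with denied `mount` operations called out separately since those are what systemd's service restarts trip over. All of the sample lines in `SAMPLE`, including the `lxd-child_...` profile name and the paths, are constructed for illustration and are not real output from Brian's containers. To try the other suggestion (nesting on the child), run on the parent `lxc config set child security.nesting true` followed by `lxc restart child`, then re-run the upgrade and compare the denial counts.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from LXD.
# Summarise AppArmor denials from dmesg output, the check suggested for the
# nested "child" container. Everything in SAMPLE is constructed; the profile
# name, pids and paths are assumptions for illustration, not captured output.

SAMPLE='[12345.678901] audit: type=1400 audit(1552660000.123:45): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-child_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=1234 comm="(networkd)" flags="rw, nosuid, nodev"
[12345.678902] audit: type=1400 audit(1552660000.124:46): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-child_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=1235 comm="(resolved)" flags="rw, nosuid, nodev, noexec"
[12345.678903] audit: type=1400 audit(1552660000.125:47): apparmor="DENIED" operation="file_perm" profile="lxd-child_</var/snap/lxd/common/lxd>" name="/sys/fs/cgroup/" pid=1240 comm="dbus-daemon" requested_mask="r" denied_mask="r"
[12345.678904] audit: type=1400 audit(1552660000.126:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-parent_</var/snap/lxd/common/lxd>" pid=900 comm="apparmor_parser"'

# field LINE KEY: print the value of KEY="..." from one audit line.
# The [ (] anchor before KEY stops name= from also matching srcname=.
field() {
  printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# denials INPUT: one "profile<TAB>operation<TAB>name" row per DENIED line.
# STATUS lines (profile loads) are ignored; only actual denials matter here.
denials() {
  printf '%s\n' "$1" | grep 'apparmor="DENIED"' | while IFS= read -r line; do
    printf '%s\t%s\t%s\n' \
      "$(field "$line" profile)" "$(field "$line" operation)" "$(field "$line" name)"
  done
}

# summarize INPUT: denial count per profile/operation pair, most frequent first.
summarize() {
  denials "$1" | cut -f1,2 | sort | uniq -c | sort -rn
}

# Total number of denials in the input.
count_denials() {
  denials "$1" | wc -l | tr -d ' '
}

# Denied mounts are the usual signature when systemd inside the child cannot
# set up the private mount namespaces for the services apt tries to restart.
count_mount_denials() {
  denials "$1" | awk -F'\t' '$2 == "mount"' | wc -l | tr -d ' '
}

# Run against the constructed sample by default, or against the live kernel
# log with --live (dmesg may need root, depending on kernel.dmesg_restrict).
if [ "${1:-}" = "--live" ]; then
  summarize "$(dmesg 2>/dev/null)"
else
  summarize "$SAMPLE"
fi
```

Run it inside the child right after a failing `apt upgrade`, or on the host with `--live` (the host sees denials for all containers, so the profile column tells you which container generated them). A count that drops to zero after enabling `security.nesting` on the child confirms the generated AppArmor rules were the cause; if it stays non-zero, the remaining rows name the exact operation and path to look at.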
