Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13
Dear LXC maintainers,

johnw:
> I think it's not bug.
> Because I removed systemd, either if I reinstall systemd, or I add
> some mount rules to apparmor, then the denied messages gone.

Given my own test results and John's feedback, I suggest closing this bug.

Cheers,
-- 
intrigeri
Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13
Hi, sorry for the late reply.

I think it's not a bug. It is because I removed systemd: if I either
reinstall systemd or add some mount rules to apparmor, then the denied
messages are gone.

Thank you for the help, thanks.

On 2018-10-26 17:55:02 [GMT+08:00], intrigeri wrote:
> Control: tag -1 - upstream
> Control: tag -1 + moreinfo
>
> Hi,
>
> kaka:
>> Over the year, if I enable apparmor for lxc (lxc.aa_profile =
>> lxc-container-default),
>
> First, I don't think you need to turn this on manually and I doubt
> this is the best AppArmor profile to use. According to
> lxc.container.conf(5):
>
>    APPARMOR PROFILE
>        If lxc was compiled and installed with apparmor support, and the host
>        system has apparmor enabled, then the apparmor profile under which the
>        container should be run can be specified in the container configuration.
>        The default is lxc-container-default-cgns if the host kernel is cgroup
>        namespace aware, or lxc-container-default otherwise.
>
> So not setting lxc.aa_profile at all should automatically select the
> lxc-container-default-cgns profile. Not that it would make
> a difference for this bug though.
>
>> I see a lot of "apparmor denied" messages like below,
>> But LXC itself can run and function without a problem,
>> Why does apparmor always complain about lxc? (Is this normal?)
>
>> apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore"
>> apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore" flags="ro"
>> apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=2763 comm="mount" flags="rw, remount"
>
> On current sid:
>
>  - I cannot reproduce this with the lxc-debian template, which is
>    expected since it has no lxc.mount.entry for /sys/fs/pstore
>
>  - I cannot reproduce this with the lxc-ubuntu template (which _has_
>    a lxc.mount.entry for /sys/fs/pstore) either:
>
>    # lxc-create -n ubuntu -t /usr/share/lxc/templates/lxc-ubuntu
>    […]
>    # lxc-start -F -n ubuntu
>    […]
>    Ubuntu 16.04.5 LTS ubuntu console
>
>    ubuntu login: ubuntu
>    Password:
>    […]
>    ubuntu@ubuntu:~$ mount | grep pstore
>    pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
>
>    And there's no single AppArmor denial in the host system's logs.
>    aa-status confirms that this container is running under the
>    lxc-container-default-cgns profile.
>
> So, can you still reproduce this on current testing/sid?
> If yes, can you please share a simple reproducer similar to the one
> I've tried to provide above?
>
> Cheers,
> --
> intrigeri

-- 
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13
Control: tag -1 - upstream
Control: tag -1 + moreinfo

Hi,

kaka:
> Over the year, if I enable apparmor for lxc (lxc.aa_profile =
> lxc-container-default),

First, I don't think you need to turn this on manually and I doubt
this is the best AppArmor profile to use. According to
lxc.container.conf(5):

   APPARMOR PROFILE
       If lxc was compiled and installed with apparmor support, and the host
       system has apparmor enabled, then the apparmor profile under which the
       container should be run can be specified in the container configuration.
       The default is lxc-container-default-cgns if the host kernel is cgroup
       namespace aware, or lxc-container-default otherwise.

So not setting lxc.aa_profile at all should automatically select the
lxc-container-default-cgns profile. Not that it would make
a difference for this bug though.

> I see a lot of "apparmor denied" messages like below,
> But LXC itself can run and function without a problem,
> Why does apparmor always complain about lxc? (Is this normal?)

> apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore"
> apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore" flags="ro"
> apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=2763 comm="mount" flags="rw, remount"

On current sid:

 - I cannot reproduce this with the lxc-debian template, which is
   expected since it has no lxc.mount.entry for /sys/fs/pstore

 - I cannot reproduce this with the lxc-ubuntu template (which _has_
   a lxc.mount.entry for /sys/fs/pstore) either:

   # lxc-create -n ubuntu -t /usr/share/lxc/templates/lxc-ubuntu
   […]
   # lxc-start -F -n ubuntu
   […]
   Ubuntu 16.04.5 LTS ubuntu console

   ubuntu login: ubuntu
   Password:
   […]
   ubuntu@ubuntu:~$ mount | grep pstore
   pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)

   And there's no single AppArmor denial in the host system's logs.
   aa-status confirms that this container is running under the
   lxc-container-default-cgns profile.

So, can you still reproduce this on current testing/sid?
If yes, can you please share a simple reproducer similar to the one
I've tried to provide above?

Cheers,
-- 
intrigeri
Bug#898025: [pkg-apparmor] Fwd: Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13
Control: tag -1 + upstream

Hi,

johnw:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898025
> Over the year, if I enable apparmor for lxc (lxc.aa_profile =
> lxc-container-default),
> I see a lot of "apparmor denied" messages like below,
> But LXC itself can run and function without a problem,
> Why does apparmor always complain about lxc? (Is this normal?)

First of all, disclaimer: I know extremely little about LXC and the
way it uses AppArmor confinement.

> apparmor="DENIED" operation="mount" info="failed type match"
> error=-13 profile="lxc-container-default" name="/sys/fs/pstore/"
> pid=2676 comm="mount" fstype="pstore" srcname="pstore"

FWIW I've looked at recent Ubuntu packages (2.0.8-0ubuntu1~16.04.1 and
3.0.1-0ubuntu1) and none of them have AppArmor rules for /sys/fs/pstore.
It looks like an upstream bug to me because both Ubuntu and Debian have:

config/templates/ubuntu.common.conf.in:lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0

… so it seems expected that the container will mount /sys/fs/pstore
and then a rule is missing.

> apparmor="DENIED" operation="mount" info="failed flags match"
> error=-13 profile="lxc-container-default" name="/" pid=2763
> comm="mount" flags="rw, remount"

I guess the "remount" flag is the problem. I guess it depends on what
LXC template you're using.

Cheers,
-- 
intrigeri
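The two kinds of denial picked apart in the message above line up with the two conditions an AppArmor mount rule can carry: info="failed type match" on the pstore mount means no rule with a matching fstype= covers that mountpoint, and info="failed flags match" on the remount of / means the options= part (here "rw, remount") is what did not match. The script below is an added example, not code from the bug report, from the lxc package or from the AppArmor project: it parses the three audit lines quoted in this thread (embedded as constructed sample input), names the condition that failed, and emits the narrowest candidate mount rule for each denial, written in the AppArmor mount-rule grammar (mount [fstype=F] [options=(O, ...)] -> MOUNTPOINT,). All function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the three denials quoted in the bug report, exactly
# as the host kernel logs them (one AppArmor audit event per line).
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="mount" info="failed type match" error=-13 '
    'profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 '
    'comm="mount" fstype="pstore" srcname="pstore"',
    'apparmor="DENIED" operation="mount" info="failed type match" error=-13 '
    'profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 '
    'comm="mount" fstype="pstore" srcname="pstore" flags="ro"',
    'apparmor="DENIED" operation="mount" info="failed flags match" error=-13 '
    'profile="lxc-container-default" name="/" pid=2763 comm="mount" '
    'flags="rw, remount"',
]

# key=value pairs: the value is either double-quoted (and may then contain
# spaces and commas, e.g. flags="rw, remount") or bare (pid=2676, error=-13).
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def failed_condition(fields: Dict[str, str]) -> str:
    """Name the mount-rule condition the kernel reports as not matching:
    "failed type match" is the fstype= condition, "failed flags match"
    is the options= condition."""
    info = fields.get("info", "")
    if "type match" in info:
        return "fstype"
    if "flags match" in info:
        return "options"
    return "unknown"


def suggest_mount_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return the narrowest AppArmor mount rule that would allow exactly this
    mount, or None for anything that is not a mount denial.

    Rule form used: mount [fstype=F] [options=(O, ...)] -> MOUNTPOINT,
    The source (srcname=) is left out on purpose: for pseudo-filesystems it is
    an arbitrary label, and fstype= plus the mountpoint already pin the mount
    down (assumption of this example, not something the report states).
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return None
    parts = ["mount"]
    if "fstype" in fields:
        parts.append(f"fstype={fields['fstype']}")
    if "flags" in fields:
        # The kernel prints "rw, remount"; the rule form is options=(rw, remount).
        opts = ", ".join(o.strip() for o in fields["flags"].split(","))
        parts.append(f"options=({opts})")
    if "name" in fields:
        parts.append(f"-> {fields['name']}")
    return " ".join(parts) + ","


def suggest_rules(lines: List[str]) -> List[str]:
    """One candidate rule per distinct mount denial, in log order."""
    seen, rules = set(), []
    for line in lines:
        rule = suggest_mount_rule(parse_denial(line))
        if rule is not None and rule not in seen:
            seen.add(rule)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        f = parse_denial(line)
        print(f"{f['profile']}: {failed_condition(f)} condition failed for "
              f"{f['name']} -> {suggest_mount_rule(f)}")
```

Each emitted rule is a candidate to review, not something to paste blindly: a mount rule widens what root inside the container may mount, so keep the fstype= and mountpoint restrictions rather than a bare `mount,`. The quoted log also shows mount(8) retrying the pstore mount with ro after the first attempt is denied, so permitting only the options=(ro) variant is enough for pstore to come up read-only, at the cost of the first, read-write attempt still being logged. Whether a remount of / with "rw, remount" should be allowed at all depends on what inside the container is doing it; the thread's later finding that the messages went away once systemd was reinstalled is the only data point this page gives on that.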
Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13
-- Configuration Files:
/etc/apparmor.d/abstractions/lxc/container-base [Errno 13] Permission denied: '/etc/apparmor.d/abstractions/lxc/container-base'
/etc/apparmor.d/abstractions/lxc/start-container [Errno 13] Permission denied: '/etc/apparmor.d/abstractions/lxc/start-container'
/etc/apparmor.d/lxc-containers [Errno 13] Permission denied: '/etc/apparmor.d/lxc-containers'
/etc/apparmor.d/lxc/lxc-default [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default'
/etc/apparmor.d/lxc/lxc-default-cgns [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default-cgns'
/etc/apparmor.d/lxc/lxc-default-with-mounting [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default-with-mounting'
/etc/apparmor.d/lxc/lxc-default-with-nesting [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default-with-nesting'
/etc/apparmor.d/usr.bin.lxc-start [Errno 13] Permission denied: '/etc/apparmor.d/usr.bin.lxc-start'

-- no debconf information

Attached apparmor.d rules (default from lxc.deb, without modification) and lxc config here.

-- 
Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC

Attachment: lxc-apparmor.tar (Unix tar archive)
Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13
Package: lxc
Version: 1:2.0.9-6
Severity: normal

Dear Maintainer,

Over the year, if I enable apparmor for lxc (lxc.aa_profile = lxc-container-default),
I see a lot of "apparmor denied" messages like below,
But LXC itself can run and function without a problem,
Why does apparmor always complain about lxc? (Is this normal?)

apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore"
apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 comm="mount" fstype="pstore" srcname="pstore" flags="ro"
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=2763 comm="mount" flags="rw, remount"

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  libapparmor1  2.12-4
ii  libc6         2.27-3
ii  libcap2       1:2.25-1.2
ii  libgnutls30   3.5.18-1
ii  liblxc1       1:2.0.9-6
ii  libseccomp2   2.3.3-1
ii  libselinux1   2.7-2+b2
ii  lsb-base      9.20170808
ii  python3       3.6.5-3
ii  python3-lxc   1:2.0.9-6

Versions of packages lxc recommends:
ii  bridge-utils  1.5-16
pn  debootstrap
ii  dirmngr       2.2.5-1
pn  dnsmasq-base
ii  gnupg         2.2.5-1
ii  iptables      1.6.2-1
pn  libpam-cgfs
pn  lxcfs
ii  openssl       1.1.0h-2
ii  rsync         3.1.2-2.1
pn  uidmap

Versions of packages lxc suggests:
ii  apparmor     2.12-4
ii  btrfs-progs  4.15.1-2
pn  lvm2

-- Configuration Files:
/etc/apparmor.d/abstractions/lxc/container-base [Errno 13] Permission denied: '/etc/apparmor.d/abstractions/lxc/container-base'
/etc/apparmor.d/abstractions/lxc/start-container [Errno 13] Permission denied: '/etc/apparmor.d/abstractions/lxc/start-container'
/etc/apparmor.d/lxc-containers [Errno 13] Permission denied: '/etc/apparmor.d/lxc-containers'
/etc/apparmor.d/lxc/lxc-default [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default'
/etc/apparmor.d/lxc/lxc-default-cgns [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default-cgns'
/etc/apparmor.d/lxc/lxc-default-with-mounting [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default-with-mounting'
/etc/apparmor.d/lxc/lxc-default-with-nesting [Errno 13] Permission denied: '/etc/apparmor.d/lxc/lxc-default-with-nesting'
/etc/apparmor.d/usr.bin.lxc-start [Errno 13] Permission denied: '/etc/apparmor.d/usr.bin.lxc-start'

-- no debconf information