Bug#1033917: [pkg-lxc-devel] Bug#1033917: lxc: apparmor profile no longer allows unprivileged guest systemd-logind to start (since bookworm)

2023-04-04 Thread Forest
>What's weird is that the problem was already happening in buster and
>bullseye.

That doesn't seem to be true, AFAICT.  Bullseye (both my usual Bullseye
guest and a freshly installed one) does not exhibit the 25 second hang.  A
freshly installed Buster guest doesn't, either.  Not even with the default
config instead of nesting.conf.

To be precise:  Although Bullseye and Buster do generate apparmor mount
errors in the host's syslog, the 25 second hang is new with Bookworm guests.
Maybe multiple problems are in play here?

>I guess it is plausible that /etc/lxc/default.conf has been updated in
>your upgrade, resetting the lxc-apparmor-profile to something that won't
>work for unprivileged containers.

Nope. I haven't upgraded the Bullseye host machine on which I discovered the
hang, and it occurs on both that host and a newly installed Bookworm host.
Also, I checked default.conf on both hosts just now, and it matches the one
in lxc_5.0.2-1_amd64.deb.

>The missing lines in apparmor rules have been added in
>lxc-default-with-nesting rules of apparmor for lxc 5.

My fresh Bookworm VM has lxc 5, and those four additional lines are present
in /etc/apparmor.d/lxc/lxc-default-with-nesting.  The contents of
/usr/share/lxc/config/nesting.conf are also identical.  Even when including
it in my container config, the 25 second hang persists.

>the solution lies either within LXD
>(which generates custom profiles for each containers), or with creating
>a dedicated apparmor profile that you use only on unprivileged
>containers.

I tried LXD as a workaround.  Turns out it is not a suitable replacement in
my case.

I would be happy to try a modified apparmor profile.  Ideally even get it
added into Bookworm's lxc package, or accepted upstream, so Bookworm doesn't
arrive in this broken state for lxc users.

I tried modifying the apparmor profile based on the host's syslog messages.
Despite using exactly the same mount options that appeared in the logs, the
errors and the 25 second hang persisted.  (And I did remember to reload the
profile with apparmor_parser -r.)  I wonder if the info="failed flags match"
in those syslog messages is supposed to hint that something more is needed.

It seems like we're missing some information here.
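Forest's message above works from the host's syslog denials by hand. The Python below is an added example (not code from the bug report, from Debian or from the lxc package): it parses both shapes of AppArmor mount-denial line that appear in the host journal quoted in the original report (the userspace `audit[pid]: AVC ...` copy and the `kernel: audit: type=1400 ...` copy), collapses the two copies of each denial by pid, and summarises what was refused per profile and comm. The `info` field is set by the kernel's mount mediation and names the part of the rule comparison that failed; `failed flags match` means a rule matched the mountpoint but no rule's option set covered the requested flags. The sample input is constructed: two denials copied from the report, plus one `ALLOWED` line and one denial from a different profile that are invented to show filtering and grouping.

```python
"""Summarise AppArmor mount denials from a host journal (added example, not from the bug report)."""
import re
from collections import Counter

# Constructed sample. The two DENIED pairs (pids 6365 and 6369) are copied from the host journal
# in the bug report; the ALLOWED line (pid 6373) and the lxc-container-default denial (pid 6400)
# are invented to exercise filtering and grouping.
SAMPLE_LOG = """\
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="ALLOWED" operation="mount" profile="lxc-container-default-cgns" name="/proc/" pid=6373 comm="(d-logind)" flags="rw, nosuid, nodev, noexec"
Apr 02 18:30:17 debtesting audit[6400]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/sys/" pid=6400 comm="mount" flags="ro, nosuid"
"""

# Everything from apparmor="..." onwards is a sequence of key=value pairs in both line shapes.
AVC_RE = re.compile(r'apparmor="(?P<decision>[A-Z]+)"(?P<rest>.*)')
# Quoted values may contain spaces and commas (flags="rw, rslave"); bare values run to whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the AppArmor audit fields of one journal line, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {"apparmor": m.group("decision")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    if "flags" in fields:
        # "rw, rslave" -> ("rslave", "rw"): order-independent so equivalent requests group together
        fields["flags"] = tuple(sorted(f.strip() for f in fields["flags"].split(",")))
    for int_key in ("pid", "error"):
        if int_key in fields:
            fields[int_key] = int(fields[int_key])
    return fields


def mount_denials(log_text):
    """Count distinct denied mount requests, keyed by (profile, comm, mountpoint, flags, info).

    Each denial is logged twice (the audit[pid] AVC copy and the kernel printk copy), so the
    pair is collapsed by pid before counting.
    """
    seen = set()
    by_request = Counter()
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev or ev["apparmor"] != "DENIED" or ev.get("operation") != "mount":
            continue
        ident = (ev.get("pid"), ev.get("profile"), ev.get("name"), ev.get("flags"))
        if ident in seen:
            continue
        seen.add(ident)
        by_request[(ev.get("profile"), ev.get("comm"), ev.get("name"),
                    ev.get("flags"), ev.get("info"))] += 1
    return by_request


def report(by_request):
    """Render the summary as one line per distinct denied request, most frequent first."""
    lines = []
    for (profile, comm, name, flags, info), n in sorted(by_request.items(), key=lambda kv: -kv[1]):
        lines.append(f"{n}x {profile}: {comm} mount -> {name} options=({','.join(flags)}) [{info}]")
    return lines


if __name__ == "__main__":
    for line in report(mount_denials(SAMPLE_LOG)):
        print(line)
```

Feed it the host journal (for example `journalctl -k -o short | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the output is one line per distinct (profile, comm, mountpoint, options) tuple, which is the set of facts a profile change has to account for; the `info` value tells you whether the mountpoint, source, type or options part of the comparison is what fails.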



Bug#1033917: [pkg-lxc-devel] Bug#1033917: lxc: apparmor profile no longer allows unprivileged guest systemd-logind to start (since bookworm)

2023-04-04 Thread Pierre-Elliott Bécue

Forest  wrote on 03/04/2023 at 23:18:10+0200:

> Package: lxc
> Version: 1:5.0.2-1
> Severity: normal
> X-Debbugs-Cc: fores...@sonic.net
>
> Dear Maintainer,
>
> After upgrading an unprivileged container from bullseye to bookworm, LXC's
> AppArmor profiles are no longer sufficient for the guest's systemd-logind.
>
> This manifests as a 25 second hang when running certain commands (notably
> sudo -i and su -) in the container. It also produces a lot of errors in the
> host & guest logs.
>
> Before the upgrade to bookworm, the hangs did not occur, and systemd-logind
> started without trouble.
>
>
> -- Host journal:
>
> Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
> Apr 02 18:30:01 debtesting CRON[6362]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
> Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session closed for user root
> Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.450:326): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6377]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.522:327): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6381]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.534:328): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
>
>
> -- Guest journal:
>
> Apr 02 18:30:16 lxbox sudo[136]: root : TTY=pts/7 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
> Apr 02 18:30:16 lxbox sudo[136]: pam_limits(sudo-i:session): Could not set limit for 'core' to soft=0, hard=-1: Operation not permitted; uid=0,euid=0
> Apr 02 18:30:16 lxbox sudo[136]: pam_unix(sudo-i:session): session opened for user root(uid=0) by (uid=0)
> Apr 02 18:30:16 lxbox dbus-daemon[97]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' requested by ':1.2' (uid=0 pid=136 comm="sudo -i")
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[137]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox 

Bug#1033917: lxc: apparmor profile no longer allows unprivileged guest systemd-logind to start (since bookworm)

2023-04-03 Thread Forest
Package: lxc
Version: 1:5.0.2-1
Severity: normal
X-Debbugs-Cc: fores...@sonic.net

Dear Maintainer,

After upgrading an unprivileged container from bullseye to bookworm, LXC's
AppArmor profiles are no longer sufficient for the guest's systemd-logind.

This manifests as a 25 second hang when running certain commands (notably
sudo -i and su -) in the container. It also produces a lot of errors in the
host & guest logs.

Before the upgrade to bookworm, the hangs did not occur, and systemd-logind
started without trouble.


-- Host journal:

Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:01 debtesting CRON[6362]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session closed for user root
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.450:326): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6377]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.522:327): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6381]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.534:328): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"


-- Guest journal:

Apr 02 18:30:16 lxbox sudo[136]: root : TTY=pts/7 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 02 18:30:16 lxbox sudo[136]: pam_limits(sudo-i:session): Could not set limit for 'core' to soft=0, hard=-1: Operation not permitted; uid=0,euid=0
Apr 02 18:30:16 lxbox sudo[136]: pam_unix(sudo-i:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:16 lxbox dbus-daemon[97]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' requested by ':1.2' (uid=0 pid=136 comm="sudo -i")
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[137]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled