** Changed in: lxc (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1684481
Title:
KVM guest execution start apparmor blocks on
Thanks Stephane and Christian!
Since we ...
a) have a workaround by manually adding the entry to the apparmor abstraction
(or dropping serial if that is an option)
b) having an explicit serial in the guest profile is not the default
c) KVM in LXD is more a "nice to have" solution than something
** Changed in: lxc (Ubuntu)
Status: In Progress => Fix Committed
** Changed in: lxc (Ubuntu)
Assignee: (unassigned) => Christian Brauner (cbrauner)
Hi John,
hi Christian,
Sent a branch to lxc that should fix this issue:
https://github.com/lxc/lxc/pull/1519
** Changed in: lxc (Ubuntu)
Status: Triaged => In Progress
Thanks Stéphane,
@Christian, it looks like adding a rule
/dev/pts/ptmx rw,
to the profile is necessary for now.
We're looking at changing lxc to show /dev/ptmx as a real file rather than
symlink. This is however not particularly easy because:
- It can't be a bind-mount from the host (or it will interact with the host's
devpts)
- It can't be a straight mknod (because that's not allowed in unprivileged
Thanks John,
as extra info on the ptmx pathing.
Host:
$ ls -laF /dev/ptmx /dev/pts/ptmx
crw-rw-rw- 1 root root 5, 2 Apr 21 2017 /dev/ptmx
c- 1 root root 5, 2 Apr 12 17:36 /dev/pts/ptmx
Container:
$ lxc exec testkvm-xenial-from -- ls -laF /dev/ptmx /dev/pts/ptmx
lrwxrwxrwx 1 root root
Hey Christian,
thanks for the profiles, I haven't had a chance to dig into them yet,
but after a quick first pass they look as expected.
so very interesting. First up apparmor has always done mediation post
symlink resolution, this is not new with stacking. What is new with
stacking is we are
Now the abstraction used in this case via:
#include
has held the following statement for ages, just for this use:
/dev/ptmx rw,
Please note the difference since the Deny is on:
/dev/pts/ptmx
That is especially noteworthy since the former is just a link to the latter:
$ ll /dev/ptmx
lrwxrwxrwx
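The symlink-resolution point made above, together with the `/dev/pts/ptmx rw,` workaround mentioned earlier in the thread, as an added shell example that is not part of the bug report or of the lxc, libvirt or AppArmor code. It assumes a simplified rule format (one `/path perms,` line per rule, matched only by exact resolved path; AppArmor's globbing is not modelled), builds a constructed directory layout with `dev/ptmx -> pts/ptmx` like the container listing, and the audit line used in the check is constructed, not taken from the attachments:

```shell
#!/bin/sh
# Added example, not code from the bug report or from lxc/libvirt/apparmor.
# Shows why a profile rule for /dev/ptmx does not cover a container where
# /dev/ptmx is a symlink to /dev/pts/ptmx: the path that gets mediated is
# the one after symlink resolution.
# Assumptions (not from the page): rules are one per line in "/path perms,"
# form and are matched by exact resolved path only; real AppArmor rules also
# support globbing, which is ignored here.

# Print the fully resolved path, i.e. the path that is actually mediated.
resolve_path() {
    readlink -f -- "$1"
}

# Extract the mediated path (name="...") from an AppArmor DENIED audit line.
denied_name() {
    printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Return 0 if some rule's path equals the resolved form of the requested path.
# $1: rules, newline separated; $2: the path the confined program opens.
rule_covers() {
    target=$(resolve_path "$2") || return 1
    printf '%s\n' "$1" | awk '{print $1}' | grep -qxF -- "$target"
}

# Build a constructed layout mirroring the container listing in the report:
# <root>/dev/ptmx -> pts/ptmx. Prints <root>, already resolved so that it
# compares equal to readlink -f output even when /tmp is itself a symlink.
make_layout() {
    root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$root/dev/pts"
    : > "$root/dev/pts/ptmx"
    ln -s pts/ptmx "$root/dev/ptmx"
    printf '%s\n' "$root"
}

# Walk through the failure and the workaround discussed in the thread.
demo() {
    root=$(make_layout)
    rules="$root/dev/ptmx rw,"   # the abstraction's long-standing rule
    if rule_covers "$rules" "$root/dev/ptmx"; then
        echo "open of $root/dev/ptmx allowed"
    else
        echo "open of $root/dev/ptmx denied: it resolves to $(resolve_path "$root/dev/ptmx")"
    fi
    # Workaround: add the resolved path to the profile.
    rules="$rules
$root/dev/pts/ptmx rw,"
    if rule_covers "$rules" "$root/dev/ptmx"; then
        echo "after adding '$root/dev/pts/ptmx rw,' the open is allowed"
    fi
    rm -rf "$root"
}

demo
```

In practice the path to add is the one in the `name=` field of the DENIED line in the audit log, not the one the program asked for; `denied_name` pulls it out so it can be fed to `rule_covers` or appended to the profile.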
** Attachment added: "libvirt-92d3d720-da19-41c4-bd87-563c4ee002ce.files"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1684481/+attachment/4865929/+files/libvirt-92d3d720-da19-41c4-bd87-563c4ee002ce.files
** Attachment added: "libvirt-qemu-abstraction"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1684481/+attachment/4865930/+files/libvirt-qemu-abstraction
** Attachment added: "libvirt-92d3d720-da19-41c4-bd87-563c4ee002ce.txt"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1684481/+attachment/4865928/+files/libvirt-92d3d720-da19-41c4-bd87-563c4ee002ce.txt
Thanks Stephane for outlining the likely related timeline of changes.
Thanks John for picking that up, let me search the profiles for you.
Only when writing that up I realized that there is a path difference
that might as well be the root cause after all - writing it up after the
attachments.
It's true there are a few issues with apparmor profiles being loaded as
part of a stack when namespacing is involved. However this does not
appear to be one of them.
However the application may be behaving slightly differently resulting
in the profile needed to be extended. Can you please attach
Ok, so that's an apparmor or apparmor profile problem.
LXD recently changed to also allow for apparmor profiles to be loaded
inside privileged containers. This seems to align with your timeline
above.
Before that change, your kvm process wasn't itself confined when run
inside a privileged LXD
Since apport-collect detected this as apparmor for the report I was also
forcing a "linux" apport collect via "sudo apport-collect
--package=linux 1684481" on the host - since the guest is LXD the kernel
there (if any) doesn't matter.
Now logs should be complete.
** Changed in: linux (Ubuntu)
Running apport-collect on Host (Xenial) and LXD Container (Xenial as well).
BTW I saw LXD is not in the report, it is at:
*** 2.12-0ubuntu3~ubuntu16.04.1~ppa1 500
500 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main
ppc64el Packages
100 /var/lib/dpkg/status
The latter
apport information
** Tags added: apport-collected uec-images xenial
** Description changed:
Setup:
- Xenial host
- lxd guests with Trusty, Xenial, ...
- add a LXD profile to allow kvm [3] (inspired by stgraber)
- spawn KVM guests in the LXD guests using the different distro release
** Tags added: kernel-da-key
** Changed in: linux (Ubuntu)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu)
Status: New => Incomplete
** Also affects: lxd (Ubuntu)
Importance: Undecided
Status: New