[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-07-16 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-04-19 Thread km
After having upgraded the host to: Ubuntu disco (19.04) | kernel 5.0.0-13 | aa 2.13.2-9 | systemd 240-6 the issue is still present

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-02-10 Thread km
adding cross reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916639#85
> I think that disabling AppArmor by default for new LXC containers for Buster would be an OK-ish fallback option, if nothing else can realistically be made to work in time for the freeze; that would be sad, but

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-02-07 Thread km
Whilst 'lxc.apparmor.profile: unconfined' appears the only way to keep unprivileged lxc guests with systemd v240 alive it defeats the purpose of AppArmor. Notwithstanding, the tail riding on this bug https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1813622

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-02-06 Thread km
https://github.com/lxc/lxd/issues/5439#issuecomment-461257784
> The fix in LXD is only partial because there's currently no safe way for us to fix that for privileged containers due to an apparmor parser bug that the AppArmor team is still working on. So we've made the change only to the

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-02-01 Thread km
*** This bug is a duplicate of bug 1813622 *** https://bugs.launchpad.net/bugs/1813622 ** This bug has been marked a duplicate of bug 1813622 systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-20 Thread Marcin Longlastname
Going further, for those who are running arch containers in proxmox who reach here after googling via getting a message similar to this: [ 2204.273155] audit: type=1400 audit(1548030556.960:100): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_" name="/"

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-16 Thread km
This issue is accelerating/cascading to the extent that the lxc arch linux guest is now entirely dead https://bugs.archlinux.org/task/61428

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-11 Thread km
Some further input from the lxc dev team:
> What systemd wants to do is the equivalent of executing mount --make-rslave /
> on the commandline. The syscall from systemd specifically AFAICT is:
> mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL); As for the AppArmor profile rule, see

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-11 Thread km
strace does not seem to be the tool to figure out the info you are asking for. Considering that the pid of the involved processes would be unknown at the time of starting strace. And executing the process(es) from the cli along with strace will not bear fruit for the case. Going back to the log

Re: [Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-10 Thread Seth Arnold
On Fri, Jan 11, 2019 at 02:36:30AM -, km wrote:
> profile="lxc-container-default-cgns"
>
> profile lxc-container-default-cgns
> flags=(attach_disconnected,mediate_deleted) {
> #include
>
> # the container may never be allowed to mount devpts. If it does, it
> # will remount the

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-10 Thread km
profile="lxc-container-default-cgns"

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance

[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

2019-01-10 Thread Seth Arnold
Could you add to this bug which mount flags are being used by the mount(2) system call that's failed and which mount rules are in the profile? I couldn't find either information in the linked bugs. Thanks