Public bug reported:

Environment:
----------------

    Distribution: ubuntu
    Distribution version: 16.10
    lxc info:
      apiextensions:
      - storage_zfs_remove_snapshots
      - container_host_shutdown_timeout
      - container_syscall_filtering
      - auth_pki
      - container_last_used_at
      - etag
      - patch
      - usb_devices
      - https_allowed_credentials
      - image_compression_algorithm
      - directory_manipulation
      - container_cpu_time
      - storage_zfs_use_refquota
      - storage_lvm_mount_options
      - network
      - profile_usedby
      - container_push
      apistatus: stable
      apiversion: "1.0"
      auth: trusted
      environment:
        addresses:
        - 163.172.48.149:8443
        - 172.20.10.1:8443
        - 172.20.11.1:8443
        - 172.20.12.1:8443
        - 172.20.22.1:8443
        - 172.20.21.1:8443
        - 10.8.0.1:8443
        architectures:
        - x86_64
        - i686
        certificate: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
        driver: lxc
        driverversion: 2.0.5
        kernel: Linux
        kernelarchitecture: x86_64
        kernelversion: 4.8.0-27-generic
        server: lxd
        serverpid: 32694
        serverversion: 2.4.1
        storage: btrfs
        storageversion: 4.7.3
      config:
        core.https_address: '[::]:8443'
        core.trust_password: true

Container: ubuntu 16.10


Issue description
------------------


tor can't start in a non-privileged container


Logs from the container:
-------------------------

Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted


Logs from the host
--------------------

audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"


Steps to reproduce
---------------------

    Install an Ubuntu 16.10 container on an Ubuntu 16.10 host
    Install tor in the container
    Launch tor

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: tor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor lxd tor

** Also affects: tor (Ubuntu)
   Importance: Undecided
       Status: New
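The host-side audit record is the diagnostic that matters here: operation="change_onexec" with info="label not found" and error=-2 (ENOENT) means the process asked the kernel to switch to a profile that is not visible in the container's AppArmor namespace, which is why systemd reports "Failed at step APPARMOR ... No such file or directory". The following is an added example, not part of the bug report, that parses such audit records from a host log and flags this failure mode per container; the mapping from namespace label to container name (root//lxd-<container>_<path>) is assumed from the namespace shown in the report.

```python
import re

# Constructed sample: the host-side audit record from this report joined onto
# one line, plus a constructed non-denial STATUS record to show it is ignored.
SAMPLE_HOST_LOG = """\
audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"
audit: type=1400 audit(1481119380.001:6951): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-anonymous_<var-lib-lxd>" pid=12200 comm="apparmor_parser"
"""

# One key=value field; quoted values may contain spaces ("label not found").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def container_from_namespace(namespace):
    """Recover the LXD container name from an AppArmor namespace label.
    Assumed from the report: LXD names it root//lxd-<container>_<path>."""
    m = re.match(r"root//lxd-(.+?)_", namespace)
    return m.group(1) if m else None

def triage(fields):
    """Classify one parsed record as (verdict, detail); detail is None
    for anything that is not a denial."""
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial", None
    detail = {
        "container": container_from_namespace(fields.get("namespace", "")),
        "requested_profile": fields.get("name"),
        "comm": fields.get("comm"),
    }
    # change_onexec + "label not found": the process asked to switch to a
    # profile the kernel cannot see in that namespace, so the exec fails
    # with ENOENT (error=-2) and systemd reports status=231/APPARMOR.
    if (fields.get("operation") == "change_onexec"
            and fields.get("info") == "label not found"):
        return "profile-not-loaded-in-namespace", detail
    return "other-denial", detail

def scan(log_text):
    """Triage every record in a log and return only the denials."""
    findings = []
    for line in log_text.splitlines():
        verdict, detail = triage(parse_audit_line(line))
        if detail is not None:
            findings.append((verdict, detail))
    return findings
```

Running scan() over the host's audit log after a container restart gives a per-container list of profiles that were requested but never loaded in that container's namespace.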

https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
  name="system_tor"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions
