@shemgp, this suggests that you're using a non-Ubuntu kernel which comes
with incomplete apparmor support. This typically happens when you're
using a mainline kernel build rather than an official Ubuntu kernel.
You can force LXD to use such a kernel, though as mentioned, confinement
will be partial.
lxc profile default set raw.lxc lxc.aa_allow_incomplete=1
Should ensure it's set for all your containers.
https://bugs.launchpad.net/bugs/1296459
Title:
Upgrade from 2.8.0-0ubuntu38 to 2.8.95~2430-0ubuntu2 breaks LXC
containers
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
I've been getting a few issues on a bunch of machines over the past
few days, mostly unprivileged LXC containers reporting mount failures
at boot time, leading to them failing miserably.
The failures in question are:
[ 1084.404894] type=1400 audit(1395617066.637:62): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/sys/fs/cgroup/" pid=12858 comm="mount"
fstype="tmpfs" srcname="none" flags="rw"
[ 1084.405042] type=1400 audit(1395617066.637:63): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/sys/fs/cgroup/" pid=12858 comm="mount"
fstype="tmpfs" srcname="none" flags="ro"
[ 1084.406013] type=1400 audit(1395617066.637:64): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/run/" pid=12859 comm="mount"
fstype="tmpfs" srcname="none" flags="rw, nosuid, noexec"
[ 1084.406127] type=1400 audit(1395617066.637:65): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/run/" pid=12859 comm="mount"
fstype="tmpfs" srcname="none" flags="ro, nosuid, noexec"
Those happen when running under our usual, unmodified lxc-container-default
profile which includes container-base which contains:
root@vorash:~# grep tmpfs /etc/apparmor.d/abstractions/lxc/container-base
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
Downgrading to 2.8.0-0ubuntu38 and reloading apparmor appears to resolve the
issue, so this appears to be a parser bug rather than one of our usual kernel
regressions...
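As an added example (not code from the bug report, nor from the apparmor or LXC projects), a small parser for the type=1400 AppArmor audit records quoted above. It groups DENIED mount records by profile, filesystem type and target, which is the quickest way to tell a burst of denials under a profile that is meant to allow that fstype (a parser or kernel regression like this one) from a single misbehaving container. The sample lines are the report's own four records, reassembled onto single lines as the kernel emits them.

```python
import re
from collections import Counter

# Constructed sample: the four audit records from the bug report, one per line.
SAMPLE_LOG = """\
[ 1084.404894] type=1400 audit(1395617066.637:62): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=12858 comm="mount" fstype="tmpfs" srcname="none" flags="rw"
[ 1084.405042] type=1400 audit(1395617066.637:63): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=12858 comm="mount" fstype="tmpfs" srcname="none" flags="ro"
[ 1084.406013] type=1400 audit(1395617066.637:64): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/run/" pid=12859 comm="mount" fstype="tmpfs" srcname="none" flags="rw, nosuid, noexec"
[ 1084.406127] type=1400 audit(1395617066.637:65): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/run/" pid=12859 comm="mount" fstype="tmpfs" srcname="none" flags="ro, nosuid, noexec"
"""

# key=value pairs; quoted values may contain spaces (e.g. flags="rw, nosuid, noexec")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Return the key/value fields of a type=1400 AppArmor audit line, or None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def mount_denials(log_text):
    """Parsed records whose action is DENIED and whose operation is mount."""
    out = []
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount":
            out.append(rec)
    return out


def denials_by_target(log_text):
    """Count denied mounts per (profile, fstype, mount target)."""
    return Counter((r["profile"], r["fstype"], r["name"]) for r in mount_denials(log_text))


def flag_match_failures(log_text):
    """Records the kernel rejected on flags alone ("failed flags match"), i.e. the
    fstype itself was permitted but the loaded policy's flag set did not cover it."""
    return [r for r in mount_denials(log_text) if r.get("info") == "failed flags match"]
```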