Public bug reported:

With latest vivid's LXC, starting a vivid container now fails on
mounting the cgroups:

$ sudo lxc-create --name=v -t ubuntu -- -r vivid
$ sudo lxc-start -n v -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Ubuntu Vivid Vervet (development branch)!

Set hostname to <v>.
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: No such file or directory
Failed to allocate manager object: No such file or directory

This is due to an apparmor violation:

$ dmesg 
[17921.831035] kvm [26603]: vcpu0 disabled perfctr wrmsr: 0xc1 data 0xffff
[17945.611375] device vethWK88T5 entered promiscuous mode
[17945.611487] IPv6: ADDRCONF(NETDEV_UP): vethWK88T5: link is not ready
[17945.651954] eth0: renamed from vethB6ASGB
[17945.692029] IPv6: ADDRCONF(NETDEV_CHANGE): vethWK88T5: link becomes ready
[17945.692104] lxcbr0: port 1(vethWK88T5) entered forwarding state
[17945.692116] lxcbr0: port 1(vethWK88T5) entered forwarding state
[17945.730478] audit: type=1400 audit(1428400530.895:113): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730505] audit: type=1400 audit(1428400530.895:114): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730931] audit: type=1400 audit(1428400530.895:115): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/devices/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730963] audit: type=1400 audit(1428400530.895:116): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/net_cls,net_prio/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730993] audit: type=1400 audit(1428400530.895:117): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/perf_event/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731020] audit: type=1400 audit(1428400530.895:118): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/hugetlb/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731049] audit: type=1400 audit(1428400530.895:119): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpuset/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731077] audit: type=1400 audit(1428400530.895:120): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/freezer/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731106] audit: type=1400 audit(1428400530.895:121): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu,cpuacct/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731133] audit: type=1400 audit(1428400530.895:122): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

The workaround is to change the container config to use "lxc.aa_profile = unconfined",
but I suppose we actually want the default profile to work.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: lxc 1.1.1-0ubuntu4
ProcVersionSignature: Ubuntu 3.19.0-12.12-generic 3.19.3
Uname: Linux 3.19.0-12-generic x86_64
ApportVersion: 2.17-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Apr  7 11:55:09 2015
EcryptfsInUse: Yes
KernLog:
 
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
 lxc.network.type = veth
 lxc.network.link = lxcbr0
 lxc.network.flags = up
 lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.conf: lxc.lxcpath = /srv/lxc

** Affects: lxc (Ubuntu)
     Importance: High
         Status: New


** Tags: amd64 apport-bug vivid

** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1441070

Title:
  lxc-start on default vivid container fails on apparmor violation

Status in lxc package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1441070/+subscriptions
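The dmesg excerpt in the report is the kind of evidence a container operator has to read when a profile blocks an init system: ten `type=1400` AppArmor records, each naming the profile, the operation, the target path and the filesystem type. The script below is an added example (not part of this bug report, of LXC or of AppArmor) that parses such records out of dmesg output and groups the DENIED mount operations by profile and `fstype`, so the set of mount targets the profile refuses can be read off in one place instead of across a wall of wrapped log lines. It assumes the kernel's audit line shape seen above (`audit: type=1400 audit(TS:SERIAL): key=value ...` with double-quoted string values); the embedded sample lines are constructed after the report, not captured from a host.

```python
"""Triage AppArmor mount denials from dmesg output.

Added example; not part of the bug report, LXC or AppArmor. Assumes the kernel
audit line shape `audit: type=1400 audit(TS:SERIAL): key=value ...` in which
string values are double-quoted and may contain spaces and commas.
"""
import errno
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the report (not a capture from a live host):
# one unrelated bridge line, two DENIED cgroup mounts, one DENIED open for contrast.
SAMPLE_DMESG = """\
[17945.692104] lxcbr0: port 1(vethWK88T5) entered forwarding state
[17945.730478] audit: type=1400 audit(1428400530.895:113): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730963] audit: type=1400 audit(1428400530.895:116): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/net_cls,net_prio/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.740100] audit: type=1400 audit(1428400530.905:123): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sysrq-trigger" pid=28460 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# Header of an AppArmor audit record as printed by the kernel log.
AUDIT_RE = re.compile(
    r"audit: type=1400 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)$"
)
# key=value pairs; a quoted value may contain spaces and commas (flags="rw, nosuid, ...").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return a dict of the record's fields, or None if the line is not an audit record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    record = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        record[key] = raw[1:-1] if raw.startswith('"') else raw
    return record


def parse_dmesg(text):
    """Parse every audit record in a block of dmesg output, skipping other lines."""
    return [r for r in (parse_audit_line(l) for l in text.splitlines()) if r]


def errno_name(record):
    """Map the kernel's negative errno (error=-13) to its symbolic name (EACCES)."""
    code = -int(record.get("error", "0"))
    return errno.errorcode.get(code, f"errno {code}")


def denied_mounts(records):
    """Group DENIED mount records by (profile, fstype) -> sorted list of target paths."""
    groups = defaultdict(set)
    for r in records:
        if r.get("apparmor") == "DENIED" and r.get("operation") == "mount":
            groups[(r.get("profile", "?"), r.get("fstype", "?"))].add(r.get("name", "?"))
    return {key: sorted(names) for key, names in groups.items()}


def summarize(records):
    """One header line per (profile, fstype) followed by the denied mount targets."""
    lines = []
    for (profile, fstype), names in sorted(denied_mounts(records).items()):
        lines.append(f"profile {profile}: {len(names)} denied mount(s) of fstype={fstype}")
        lines.extend(f"  {name}" for name in names)
    return lines


if __name__ == "__main__":
    # Usage: save `dmesg` output to a file and pass its path; with no argument the
    # constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DMESG
    for line in summarize(parse_dmesg(text)):
        print(line)
```

Run against the sample it reports the single profile `lxc-container-default` with two denied `cgroup` mounts; the `open` denial is parsed but deliberately excluded from the mount summary so that the report stays focused on the failure mode in the bug. The field regex is the part worth keeping: kernel audit values are only quoted when they contain characters that would otherwise break a naive `split()`, which is exactly what the `flags=` field does here.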

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
