Apparmor is disabled in LXD containers now !?!
Compare aa-status after spawning a new container.
root@d-testapparmor:~# aa-status
apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
/snap/core/6673/usr/lib/snapd/snap-confine
/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
snap-update-ns.core
snap-update-ns.lxd
snap.core.hook.configure
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.lxc
snap.lxd.lxd
snap.lxd.migrate
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
root@c-testapparmor:~# aa-status
apparmor module is loaded.
25 profiles are loaded.
25 profiles are in enforce mode.
/sbin/dhclient
/snap/core/6673/usr/lib/snapd/snap-confine
/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/tcpdump
man_filter
man_groff
snap-update-ns.core
snap-update-ns.lxd
snap.core.hook.configure
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.lxc
snap.lxd.lxd
snap.lxd.migrate
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
That is confirmed by the service:
Apr 15 14:16:21 d-testapparmor systemd[1]: Starting Load AppArmor profiles...
Apr 15 14:16:21 d-testapparmor apparmor.systemd[101]: Not starting AppArmor in container
Apr 15 14:16:21 d-testapparmor systemd[1]: Started Load AppArmor profiles.
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- Migrations to Disco trigger "Unable to find security driver for model apparmor"
+ apparmor no more starting in Disco LXD containers
** Description changed:
+ In LXD apparmor now skips starting:
+ Formerly:
+ root@testkvm-bionic-from:~# systemctl status apparmor
+ ● apparmor.service - AppArmor initialization
+ Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
+ Active: active (exited) since Mon 2019-04-15 13:09:07 UTC; 1h 8min ago
+ Docs: man:apparmor(7)
+ http://wiki.apparmor.net/
+ Process: 90 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
+ Main PID: 90 (code=exited, status=0/SUCCESS)
+
+ Apr 15 13:09:07 testkvm-bionic-from systemd[1]: apparmor.service: Failed to reset devices.list: Operation not permitted
+ Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Starting AppArmor initialization...
+ Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: * Starting AppArmor profiles
+ Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
+ Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: ...done.
+ Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Started AppArmor initialization.
+
+
+ Now:
+ root@testkvm-disco-to:~# systemctl status apparmor
+ ● apparmor.service - Load AppArmor profiles
+ Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
+ Active: active (exited) since Mon 2019-04-15 13:56:12 UTC; 21min ago
+ Docs: man:apparmor(7)
+ https://gitlab.com/apparmor/apparmor/wikis/home/
+ Process: 101 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
+ Main PID: 101 (code=exited, status=0/SUCCESS)
+
+ Apr 15 13:56:12 testkvm-disco-to systemd[1]: Starting Load AppArmor profiles...
+ Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
+ Apr 15 13:56:12 testkvm-disco-to systemd[1]: Started Load AppArmor profiles.
+
+
+ ---
+
+ This bug started as:
+ Migrations to Disco trigger "Unable to find security driver for model apparmor"
+
This most likely is related to my KVM-in-LXD setup, but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already, which makes me doubt generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C, but all those chains fail at migrating to Disco now with:
- $ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
- qemu+ssh://10.21.151.207/system
- error: unsupported configuration: Unable to find security driver for model apparmor
+ $ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
+ qemu+ssh://10.21.151.207/system
+ error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824812
Title:
apparmor no more starting in Disco LXD containers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1824812/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
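As an added example (not code from the bug report, nor from the AppArmor or LXD projects): a POSIX shell check that tells the two aa-status listings in the report apart and spots the "Not starting AppArmor in container" journal line. It rests on a heuristic of mine, not a statement from the report: profiles named snap.*, snap-update-ns.* or ending in snapd/snap-confine are pushed in by snapd, so a container whose aa-status shows nothing else has not loaded its own /etc/apparmor.d profiles (dhclient, tcpdump, ...), which is what happens when apparmor.systemd skips the start. The sample inputs are constructed, trimmed copies of the report's output.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# Classify the profile list printed by aa-status inside an LXD container.
# Assumption (mine): profiles named snap.*, snap-update-ns.* or ending in
# snapd/snap-confine(//...) come from snapd; anything else (e.g. /sbin/dhclient,
# /usr/sbin/tcpdump) comes from the container's own /etc/apparmor.d and is only
# present when the container's apparmor.service actually loaded it.

# Print "<local> <snap>" profile counts for the aa-status text passed as $1.
profile_counts() {
    printf '%s\n' "$1" | awk '
        # Profile names follow the "N profiles are in ... mode." header lines.
        /^[0-9]+ profiles are in (enforce|complain) mode\.$/ { inlist = 1; next }
        # The "N processes ..." summary ends the list.
        /^[0-9]+ processes /                                  { inlist = 0 }
        inlist {
            sub(/^[ \t]+/, "")          # aa-status indents profile names
            if ($0 == "") next
            if ($0 ~ /^snap(\.|-update-ns\.)/ || $0 ~ /snapd\/snap-confine/) snap++
            else local++
        }
        END { printf "%d %d\n", local + 0, snap + 0 }'
}

count_local_profiles() { profile_counts "$1" | cut -d" " -f1; }
count_snap_profiles()  { profile_counts "$1" | cut -d" " -f2; }

# Succeed when the container's own profiles are loaded, fail when only
# snapd-provided ones are visible.
local_profiles_loaded() {
    [ "$(count_local_profiles "$1")" -gt 0 ]
}

# Succeed when a journal excerpt ($1) shows apparmor.systemd skipping the start.
journal_shows_skip() {
    printf '%s\n' "$1" | grep -q 'Not starting AppArmor in container'
}

# Constructed samples, trimmed from the two listings in the report.
AA_STATUS_SKIPPED='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /snap/core/6673/usr/lib/snapd/snap-confine
   snap-update-ns.lxd
   snap.lxd.daemon
0 profiles are in complain mode.
0 processes have profiles defined.'

AA_STATUS_OK='apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
   /snap/core/6673/usr/lib/snapd/snap-confine
   snap-update-ns.lxd
   snap.lxd.daemon
0 profiles are in complain mode.
0 processes have profiles defined.'

JOURNAL_SKIPPED='Apr 15 14:16:21 d-testapparmor apparmor.systemd[101]: Not starting AppArmor in container'

# Demonstration on the constructed samples. On a live container you would pass
# "$(aa-status)" and "$(journalctl -u apparmor --no-pager)" instead.
if local_profiles_loaded "$AA_STATUS_OK"; then
    echo "AA_STATUS_OK: container profiles loaded (local snap: $(profile_counts "$AA_STATUS_OK"))"
fi
if ! local_profiles_loaded "$AA_STATUS_SKIPPED"; then
    echo "AA_STATUS_SKIPPED: only snapd profiles present, apparmor.service likely skipped"
fi
if journal_shows_skip "$JOURNAL_SKIPPED"; then
    echo "journal confirms: apparmor.systemd refused to start in a container"
fi
```

The aa-status parse is deliberately limited to the profile list between the "profiles are in ... mode." header and the "processes ..." summary, so it does not depend on indentation or on the exact number of profiles; a container that is healthy by this check but still has no local profiles would mean the heuristic's snapd patterns need adjusting for that image.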