In that container that has no profiles at all I can explicitly load them.
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd
$ systemctl restart libvirtd
makes it show up correctly
1 processes are in enforce mode.
   /usr/sbin/libvirtd (1146)

But why is it missing in the first place ... ?

** Description changed:

  In LXD apparmor now skips starting.

  Steps to reproduce:
  1. start LXD container
-   $ lxc launch ubuntu-daily:d d-testapparmor
-   (disco to trigger the issue, cosmic as reference)
+   $ lxc launch ubuntu-daily:d d-testapparmor
+   (disco to trigger the issue, cosmic as reference)
  2. check the default profiles loaded
-   $ aa-status
+   $ aa-status
  => This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
-   Cosmic:
-   25 profiles are loaded.
-   25 profiles are in enforce mode.
+   Cosmic:
+   25 profiles are loaded.
+   25 profiles are in enforce mode.
  Disco:
-   15 profiles are loaded.
-   15 profiles are in enforce mode.
+   15 profiles are loaded.
+   15 profiles are in enforce mode.
  All those 15 remaining are from snaps.

  The service of apparmor.service actually states that it refuses to start.
  $ systemctl status apparmor
  ...
  Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container

- Since some apparmor seems to work I need to debug it further why so many
- are missing initially and why it affects me in libvirt.
+ I can get those profiles (the default installed ones) loaded, for example:
+   $ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
+ makes it appear
+   22 profiles are in enforce mode.
+      /sbin/dhclient
+
+
+ Since some apparmor seems to work I need to debug it further why so many are missing initially and why it affects me in libvirt.

  --- --- ---
  This bug started as:
  Migrations to Disco trigger "Unable to find security driver for model apparmor"

  This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke.
  I have migrated to Disco's qemu 3.1 already which makes me doubt generic issues in qemu 3.1 in general.
  The virt tests that run cross release work fine starting from X/B/C but all those chains fail at migrating to Disco now with:
  $ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal qemu+ssh://10.21.151.207/system
  error: unsupported configuration: Unable to find security driver for model apparmor

  I need to analyze what changed

** Description changed:

  In LXD apparmor now skips starting.

  Steps to reproduce:
  1. start LXD container
    $ lxc launch ubuntu-daily:d d-testapparmor
    (disco to trigger the issue, cosmic as reference)
  2. check the default profiles loaded
    $ aa-status
  => This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
    Cosmic:
    25 profiles are loaded.
    25 profiles are in enforce mode.
  Disco:
    15 profiles are loaded.
    15 profiles are in enforce mode.
  All those 15 remaining are from snaps.

  The service of apparmor.service actually states that it refuses to start.
  $ systemctl status apparmor
  ...
  Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container

  I can get those profiles (the default installed ones) loaded, for example:
-   $ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
+   $ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
  makes it appear
-   22 profiles are in enforce mode.
-      /sbin/dhclient
+   22 profiles are in enforce mode.
+      /sbin/dhclient
+
+ I was wondering as in my case I found my guest with no (=0) profiles loaded. But as shown above after "apparmor_parser -r" and package install profiles seemed fine. Then the puzzle was solved, on package install they will call apparmor_parser via the dh_apparmor snippet and it is fine.

- Since some apparmor seems to work I need to debug it further why so many are missing initially and why it affects me in libvirt.
+ To fully disable all of them:
+   $ lxc stop <container>
+   $ lxc start <container>
+   $ lxc exec d-testapparmor aa-status
+   apparmor module is loaded.
+   0 profiles are loaded.
+   0 profiles are in enforce mode.
+   0 profiles are in complain mode.
+   0 processes have profiles defined.
+   0 processes are in enforce mode.
+   0 processes are in complain mode.
+   0 processes are unconfined but have a profile defined.
+
+ That would match the service doing an early exit as shown in systemctl
+ status output above. The package install or manual load works, but none
+ are loaded by the service automatically e.g. on container restart.

  --- --- ---
  This bug started as:
  Migrations to Disco trigger "Unable to find security driver for model apparmor"

  This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke.
  I have migrated to Disco's qemu 3.1 already which makes me doubt generic issues in qemu 3.1 in general.

  The virt tests that run cross release work fine starting from X/B/C but all those chains fail at migrating to Disco now with:
  $ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal qemu+ssh://10.21.151.207/system
  error: unsupported configuration: Unable to find security driver for model apparmor

  I need to analyze what changed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824812

Title:
  apparmor no more starting in Disco LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1824812/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
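Added example, not part of the bug report and not code from the AppArmor, LXD or libvirt projects: a POSIX sh check that parses the text `aa-status` prints and flags expected profiles that are not in enforce mode. The failure mode in the report is that apparmor.service exits early inside the container ("Not starting AppArmor in container"), so after a restart a workload such as libvirtd runs with 0 profiles loaded while nothing complains until a migration fails; running a check like this after `lxc start` (e.g. `lxc exec <container> -- aa-status | ...`) turns that silent state into a detectable one. Both `aa-status` samples below are constructed to mirror the two states shown in the thread (0 profiles after restart, profiles present after a manual `apparmor_parser -r`), and the profile list handed to `check_expected` is an assumption about what a given host cares about.

```shell
#!/bin/sh
# Parse aa-status output and verify that expected AppArmor profiles are
# actually enforced. Added example; samples are constructed, not captured.

# Constructed sample 1: the state after a container restart when
# apparmor.service exited early (nothing loaded at all).
SAMPLE_EMPTY='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed sample 2: the state after profiles were loaded by hand with
# "apparmor_parser -r" and libvirtd was restarted under its profile.
SAMPLE_LOADED='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/libvirtd
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/libvirtd (1146)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# count_loaded STATUS_TEXT
#   Prints the number from the "N profiles are loaded." line.
count_loaded() {
    printf '%s\n' "$1" | awk '/profiles are loaded/ { print $1; exit }'
}

# profile_enforced STATUS_TEXT PROFILE_NAME
#   Exit 0 if PROFILE_NAME is listed in the block that follows
#   "N profiles are in enforce mode.", 1 otherwise. The block ends at the
#   next mode header or at the "processes have profiles defined" line, so
#   a process listing such as "/usr/sbin/libvirtd (1146)" is not mistaken
#   for a loaded profile.
profile_enforced() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /profiles are in enforce mode/ { in_enforce = 1; next }
        /profiles are in (complain|kill|unconfined) mode/ { in_enforce = 0 }
        /processes have profiles defined/ { in_enforce = 0 }
        in_enforce && $1 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_expected STATUS_TEXT "PROFILE1 PROFILE2 ..."
#   Prints one line per expected profile that is not in enforce mode.
#   Exit 0 when every expected profile is enforced, 1 when any is missing.
check_expected() {
    status="$1"
    missing=0
    for want in $2; do
        if ! profile_enforced "$status" "$want"; then
            printf 'missing enforce-mode profile: %s\n' "$want"
            missing=1
        fi
    done
    return $missing
}

# Demo run on the constructed samples (assumed expected profile list).
check_expected "$SAMPLE_LOADED" "/usr/sbin/libvirtd /sbin/dhclient" \
    && echo "loaded sample: all expected profiles enforced"
check_expected "$SAMPLE_EMPTY" "/usr/sbin/libvirtd /sbin/dhclient" \
    || echo "empty sample: container needs its profiles (re)loaded"
```

On a real host, replace the sample variables with `status=$(lxc exec <container> -- aa-status)` and pass the profile names your services depend on; a non-zero exit from `check_expected` is the signal that the container came up without its policy, which is the condition the thread works around with a manual `apparmor_parser -r`.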
