Ordering was important:

$ modprobe shiftfs
$ sudo snap set lxd shiftfs.enable=true
$ sudo systemctl restart snap.lxd.daemon
Now it is enabled:
$ lxc info | grep shiftfs
    shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)


And with that I can reproduce the bug:

$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
$ lxc exec d-testapparmor -- apparmor_parser -r /etc/apparmor.d/sbin.dhclient
AppArmor parser error for /etc/apparmor.d/sbin.dhclient in /etc/apparmor.d/tunables/home at line 25: Could not process include directory '/etc/apparmor.d/tunables/home.d' in 'tunables/home.d'


Installing the host kernel from proposed.
=> 5.0.0.14.15

ubuntu@disco-test-aa-stack:~$ sudo apt install linux-generic linux-headers-generic linux-image-generic
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic linux-modules-extra-5.0.0-14-generic
Suggested packages:
  fdutils linux-doc-5.0.0 | linux-source-5.0.0 linux-tools
The following NEW packages will be installed:
  linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic linux-modules-extra-5.0.0-14-generic
The following packages will be upgraded:
  linux-generic linux-headers-generic linux-image-generic
3 upgraded, 5 newly installed, 0 to remove and 8 not upgraded.
Need to get 67.1 MB of archives.
After this operation, 334 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-modules-5.0.0-14-generic amd64 5.0.0-14.15 [13.7 MB]
6% [1 linux-modules-5.0.0-14-generic 4743 kB/13.7 MB 35%]
Get:2 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-image-5.0.0-14-generic amd64 5.0.0-14.15 [8350 kB]
Get:3 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-modules-extra-5.0.0-14-generic amd64 5.0.0-14.15 [33.2 MB]
Get:4 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-generic amd64 5.0.0.14.15 [1860 B]
Get:5 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-image-generic amd64 5.0.0.14.15 [2484 B]
Get:6 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-5.0.0-14 all 5.0.0-14.15 [10.7 MB]
Get:7 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-5.0.0-14-generic amd64 5.0.0-14.15 [1170 kB]
Get:8 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-generic amd64 5.0.0.14.15 [2440 B]
Fetched 67.1 MB in 13s (5048 kB/s)
Selecting previously unselected package linux-modules-5.0.0-14-generic.
(Reading database ... 67632 files and directories currently installed.)
Preparing to unpack .../0-linux-modules-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-image-5.0.0-14-generic.
Preparing to unpack .../1-linux-image-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-image-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-modules-extra-5.0.0-14-generic.
Preparing to unpack .../2-linux-modules-extra-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../3-linux-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Preparing to unpack .../4-linux-image-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-image-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Selecting previously unselected package linux-headers-5.0.0-14.
Preparing to unpack .../5-linux-headers-5.0.0-14_5.0.0-14.15_all.deb ...
Unpacking linux-headers-5.0.0-14 (5.0.0-14.15) ...
Selecting previously unselected package linux-headers-5.0.0-14-generic.
Preparing to unpack .../6-linux-headers-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../7-linux-headers-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-headers-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Setting up linux-headers-5.0.0-14 (5.0.0-14.15) ...
Setting up linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-headers-generic (5.0.0.14.15) ...
Setting up linux-image-5.0.0-14-generic (5.0.0-14.15) ...
I: /vmlinuz is now a symlink to boot/vmlinuz-5.0.0-14-generic
I: /initrd.img is now a symlink to boot/initrd.img-5.0.0-14-generic
Setting up linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-image-generic (5.0.0.14.15) ...
Setting up linux-generic (5.0.0.14.15) ...
Processing triggers for linux-image-5.0.0-14-generic (5.0.0-14.15) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.0.0-14-generic
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries 
    nor crypto modules. If that's on purpose, you may want to uninstall the 
    'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs 
    integration and avoid this warning.
/etc/kernel/postinst.d/zz-update-grub:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/40-force-partuuid.cfg'
Sourcing file `/etc/default/grub.d/50-cloudimg-settings.cfg'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.0.0-14-generic
Found initrd image: /boot/initrd.img-5.0.0-14-generic
Found linux image: /boot/vmlinuz-5.0.0-13-generic
Found initrd image: /boot/initrd.img-5.0.0-13-generic
done


Install worked fine, now rebooting into it.

$ uname -a
Linux disco-test-aa-stack 5.0.0-14-generic #15-Ubuntu SMP Wed Apr 24 15:39:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Still using shiftfs
$ lxc info | grep shiftfs
    shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)

Profiles now load ok:
$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.

Summarizing - kernel in proposed verified

** Tags removed: verification-needed-disco
** Tags added: verification-done-disco

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824812

Title:
  apparmor does not start in Disco LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1824812/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
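
Added example, not part of the original bug comment: the before/after check from the comment (container rootfs on shiftfs, then the aa-status profile count) as a small shell helper. The function names and verdict strings are made up here; the sample text is copied from the output quoted in the comment.

```shell
#!/bin/sh
# Classify one verification run from captured `mount` and `aa-status` output.
# Function names and verdict strings are illustrative assumptions.

# Succeeds if the mount table shows the container root ("/") on shiftfs.
root_on_shiftfs() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/" && $4 == "type" && $5 == "shiftfs" { found = 1 }
        END { exit !found }'
}

# Prints N from the "N profiles are loaded." line, or -1 if it is missing.
loaded_profiles() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+ profiles are loaded\.$/ { print $1; found = 1; exit }
        END { if (!found) print -1 }'
}

# Prints: not-applicable | inconclusive | bug-reproduced | profiles-load
classify_run() {
    mounts=$1
    status=$2
    if ! root_on_shiftfs "$mounts"; then
        echo "not-applicable"       # the failure was only seen with a shiftfs rootfs
        return 0
    fi
    case $(loaded_profiles "$status") in
        -1) echo "inconclusive" ;;  # aa-status output not recognised
        0)  echo "bug-reproduced" ;;
        *)  echo "profiles-load" ;;
    esac
}

# Sample input, copied from the output quoted in the comment above.
SAMPLE_MOUNTS='/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)'
SAMPLE_STATUS_BEFORE='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.'
SAMPLE_STATUS_AFTER='apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.'

# Live use on the LXD host, with the container name from the report:
#   classify_run "$(lxc exec d-testapparmor -- mount)" "$(lxc exec d-testapparmor -- aa-status)"
classify_run "$SAMPLE_MOUNTS" "$SAMPLE_STATUS_BEFORE"
classify_run "$SAMPLE_MOUNTS" "$SAMPLE_STATUS_AFTER"
```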
