Your message dated Mon, 20 Apr 2020 07:46:51 +0900 (JST)
with message-id
<[email protected]>
and subject line Re: Bug#958158: lxc: lsm/apparmor.c: make_apparmor_namespace:
845 Permission denied - Error creating AppArmor namespace:
/sys/kernel/security/apparmor/policy/namespaces/lxc-buster-unpriv_<-home-ryutaroh-.local-share-lxc>
has caused the Debian Bug report #958158,
regarding lxc: lsm/apparmor.c: make_apparmor_namespace: 845 Permission denied -
Error creating AppArmor namespace:
/sys/kernel/security/apparmor/policy/namespaces/lxc-buster-unpriv_<-home-ryutaroh-.local-share-lxc>
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
958158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958158
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lxc
Version: 1:4.0.2-1~1
Severity: normal
Dear Maintainer,
Thank you very much for packaging LXC 4.0.2.
I created guest Linux with
lxc-create -B btrfs -t download -- -d debian -r buster -a amd64
I was able to use LXC 4.0.2 with
* privileged container started by root
* unprivileged container started by root.
on Debian Bullseye host in pure CGroupV2 (systemd.unified_cgroup_hierarchy=1).
But when a non-root user runs "lxc-execute" or "lxc-start",
I get an AppArmor error as below.
Script started on 2020-04-19 15:36:36+09:00 [TERM="linux" TTY="/dev/tty2"
COLUMNS="128" LINES="48"]
ryutaroh@bullseye-qemu:~$ systemd-run --user --scope -p "Delegate=yes"
lxc-execute -n buster-unpriv -- /bin/bash
Running scope as unit: run-ra950d6a0aaf94fd28f2153e0958e4293.scope
lxc-execute: buster-unpriv: lsm/apparmor.c: make_apparmor_namespace: 845
Permission denied - Error creating AppArmor namespace:
/sys/kernel/security/apparmor/policy/namespaces/lxc-buster-unpriv_<-home-ryutaroh-.local-share-lxc>
lxc-execute: buster-unpriv: lsm/apparmor.c: apparmor_prepare: 1064 Failed to
load generated AppArmor profile
lxc-execute: buster-unpriv: start.c: lxc_init: 845 Failed to initialize LSM
lxc-execute: buster-unpriv: start.c: __lxc_start: 1898 Failed to initialize
container "buster-unpriv"
lxc-execute: buster-unpriv: tools/lxc_execute.c: main: 226 Failed run an
application inside container
ryutaroh@bullseye-qemu:~$ exit
exit
Script done on 2020-04-19 15:37:39+09:00 [COMMAND_EXIT_CODE="1"]
The above error can be worked around by adding
lxc.apparmor.profile = unconfined
to the config file of a container.
I suspect that this is the same as the upstream issue reported at
https://github.com/lxc/lxc/issues/3371
but I am unsure. So I do not attach the upstream tag.
I do not think this is related to pure CGroupV2.
Best regards, Ryutaroh Matsumoto
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.5.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8),
LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lxc depends on:
ii debconf [debconf-2.0] 1.5.73
ii libc6 2.30-4
ii libgcc-s1 10-20200411-1
ii liblxc1 1:4.0.2-1~1
ii lsb-base 11.1.0
Versions of packages lxc recommends:
ii apparmor 2.13.4-1+b1
ii bridge-utils 1.6-2
pn debootstrap <none>
ii dirmngr 2.2.20-1
ii dnsmasq-base [dnsmasq-base] 2.80-1.1
ii gnupg 2.2.20-1
ii iproute2 5.5.0-1
ii iptables 1.8.4-3
pn libpam-cgfs <none>
pn lxc-templates <none>
pn lxcfs <none>
ii openssl 1.1.1f-1
pn rsync <none>
ii uidmap 1:4.8.1-1
Versions of packages lxc suggests:
ii btrfs-progs 5.6-1
pn lvm2 <none>
pn python3-lxc <none>
-- debconf information:
lxc/auto_update_config:
--- End Message ---
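Added example, not part of the bug report or of LXC itself: a small Python audit that parses an LXC container config and reports what AppArmor confinement the lxc.apparmor.profile value gives, so that the "unconfined" workaround above stands out when configs are reviewed. The sample config (rootfs path, idmap lines) is constructed to resemble the report's buster-unpriv container; the comment and key=value syntax handling is an assumption about LXC 4.x config files.

```python
"""Audit an LXC container config for its AppArmor setting (added example)."""
from typing import Dict, List, Tuple

KEY = "lxc.apparmor.profile"

# Constructed sample config; the last line is the workaround from the report.
SAMPLE_CONFIG = """\
# Container "buster-unpriv", unprivileged, started by a non-root user
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64
lxc.rootfs.path = btrfs:/home/ryutaroh/.local/share/lxc/buster-unpriv/rootfs
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.apparmor.profile = unconfined
"""


def parse_lxc_config(text: str) -> Dict[str, List[str]]:
    """Return key -> values in file order; keys such as lxc.idmap may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf


def apparmor_assessment(conf: Dict[str, List[str]]) -> Tuple[str, str]:
    """Classify the effective lxc.apparmor.profile (the last occurrence wins)."""
    values = conf.get(KEY)
    value = values[-1] if values else None
    if value is None:
        return ("default", "no explicit profile set in this file")
    if value == "unconfined":
        return ("unconfined", "no AppArmor confinement (the report's workaround)")
    if value == "generated":
        return ("generated", "LXC must create an AppArmor policy namespace and "
                "load a profile; fails for a non-root user as in the report")
    if value == "unchanged":
        return ("unchanged", "keeps the AppArmor profile of the parent process")
    return ("named", f"pre-loaded profile '{value}' is applied")


if __name__ == "__main__":
    kind, detail = apparmor_assessment(parse_lxc_config(SAMPLE_CONFIG))
    print(f"{KEY}: {kind} - {detail}")
```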
--- Begin Message ---
Control: tags -1 + upstream wontfix
Dear Maintainers,
Sorry, this is an upstream feature.
With lxc.apparmor.profile = generated, I also observe the same issue
in lxc 4.0.2 on Ubuntu Focal.
It was said that this is a feature at
https://discuss.linuxcontainers.org/t/unprivileged-container-wont-start-cgroups-sysvinit/6766
https://discuss.linuxcontainers.org/t/cannot-use-generated-profile-apparmor-parser-not-available/4449
I close this, and I have updated
https://wiki.debian.org/LXC#Unprivileged_container
Best regards, Ryutaroh
From: Ryutaroh Matsumoto <[email protected]>
Date: Sun, 19 Apr 2020 16:22:30 +0900 (JST)
> The reported issue #958158 is not observed in
> LXC 4.0.2 on Ubuntu 20.04.
> So I wonder if this is an upstream issue or Debian specific.
> Ryutaroh
--- End Message ---