Package: lxc
Version: 1:5.0.2-1
Severity: normal
X-Debbugs-Cc: [email protected]

Dear Maintainer,

After upgrading an unprivileged container from bullseye to bookworm, LXC's AppArmor profiles are no longer sufficient for the guest's systemd-logind. This manifests as a 25 second hang when running certain commands (notably sudo -i and su -) in the container. It also produces a lot of errors in the host & guest logs.

Before the upgrade to bookworm, the hangs did not occur, and systemd-logind started without trouble.

-- Host journal:

Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:01 debtesting CRON[6362]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session closed for user root
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.450:326): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6377]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.522:327): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6381]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.534:328): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"

-- Guest journal:

Apr 02 18:30:16 lxbox sudo[136]: root : TTY=pts/7 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 02 18:30:16 lxbox sudo[136]: pam_limits(sudo-i:session): Could not set limit for 'core' to soft=0, hard=-1: Operation not permitted; uid=0,euid=0
Apr 02 18:30:16 lxbox sudo[136]: pam_unix(sudo-i:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:16 lxbox dbus-daemon[97]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' requested by ':1.2' (uid=0 pid=136 comm="sudo -i")
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[137]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 1.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[141]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 2.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[145]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 3.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox (modprobe)[149]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 4.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[153]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 5.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[157]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Start request repeated too quickly.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:41 lxbox dbus-daemon[97]: [system] Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
Apr 02 18:30:41 lxbox sudo[136]: pam_systemd(sudo-i:session): Failed to create session: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)

-- Guest busctl monitor output:

Type=method_call Endian=l Flags=0 Version=1 Cookie=1 Timestamp="Mon 2023-04-03 01:30:16.386617 UTC"
  Sender=:1.2 Destination=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=Hello
  UniqueName=:1.2
  MESSAGE "" {
  };

Type=method_return Endian=l Flags=1 Version=1 Cookie=1 ReplyCookie=1 Timestamp="Mon 2023-04-03 01:30:16.386790 UTC"
  Sender=org.freedesktop.DBus Destination=:1.2
  MESSAGE "s" {
          STRING ":1.2";
  };

Type=signal Endian=l Flags=1 Version=1 Cookie=5 Timestamp="Mon 2023-04-03 01:30:16.386806 UTC"
  Sender=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameOwnerChanged
  MESSAGE "sss" {
          STRING ":1.2";
          STRING "";
          STRING ":1.2";
  };

Type=signal Endian=l Flags=1 Version=1 Cookie=2 Timestamp="Mon 2023-04-03 01:30:16.386820 UTC"
  Sender=org.freedesktop.DBus Destination=:1.2 Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameAcquired
  MESSAGE "s" {
          STRING ":1.2";
  };

Type=signal Endian=l Flags=1 Version=1 Cookie=12 Timestamp="Mon 2023-04-03 01:30:16.392000 UTC"
  Sender=org.freedesktop.DBus Destination=org.freedesktop.systemd1 Path=/org/freedesktop/DBus Interface=org.freedesktop.systemd1.Activator Member=ActivationRequest
  MESSAGE "s" {
          STRING "dbus-org.freedesktop.login1.service";
  };

Type=method_call Endian=l Flags=0 Version=1 Cookie=2 Timestamp="Mon 2023-04-03 01:30:16.392080 UTC"
  Sender=:1.2 Destination=org.freedesktop.login1 Path=/org/freedesktop/login1 Interface=org.freedesktop.login1.Manager Member=CreateSession
  UniqueName=:1.2
  MESSAGE "uusssssussbssa(sv)" {
          UINT32 0;
          UINT32 0;
          STRING "sudo-i";
          STRING "x11";
          STRING "user";
          STRING "KDE";
          STRING "seat0";
          UINT32 7;
          STRING "pts/7";
          STRING "";
          BOOLEAN false;
          STRING "root";
          STRING "";
          ARRAY "(sv)" {
          };
  };

Type=error Endian=l Flags=1 Version=1 Cookie=3 ReplyCookie=2 Timestamp="Mon 2023-04-03 01:30:41.416860 UTC"
  Sender=org.freedesktop.DBus Destination=:1.2
  ErrorName=org.freedesktop.DBus.Error.TimedOut ErrorMessage="Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)"
  MESSAGE "s" {
          STRING "Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)";
  };

Type=signal Endian=l Flags=1 Version=1 Cookie=6 Timestamp="Mon 2023-04-03 01:30:41.417026 UTC"
  Sender=org.freedesktop.DBus Destination=:1.2 Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameLost
  MESSAGE "s" {
          STRING ":1.2";
  };

Type=signal Endian=l Flags=1 Version=1 Cookie=7 Timestamp="Mon 2023-04-03 01:30:41.417043 UTC"
  Sender=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameOwnerChanged
  MESSAGE "sss" {
          STRING ":1.2";
          STRING ":1.2";
          STRING "";
  };

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.82
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  iproute2                     6.1.0-2
ii  libapparmor1                 3.0.8-3
ii  libc6                        2.36-8
ii  libcap2                      1:2.66-3
ii  libgcc-s1                    12.2.0-14
ii  liblxc-common                1:5.0.2-1
ii  liblxc1                      1:5.0.2-1
ii  libseccomp2                  2.5.4-1+b3
ii  libselinux1                  3.4-1+b5
ii  nftables                     1.0.6-2
ii  sysvinit-utils [lsb-base]    3.06-2

Versions of packages lxc recommends:
ii  apparmor       3.0.8-3
ii  debootstrap    1.0.128+nmu2
ii  dirmngr        2.2.40-1.1
ii  gnupg          2.2.40-1.1
ii  libpam-cgfs    1:5.0.2-1
ii  lxc-templates  3.0.4.48.g4765da8-1
ii  lxcfs          5.0.3-1
ii  openssl        3.0.8-1
ii  rsync          3.2.7-1
ii  uidmap         1:4.13+dfsg1-1+b1
ii  wget           1.21.3-1+b2

Versions of packages lxc suggests:
pn  btrfs-progs  <none>
pn  lvm2         <none>
pn  python3-lxc  <none>

-- debconf information excluded
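
Added triage example, not part of the original report and not LXC or AppArmor project code: the host journal above records each AppArmor denial twice (once as "audit[PID]: AVC" and once as "kernel: audit: type=1400"), so counting raw lines overstates the number of blocked attempts. This sketch parses the denial lines, collapses the duplicates and groups them by profile and mount flags; the function names and the de-duplication key are assumptions of the example.

```python
import re
from collections import Counter

# Four lines excerpted from the host journal in the report: one denial logged
# twice (pid 6365), one logged once (pid 6369), and an unrelated kernel line.
SAMPLE_HOST_LOG = """\
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
"""

# key=value pairs as printed in audit records; values may be quoted or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict per unique AppArmor denial found in journal text."""
    seen, denials = set(), []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        # Collapse the audit[PID] / kernel duplicates on PID plus rule fields
        # (assumption: one process does not repeat an identical denial).
        ident = tuple(fields.get(k, "") for k in
                      ("pid", "profile", "operation", "name", "flags"))
        if ident not in seen:
            seen.add(ident)
            denials.append(fields)
    return denials


def summarize(denials):
    """Count denied processes per (profile, operation, name, flags)."""
    return Counter((d.get("profile", ""), d.get("operation", ""),
                    d.get("name", ""), d.get("flags", "")) for d in denials)


if __name__ == "__main__":
    for (profile, op, name, flags), n in summarize(
            parse_denials(SAMPLE_HOST_LOG)).items():
        print(f"{n} process(es) denied: profile={profile} "
              f"operation={op} name={name} flags={flags}")
```

Run over the full host journal, the summary gives the one profile and flag combination that has to be reviewed, with a per-process count that can be compared against the restart counter in the guest journal.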

