Package: lxd
Version: 5.0.2-5
Followup-For: Bug #1038315

I'm unsure if current breakage is due to apparmor itself (the bug reported
there was apparently fixed a while ago), lxd's apparmor profile, or somewhere
else (as satisfying as blaming systemd would be...). See linked bugs listed
below.
Is it possible that the AppArmor socket mediation patches have not made it
into upstream and/or Debian kernels? :thinking_face: If so, then this bug
needs to be reassigned to the kernel.

I'm writing here because this also breaks the plocate-updatedb service inside
LXD containers. I don't think it's a bug with network namespacing inside
containers, as unshare -u ifconfig works fine, for example.

In the container:

root@pat:~# systemctl status plocate-updatedb.service
× plocate-updatedb.service - Update the plocate database
     Loaded: loaded (/lib/systemd/system/plocate-updatedb.service; static)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: failed (Result: exit-code) since Fri 2023-06-23 09:53:56 AWST; 5h 31min ago
TriggeredBy: ● plocate-updatedb.timer
    Process: 33437 ExecStart=/usr/sbin/updatedb.plocate (code=exited, status=225/NETWORK)
   Main PID: 33437 (code=exited, status=225/NETWORK)
        CPU: 584us

Jun 23 09:53:56 pat systemd[1]: Starting plocate-updatedb.service - Update the plocate database...
Jun 23 09:53:56 pat systemd[1]: plocate-updatedb.service: Main process exited, code=exited, status=225/NETWORK
Jun 23 09:53:56 pat systemd[1]: plocate-updatedb.service: Failed with result 'exit-code'.
Jun 23 09:53:56 pat systemd[1]: Failed to start plocate-updatedb.service - Update the plocate database.
On the host after attempting to start the service inside the guest:

2023-06-23T09:53:56.040427+08:00 grook kernel: [772843.931461] audit: type=1400 audit(1687485236.036:118): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" sock_type=ram" protocol=0 requested_mask="send"
2023-06-23T09:53:56.040437+08:00 grook kernel: [772843.931469] audit: type=1400 audit(1687485236.036:119): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" sock_type=ram" protocol=0 requested_mask="send"

Host information (both host and guest are running bookworm BTW):

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxd depends on:
ii  adduser             3.134
ii  attr                1:2.5.1-4
ii  ca-certificates     20230311
ii  init-system-helpers 1.65.2
ii  libacl1             2.3.1-3
ii  libc6               2.36-9
ii  libcap2             1:2.66-4
ii  libdqlite0          1.11.1-1
ii  libgcc-s1           12.2.0-14
ii  liblxc-common       1:5.0.2-1
ii  liblxc1             1:5.0.2-1
ii  libsqlite3-0        3.40.1-2
ii  libudev1            252.6-1
ii  lxcfs               5.0.3-1
ii  lxd-client          5.0.2-5
ii  rsync               3.2.7-1
ii  squashfs-tools      1:4.5.1-1
ii  uidmap              1:4.13+dfsg1-1+b1
ii  xz-utils            5.4.1-0.2

Versions of packages lxd recommends:
ii  apparmor                     3.0.8-3
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  lxd-agent                    5.0.2-5

Versions of packages lxd suggests:
pn  btrfs-progs     <none>
pn  ceph-common     <none>
ii  gdisk           1.0.9-2.1
ii  lvm2            2.03.16-2
ii  lxd-tools       5.0.2-5
ii  zfsutils-linux  2.1.11-1

The container itself does not have apparmor installed.

systemd-hostnamed.service is probably also affected, but in my case I paved
over the issue by setting PrivateNetwork=no in an override.
Related:
- https://bugs.launchpad.net/bugs/1575779 and https://bugs.launchpad.net/bugs/1780227
- https://bugs.launchpad.net/bugs/1635382
- https://github.com/lxc/lxc/issues/820 and https://github.com/lxc/lxd/issues/1603

-MD
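The host kernel log quoted in the report is the place to confirm which AppArmor profile is doing the denying. As an added triage helper that is not part of the report or of lxd/apparmor, the script below condenses such audit lines into one row per distinct (profile, operation, family, requested_mask, comm) tuple with a count; the sample lines are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Added triage helper (not from the bug report, lxd or apparmor): summarise
# AppArmor "DENIED" audit lines from the host kernel log so the profile,
# operation and container process involved can be seen at a glance.

# Constructed sample input, modelled on the host log quoted in the report;
# the third line is an ALLOWED event and must be ignored by the summary.
SAMPLE_AUDIT='2023-06-23T09:53:56.040427+08:00 grook kernel: [772843.931461] audit: type=1400 audit(1687485236.036:118): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" protocol=0 requested_mask="send"
2023-06-23T09:53:56.040437+08:00 grook kernel: [772843.931469] audit: type=1400 audit(1687485236.036:119): apparmor="DENIED" operation="file_lock" profile="lxd-pat_</var/lib/lxd>" pid=3334600 comm="(.plocate)" family="unix" protocol=0 requested_mask="send"
2023-06-23T09:54:01.000000+08:00 grook kernel: [772848.000000] audit: type=1400 audit(1687485241.000:120): apparmor="ALLOWED" operation="open" profile="lxd-pat_</var/lib/lxd>" pid=3334601 comm="cat" name="/etc/hostname"'

# summarise_denials: reads audit lines on stdin and writes, highest count first,
#   count<TAB>profile<TAB>operation<TAB>family<TAB>requested_mask<TAB>comm
# one row per distinct tuple. A key missing from a line is shown as "-".
summarise_denials() {
    awk '
        # Extract the value of a key="value" token from s, or "-" if absent.
        function field(s, key) {
            if (match(s, key "=\"[^\"]*\""))
                return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
            return "-"
        }
        /apparmor="DENIED"/ {
            k = field($0, "profile") "\t" field($0, "operation")
            k = k "\t" field($0, "family") "\t" field($0, "requested_mask")
            k = k "\t" field($0, "comm")
            count[k]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a real host feed it
# e.g. journalctl -k output instead.
printf '%s\n' "$SAMPLE_AUDIT" | summarise_denials
```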