On 18-04-05 16:47:26, Georg Faerber wrote:
> On 18-04-05 13:18:56, Georg Faerber wrote:
> > On 18-04-05 08:10:09, Antonio Terceiro wrote:
> > > On Thu, Apr 05, 2018 at 09:49:02AM +0200, Georg Faerber wrote:
> > > > However, running
> > > > build-and-upload after this leads to the same result:
> > > >
> > > > [...]
> > > > autopkgtest [09:41:33]: version 5.2
> > > > autopkgtest [09:41:33]: host debian; command line: /usr/bin/autopkgtest
> > > > /home/georg/code/debian/ruby-team/build-area/ruby-sequel_5.7.0-1.dsc --
> > > > lxc autopkgtest-unstable-amd64
> > > > autopkgtest [09:41:53]: testbed dpkg architecture: amd64
> > > > autopkgtest [09:41:54]: testbed running kernel: Linux 4.15.0-1-amd64 #1
> > > > SMP Debian 4.15.4-1 (2018-02-18)
> > > > autopkgtest [09:41:54]: @@@@@@@@@@@@@@@@@@@@ source
> > > > /home/georg/code/debian/ruby-team/build-area/ruby-sequel_5.7.0-1.dsc
> > > > Cannot execute /bin/sh
> > >
> > > ^ this is very weird
> >
> > Yes, it is. Especially, because it works if called manually..
>
> After some more debugging with Antonio on IRC, I suspect this is due to
> apparmor:
>
> [ +0.357028] audit: type=1400 audit(1522939203.328:120): apparmor="DENIED"
> operation="mount" info="failed type match" error=-13
> profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=14741
> comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev,
> noexec"
> [ +0.000055] audit: type=1400 audit(1522939203.328:121): apparmor="DENIED"
> operation="mount" info="failed type match" error=-13
> profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=14741
> comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev,
> noexec"
>
> My apparmor knowledge is still quite limited, so the following might be
> wrong, but:
>
> - Disabling apparmor, restarting lxc (and rebooting as well, just to
>   make sure) didn't make this work.
> - I suspect the setup / script is broken at least on unstable, and on
>   testing as well, I guess.
>
> I'll debug this further, but still would be happy to take more
> pointers.. :)

Hm, maybe the above is not correct:

- Setting all lxc profiles to complain mode, led to:

  [ +0.357471] audit: type=1400 audit(1522941246.693:197): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=21615 comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev, noexec"

  with the same result as above.

- Adding lxc.aa_profile = unconfined to the container config resulted in
  no audit log in dmesg, but no success either.

Cheers,
Georg