[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-07-31 Thread Martin Pitt
*** This bug is a duplicate of bug 1350947 ***
https://bugs.launchpad.net/bugs/1350947

Unfortunately that previous commit isn't sufficient yet; I'm not sure
how it worked for me when I tested it, but bug 1350947 is in the way.
I'm making this a dupe and adding an LXC task, that's easier.

** Changed in: lxc (Ubuntu)
   Status: Fix Committed => Triaged

** This bug has been marked a duplicate of bug 1350947
   apparmor: no working rule to allow making a mount private

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1325468

Title:
  [systemd] container startup fails with AppArmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1325468/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-07-30 Thread Martin Pitt
** Changed in: lxc (Ubuntu)
   Status: In Progress => Fix Committed



[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-07-30 Thread Martin Pitt
Created upstream pull request: https://github.com/lxc/lxc/pull/285



[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-07-30 Thread Martin Pitt
Stéphane pointed out on IRC the other day that "in (rw, slave)" is too
lax, but that "=(rw, slave)" would be okay. I'll add that now, as this
is both really hard to discover and leaves quite a lot of garbage
(mounts) behind on failures.

** Changed in: lxc (Ubuntu)
   Status: Triaged => In Progress

** Changed in: lxc (Ubuntu)
 Assignee: (unassigned) => Martin Pitt (pitti)

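A small check for the three rule forms tried in this thread, added here as an example and not taken from the LXC or AppArmor code: it flags the unparenthesized list that the parser rejected, marks the "in" form as lax per Stéphane's remark, and accepts the "=" form. The function names, the sample profile text and the "-> /" target on the "=" rule are assumptions; it only looks at one-line "mount options" rules and does not replace apparmor_parser.

```python
import re

# One-line "mount options ..." rule, ending in the rule-terminating comma.
RULE_RE = re.compile(r"^\s*mount\s+options\s*(=|in\b)\s*(.*?),\s*$")

def classify_mount_rule(line):
    """Classify one profile line: 'other', 'syntax-error', 'lax' or 'ok'."""
    m = RULE_RE.match(line)
    if not m:
        return "other"
    op, body = m.groups()
    # Inside parentheses a comma (or space) separates options; anywhere
    # else a comma ends the rule, so a leftover comma or an unbalanced
    # parenthesis means the option list was not parenthesized properly.
    outside = re.sub(r"\([^()]*\)", "", body)
    if not body.strip() or re.search(r"[,()]", outside):
        return "syntax-error"
    # "in" is the form the thread calls too lax; "=" is the accepted one.
    return "lax" if op == "in" else "ok"

def lint_profile(text):
    """Return [(line_number, verdict, rule)] for every mount options rule."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        verdict = classify_mount_rule(line)
        if verdict != "other":
            findings.append((number, verdict, line.strip()))
    return findings

# Constructed sample: the three forms from the thread plus an unrelated rule.
SAMPLE = """\
  # constructed excerpt, not the real start-container abstraction
  mount options in rw, slave,
  mount options in (rw, slave) -> /,
  mount options=(rw, slave) -> /,
  /dev/null rw,
"""

if __name__ == "__main__":
    for number, verdict, rule in lint_profile(SAMPLE):
        print(f"line {number}: {verdict:12} {rule}")
```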


[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-02 Thread John Johansen
The syntax allows for spaces or commas to separate items, because people
kept using them. However, a list of items must be inside parentheses.

mount options in (rw, slave),



[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-02 Thread Martin Pitt
I just tried this, and it seems to work:

  mount options in (rw, slave) -> /,

man apparmor.d should be fixed for this, as the parentheses are not contained
in the EBNF. With that, and the two /lib/init/apparmor-profile-load calls from
/etc/init/lxc.conf I can now run all containers.

** Changed in: lxc (Ubuntu)
   Status: Confirmed => Triaged



[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-02 Thread Martin Pitt
Oh, I missed the "lxc-start: No such file or directory - failed to
change apparmor profile to lxc-container-default". I didn't run the
equivalents of /etc/init/lxc.conf. "sudo /etc/init.d/apparmor reload"
seems to have understood the new line (mount options in rw, slave,), but
when I manually run the equivalent of that upstart job, I get an error:

$ sudo /lib/init/apparmor-profile-load usr.bin.lxc-start
AppArmor-Parser-Fehler für /etc/apparmor.d/usr.bin.lxc-start in /etc/apparmor.d/abstractions/lxc/start-container in Zeile 16: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE or TOK_ARROW

The syntax indeed looks a bit curious as it's using the comma both for
separating mount options as well as separating entire rules, so this
might not be entirely correct.



Re: [Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-02 Thread Serge Hallyn
That makes sense.

 status: confirmed
 importance: high


** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu)
   Status: New => Confirmed



[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-01 Thread Martin Pitt
After that fix I can start containers with "lxc.aa_profile =
unconfined". With containers using the default profile I still get an
error on startup:

$ sudo lxc-start -n adt-utopic
[sudo] password for martin: 
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: No such file or directory - failed to change apparmor profile to lxc-container-default
lxc-start: invalid sequence number 1. expected 4
lxc-start: failed to spawn 'adt-utopic'
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/lxc/adt-utopic
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/lxc/adt-utopic

There are no AppArmor denials (or other error messages) in dmesg.



[Bug 1325468] Re: [systemd] container startup fails with AppArmor

2014-06-01 Thread Martin Pitt
This particular issue can be fixed in
/etc/apparmor.d/abstractions/lxc/start-container by adding a line

  mount options in rw, slave,

After "sudo /etc/init.d/apparmor reload" that "Failed to make / rslave"
error is now gone. It still fails with the next error (Input/output
error - error 5 creating /usr/lib/x86_64-linux-gnu/lxc/dev/lxc/console),
but this seems to be an unrelated other bug.
