[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
*** This bug is a duplicate of bug 1296459 ***
    https://bugs.launchpad.net/bugs/1296459

I don't know if this bug is really a duplicate, but I encountered it today.
I had to power off then restart our Proxmox server, and 2 LXC containers refused to start with this error:

lxc-start 20170119130520.594 ERROR lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:234 - No such file or directory - failed to change apparmor profile to lxc-container-default-cgns
lxc-start 20170119130520.595 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
lxc-start 20170119130520.595 ERROR lxc_start - start.c:__lxc_start:1357 - Failed to spawn container "105".
lxc-start 20170119130521.359 ERROR lxc_conf - conf.c:run_buffer:347 - Script exited with status 32
lxc-start 20170119130521.359 ERROR lxc_start - start.c:lxc_fini:546 - Failed to run lxc.hook.post-stop for container "105".

Adding "lxc.aa_profile = unconfined" fixed the issue.

# pveversion --verbose
proxmox-ve: 4.4-78 (running kernel: 4.4.35-2-pve)
pve-manager: 4.4-5 (running version: 4.4-5/c43015a5)
pve-kernel-4.4.13-1-pve: 4.4.13-56
pve-kernel-4.4.35-1-pve: 4.4.35-77
pve-kernel-4.2.6-1-pve: 4.2.6-36
pve-kernel-4.4.8-1-pve: 4.4.8-52
pve-kernel-4.4.13-2-pve: 4.4.13-58
pve-kernel-4.4.35-2-pve: 4.4.35-78
pve-kernel-4.4.21-1-pve: 4.4.21-71
pve-kernel-4.4.15-1-pve: 4.4.15-60
pve-kernel-4.4.24-1-pve: 4.4.24-72
pve-kernel-4.4.19-1-pve: 4.4.19-66
pve-kernel-4.4.10-1-pve: 4.4.10-54
lvm2: 2.02.116-pve3
corosync-pve: 2.4.0-1
libqb0: 1.0-1
pve-cluster: 4.0-48
qemu-server: 4.0-102
pve-firmware: 1.1-10
libpve-common-perl: 4.0-85
libpve-access-control: 4.0-19
libpve-storage-perl: 4.0-71
pve-libspice-server1: 0.12.8-1
vncterm: 1.2-1
pve-docs: 4.4-1
pve-qemu-kvm: 2.7.1-1
pve-container: 1.0-90
pve-firewall: 2.0-33
pve-ha-manager: 1.0-38
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.6-5
lxcfs: 2.0.5-pve2
criu: 1.6.0-1
novnc-pve: 0.5-8
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.8-pve13~bpo80

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1296681

Title:
  failed to change apparmor profile to lxc-container-default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1296681/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
*** This bug is a duplicate of bug 1296459 ***
    https://bugs.launchpad.net/bugs/1296459

I seem to be seeing this issue as well. I'm not sure if it's the duplicate issue.

The profile config file name is lxc-default-with-mounting yet the actual profile name appears to be changed to lxc-container-default-with-mounting causing confusion.

/etc/apparmor.d/lxc/lxc-default-with-mounting

Inside that file the profile name is lxc-container-default-with-mounting.

I presume that at some point the profile naming convention was changed from lxc-default to lxc-container-default but the file name didn't get changed to match the convention.

This is confusing because if I configure the apparmor profile in the lxc config based on the config filename I'll get an error:

lxc.aa_profile = lxc-default-with-mounting

error:
lxc-start: No such file or directory - failed to change apparmor profile to lxc-default-with-mounting

using the actual profile name from inside the file

lxc.aa_profile = lxc-container-default-with-mounting

solves the problem.

I think a solution to the multiple names confusion would be to rename:
/etc/apparmor.d/lxc/lxc-default-with-mounting
to
/etc/apparmor.d/lxc/lxc-container-default-with-mounting

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1296681

Title:
  failed to change apparmor profile to lxc-container-default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1296681/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

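The file-name versus profile-name mismatch reported above can be checked before a container is started. The following is an added example, not part of the original message or of LXC: it compares the lxc.aa_profile value in a container config with the profile names declared inside the policy files, and also reports a profile that is declared but not loaded, the state the "failed to load" reload error elsewhere in this thread leaves behind. The function names and all sample files are constructed for illustration; /sys/kernel/security/apparmor/profiles is assumed as the loaded-profile list on a live host.

```shell
#!/bin/sh
# Added example, not from the bug thread. All sample files below are constructed.

# Profile names declared by "profile NAME ... {" lines in the files under DIR.
declared_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*profile[[:space:]]\{1,\}\([^[:space:]{]\{1,\}\).*/\1/p' "$f"
    done
}

# Names from a kernel-format list ("NAME (enforce)"), e.g.
# /sys/kernel/security/apparmor/profiles on a live host (readable by root).
loaded_profiles() {
    sed 's/ (.*)$//' "$1"
}

# Last uncommented lxc.aa_profile value in an LXC config, empty if none.
configured_profile() {
    sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Verdicts: ok | unknown (no policy file declares the name) |
# not-loaded (declared, but the kernel does not have it) |
# unconfined (no AppArmor confinement) | default (key not set).
check_aa_profile() {
    conf=$1; policy_dir=$2; loaded=${3:-/sys/kernel/security/apparmor/profiles}
    name=$(configured_profile "$conf")
    if [ -z "$name" ]; then echo default; return 0; fi
    if [ "$name" = unconfined ]; then echo unconfined; return 0; fi
    if ! declared_profiles "$policy_dir" | grep -qxF -- "$name"; then
        echo unknown; return 1
    fi
    if ! loaded_profiles "$loaded" | grep -qxF -- "$name"; then
        echo not-loaded; return 1
    fi
    echo ok
}

# Constructed fixture: policy file names differ from the names they declare,
# and the kernel list lacks lxc-container-default (it failed to load).
demo_setup() {
    DEMO=$(mktemp -d)
    mkdir "$DEMO/policy"
    printf 'profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {\n}\n' \
        > "$DEMO/policy/lxc-default-with-mounting"
    printf 'profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {\n}\n' \
        > "$DEMO/policy/lxc-default"
    printf 'lxc-container-default-with-mounting (enforce)\n' > "$DEMO/loaded"
    printf 'lxc.aa_profile = lxc-default-with-mounting\n' > "$DEMO/by-filename.conf"
    printf 'lxc.aa_profile = lxc-container-default-with-mounting\n' > "$DEMO/by-profile.conf"
    printf 'lxc.aa_profile = lxc-container-default\n' > "$DEMO/failed-load.conf"
    printf '# lxc.aa_profile = lxc-container-default\nlxc.aa_profile = unconfined\n' > "$DEMO/unconfined.conf"
}

demo_setup
for c in by-filename by-profile failed-load unconfined; do
    printf '%s: %s\n' "$c" "$(check_aa_profile "$DEMO/$c.conf" "$DEMO/policy" "$DEMO/loaded")"
done
rm -rf "$DEMO"
```

A verdict of unconfined means the container starts, but without any AppArmor confinement, so it is worth tracking as a temporary state rather than a fix.
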
[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
*** This bug is a duplicate of bug 1296459 ***
    https://bugs.launchpad.net/bugs/1296459

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lxc (Ubuntu)
       Status: New => Confirmed

[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
*** This bug is a duplicate of bug 1296459 ***
    https://bugs.launchpad.net/bugs/1296459

** This bug is no longer a duplicate of bug 1295774
   ERROR processing policydb rules for profile lxc-container-default, failed to load
** This bug has been marked a duplicate of bug 1296459
   Upgrade from 2.8.0-0ubuntu38 to 2.8.95~2430-0ubuntu2 breaks LXC containers

[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
It fails. I would say the problem is that /etc/apparmor.d/lxc/lxc-default includes a file named lxc-container-default which simply is missing in the package and thus can't be included.

# /etc/init.d/apparmor reload
 * Reloading AppArmor profiles
Enocoding of mount rule failed
ERROR processing policydb rules for profile lxc-container-default, failed to load
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd

# lxc-start -n meinerster
lxc-start: Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
lxc-start: No such file or directory - failed to change apparmor profile to lxc-container-default
lxc-start: invalid sequence number 1. expected 4
lxc-start: failed to spawn 'meinerster'
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuacct/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu/lxc/meinerster
lxc-start: Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/lxc/meinerster

[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
*** This bug is a duplicate of bug 1295774 ***
    https://bugs.launchpad.net/bugs/1295774

Nope, lxc-container-default is the profile name, there doesn't have to be a matching file name.

However the log you provided tells me which apparmor bug you are hitting, I'll mark this bug as a duplicate of the right one.

** This bug has been marked a duplicate of bug 1295774
   ERROR processing policydb rules for profile lxc-container-default, failed to load

[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
Uncommenting lxc.aa_profile = unconfined in the config made the machine run again, but still spit out error messages.

[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default
What happens if you do sudo /etc/init.d/apparmor reload and then try the container again with lxc.aa_profile = unconfined commented?

We have a couple of apparmor regressions which happened with the latest apparmor upload and that the security is tracking down, I'm just not sure which you are hitting...