Repeating a bit with a Jammy container (hence new comment)

### PRE CONDITION

this is using the custom Mantic VM _and_ has
apparmor_restrict_unprivileged_unconfined disabled

```
sudo bash -c "echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"
```

1. start a jammy container

```
lxc launch ubuntu:jammy
Creating the instance
Instance name is: alive-bee
Starting alive-bee
```

2. see some apparmor denies in journal

```
Oct 06 12:32:57 mantic-cust-vm kernel: audit: type=1400 audit(1696595577.647:954): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-alive-bee_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=5421 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Oct 06 12:33:01 mantic-cust-vm kernel: kauditd_printk_skb: 20 callbacks suppressed
Oct 06 12:33:01 mantic-cust-vm kernel: audit: type=1400 audit(1696595581.539:975): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=5538 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
Oct 06 12:33:03 mantic-cust-vm kernel: audit: type=1400 audit(1696595583.771:976): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20092/usr/lib/snapd/snap-confine" pid=5784 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
Oct 06 12:33:03 mantic-cust-vm kernel: audit: type=1400 audit(1696595583.779:977): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.configure" name="/apparmor/.null" pid=5784 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
Oct 06 12:33:03 mantic-cust-vm kernel: audit: type=1400 audit(1696595583.791:978): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20092/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=5784 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
Oct 06 12:33:04 mantic-cust-vm kernel: audit: type=1400 audit(1696595584.007:979): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-alive-bee_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=5933 comm="(imedated)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
```

3. snap changes is Done

```
root@alive-bee:~# snap changes
ID   Status  Spawn                     Ready               Summary
1    Done    9 days ago, at 02:11 UTC  today at 12:33 UTC  Initialize system state
2    Done    today at 12:32 UTC        today at 12:33 UTC  Initialize device
```

4. cloud-init is done

```
root@alive-bee:~# cloud-init status
status: done
```

So using the latest released jammy container is also now launching "successfully." Unsure how the other apparmor denies affect container performance. Running a quick spot check of my machine (Jammy) launching a Jammy container.
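A small triage helper for the denials listed in step 2, added here as an example (not part of the bug report, LXD or AppArmor): it parses type=1400 audit records, handles quoted values that contain commas such as the mount flags, and groups denials by profile and operation. It assumes journalctl emits each record on one line (the excerpt above is wrapped for display); the sample lines are copied from that excerpt.

```python
import re
from collections import Counter
from typing import Optional

# key=value and key="quoted value" tokens of an audit record; quoted values
# may contain spaces and commas (flags="rw, nosuid, nodev, noexec"), so the
# quoted alternative is tried first and consumed as one unit.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_record(line: str) -> Optional[dict]:
    """Fields of a type=1400 AppArmor record, or None for other kernel lines
    (e.g. the 'kauditd_printk_skb: ... callbacks suppressed' notice)."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def summarize_denials(lines) -> Counter:
    """Count DENIED records by (profile, operation, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec and rec.get("apparmor") == "DENIED":
            counts[(rec.get("profile"), rec.get("operation"), rec.get("class"))] += 1
    return counts

def mount_flag_mismatches(lines) -> list:
    """(profile, mount point, flags) for mounts denied with 'failed flags
    match', i.e. the requested flags matched no mount rule in the profile."""
    hits = []
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec and rec.get("operation") == "mount" and rec.get("info") == "failed flags match":
            hits.append((rec["profile"], rec["name"], rec["flags"]))
    return hits

# Constructed sample: four journal lines copied from the excerpt above,
# each unwrapped onto a single line as journalctl prints them.
SAMPLE_JOURNAL = [
    'Oct 06 12:32:57 mantic-cust-vm kernel: audit: type=1400 audit(1696595577.647:954): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-alive-bee_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=5421 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"',
    'Oct 06 12:33:01 mantic-cust-vm kernel: kauditd_printk_skb: 20 callbacks suppressed',
    'Oct 06 12:33:01 mantic-cust-vm kernel: audit: type=1400 audit(1696595581.539:975): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=5538 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0',
    'Oct 06 12:33:04 mantic-cust-vm kernel: audit: type=1400 audit(1696595584.007:979): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-alive-bee_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=5933 comm="(imedated)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"',
]

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_JOURNAL).items():
        print(n, *key)
    for profile, target, flags in mount_flag_mismatches(SAMPLE_JOURNAL):
        print(profile, "denied mount of", target, "with flags", flags)
```

On a live system the same functions can be fed `journalctl -k -o cat` output line by line.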

https://bugs.launchpad.net/bugs/2038567

Title:
  Mantic 6.5.0-7 kernel causes regression in LXD container usage

Status in Release Notes for Ubuntu:
  New
Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in lxd package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New

Bug description:
  Following upgrade to 6.5.0-7 kernel in mantic cloud images we are
  seeing a regression in our cloud image tests. The test runs the
  following:

  ```
  lxd init --auto --storage-backend dir
  lxc launch ubuntu-daily:mantic mantic
  lxc info mantic
  lxc exec mantic -- cloud-init status --wait
  ```

  The `lxc exec mantic -- cloud-init status --wait` times out after 240s
  and will fail our test as a result.

  I have been able to replicate in a local VM:

  ```
  wget http://cloud-images.ubuntu.com/mantic/20231005/mantic-server-cloudimg-amd64.img
  wget --output-document=launch-qcow2-image-qemu.sh https://gist.githubusercontent.com/philroche/14c241c086a5730481e24178b654268f/raw/7af95cd4dfc8e1d0600e6118803d2c866765714e/gistfile1.txt
  chmod +x launch-qcow2-image-qemu.sh

  ./launch-qcow2-image-qemu.sh --password passw0rd --image ./mantic-server-cloudimg-amd64.img
  cat <<EOF > "./reproducer.sh"
  #!/bin/bash -eux
  lxd init --auto --storage-backend dir
  lxc launch ubuntu-daily:mantic mantic
  lxc info mantic
  lxc exec mantic -- cloud-init status --wait
  EOF
  chmod +x ./reproducer.sh
  sshpass -p passw0rd scp -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -P 2222 ./reproducer.sh ubuntu@127.0.0.1:~/
  sshpass -p passw0rd ssh -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -p 2222 ubuntu@127.0.0.1 sudo apt-get update
  sshpass -p passw0rd ssh -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -p 2222 ubuntu@127.0.0.1 sudo apt-get upgrade --assume-yes
  sshpass -p passw0rd ssh -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -p 2222 ubuntu@127.0.0.1 ./reproducer.sh
  ```

  The issue is not present with the 6.5.0-5 kernel and the issue is
  present regardless of the container launched. I tried the jammy
  container to test this.

  From my test VM:

  ```
  ubuntu@cloudimg:~$ uname --all
  Linux cloudimg 6.5.0-7-generic #7-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 29 09:14:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  ubuntu@cloudimg:~$ uname --kernel-release
  6.5.0-7-generic
  ```

  This is a regression in our test that will block 23.10 cloud image
  release next week.
