Since I started seeing this in libvirt:
There might be reasons that is done that way, but this affects me and probably other use cases, e.g. if I install libvirt:

$ apt install libvirt-daemon-system
$ aa-status | grep libvirt

On my test systems the containers do not get any profile loaded:

$ aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

When testing a new disco container on my laptop they at least have fewer profiles, but some profiles work. Odd at least.

** Description changed:

- In LXD apparmor now skips starting:
- Formerly:
- root@testkvm-bionic-from:~# systemctl status apparmor
- ● apparmor.service - AppArmor initialization
-    Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
-    Active: active (exited) since Mon 2019-04-15 13:09:07 UTC; 1h 8min ago
-      Docs: man:apparmor(7)
-            http://wiki.apparmor.net/
-   Process: 90 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
-  Main PID: 90 (code=exited, status=0/SUCCESS)
+ In LXD apparmor now skips starting.
- Apr 15 13:09:07 testkvm-bionic-from systemd[1]: apparmor.service: Failed to reset devices.list: Operation not permitted
- Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Starting AppArmor initialization...
- Apr 15 13:09:07 testkvm-bionic-from apparmor[90]:  * Starting AppArmor profiles
- Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
- Apr 15 13:09:07 testkvm-bionic-from apparmor[90]:    ...done.
- Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Started AppArmor initialization.
+ Steps to reproduce:
+ 1. start LXD container
+ $ lxc launch ubuntu-daily:d d-testapparmor
+ (disco to trigger the issue, cosmic as reference)
+ 2. check the default profiles loaded
+ $ aa-status
+ => This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
+ Cosmic:
+ 25 profiles are loaded.
+ 25 profiles are in enforce mode.
+ Disco:
+ 15 profiles are loaded.
+ 15 profiles are in enforce mode.
- Now:
- root@testkvm-disco-to:~# systemctl status apparmor
- ● apparmor.service - Load AppArmor profiles
-    Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
-    Active: active (exited) since Mon 2019-04-15 13:56:12 UTC; 21min ago
-      Docs: man:apparmor(7)
-            https://gitlab.com/apparmor/apparmor/wikis/home/
-   Process: 101 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
-  Main PID: 101 (code=exited, status=0/SUCCESS)
+ All those 15 remaining are from snaps.
+ The service of apparmor.service actually states that it refuses to start.
- Apr 15 13:56:12 testkvm-disco-to systemd[1]: Starting Load AppArmor profiles...
+ $ systemctl status apparmor
+ ...
  Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
- Apr 15 13:56:12 testkvm-disco-to systemd[1]: Started Load AppArmor profiles.
+ Since some apparmor seems to work I need to debug it further why so many
+ are missing initially and why it affects me in libvirt.
- ---
+ ---
  ---
  ---
  This bug started as: Migrations to Disco trigger "Unable to find security driver for model apparmor"
  
  This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke.
  I have migrated to Disco's qemu 3.1 already which makes me doubt generic issues in qemu 3.1 in general.
  
  The virt tests that run cross release work fine starting from X/B/C but all those chains fail at migrating to Disco now with:
  $ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal qemu+ssh://10.21.151.207/system
  error: unsupported configuration: Unable to find security driver for model apparmor
  
  I need to analyze what changed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824812

Title:
  apparmor no more starting in Disco LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1824812/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
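A check for the state the report describes (profiles present, but all of them from snaps and none from libvirt), added here as an example and not part of the bug report, the apparmor package or libvirt. It classifies the loaded profile names behind aa-status, read from /sys/kernel/security/apparmor/profiles where that file is readable (an assumption about the system it runs on); the SAMPLE_* lists are constructed stand-ins so the check also runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report: tell the "only snap profiles remain"
# state of a disco LXD container apart from a host where libvirt's profiles
# (libvirtd, virt-aa-helper) are actually loaded.

# Constructed sample modelled on the report's disco container.
SAMPLE_DISCO='snap.core.hook.configure (enforce)
snap.lxd.daemon (enforce)
snap.lxd.lxc (enforce)'

# Constructed sample of a host with libvirt-daemon-system installed.
SAMPLE_HOST='/usr/sbin/libvirtd (enforce)
virt-aa-helper (enforce)
/usr/sbin/tcpdump (enforce)
snap.lxd.daemon (enforce)'

# Count profiles of one kind (snap, libvirt or system) in the list on stdin.
count_kind() {
    awk -v want="$1" '
        NF == 0 { next }
        {
            if ($1 ~ /^snap\./) kind = "snap"
            else if ($1 ~ /libvirt|virt-aa-helper/) kind = "libvirt"
            else kind = "system"
            if (kind == want) n++
        }
        END { print n + 0 }'
}

# Summarise a profile list as one of: none, snap-only, partial, ok.
# "snap-only" is the state in the report: apparmor.service skipped loading
# in the container, but snapd still loaded its own profiles.
apparmor_confinement_state() {
    list=$1
    snap=$(printf '%s\n' "$list" | count_kind snap)
    libvirt=$(printf '%s\n' "$list" | count_kind libvirt)
    system=$(printf '%s\n' "$list" | count_kind system)
    if [ "$((snap + libvirt + system))" -eq 0 ]; then echo none
    elif [ "$((libvirt + system))" -eq 0 ]; then echo snap-only
    elif [ "$libvirt" -eq 0 ]; then echo partial
    else echo ok
    fi
}

# Use the live kernel list when readable (assumed path), else the sample.
if [ -r /sys/kernel/security/apparmor/profiles ]; then
    live=$(cat /sys/kernel/security/apparmor/profiles)
else
    live=$SAMPLE_DISCO
fi
echo "apparmor confinement state: $(apparmor_confinement_state "$live")"
```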