← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor"

 

** Also affects: tor (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: tor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
  name="system_tor"

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete
Status in tor package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in tor source package in Xenial:
  New
Status in apparmor source package in Yakkety:
  New
Status in linux source package in Yakkety:
  Fix Committed
Status in tor source package in Yakkety:
  New

Bug description:
  Environment:
  ----------------

      Distribution: ubuntu
      Distribution version: 16.10
      lxc info:
      apiextensions:

      storage_zfs_remove_snapshots
      container_host_shutdown_timeout
      container_syscall_filtering
      auth_pki
      container_last_used_at
      etag
      patch
      usb_devices
      https_allowed_credentials
      image_compression_algorithm
      directory_manipulation
      container_cpu_time
      storage_zfs_use_refquota
      storage_lvm_mount_options
      network
      profile_usedby
      container_push
      apistatus: stable
      apiversion: "1.0"
      auth: trusted
      environment:
      addresses:
          163.172.48.149:8443
          172.20.10.1:8443
          172.20.11.1:8443
          172.20.12.1:8443
          172.20.22.1:8443
          172.20.21.1:8443
          10.8.0.1:8443
          architectures:
          x86_64
          i686
          certificate: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
          driver: lxc
          driverversion: 2.0.5
          kernel: Linux
          kernelarchitecture: x86_64
          kernelversion: 4.8.0-27-generic
          server: lxd
          serverpid: 32694
          serverversion: 2.4.1
          storage: btrfs
          storageversion: 4.7.3
          config:
          core.https_address: '[::]:8443'
          core.trust_password: true

  Container: ubuntu 16.10

  
  Issue description
  ------------------

  
  tor can't start in a non privileged container

  
  Logs from the container:
  -------------------------

  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted


  Logs from the host
  --------------------

  audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" 
  pid=12164 comm="(tor)"

  
  Steps to reproduce
  ---------------------

      install ubuntu container 16.10 on a ubuntu 16.10 host
      install tor in the container
      Launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions