group.of.nepali.translators team mailing list archive
Message #11522
[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor"
So this particular bug is Invalid for the tor package in Ubuntu, since
the bug was in the kernel and we've verified that with fixes in
proposed. tor still doesn't work on Zesty, but I'll file a separate bug
for that.
** Changed in: tor (Ubuntu)
       Status: New => Invalid
** Changed in: tor (Ubuntu Xenial)
       Status: New => Invalid
** Changed in: tor (Ubuntu Yakkety)
       Status: New => Invalid
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648143
Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
  name="system_tor"
Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Fix Released
Status in tor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  Fix Released
Status in tor source package in Xenial:
  Invalid
Status in apparmor source package in Yakkety:
  New
Status in linux source package in Yakkety:
  Fix Committed
Status in tor source package in Yakkety:
  Invalid
Bug description:
Environment:
----------------
Distribution: ubuntu
Distribution version: 16.10
lxc info:
apiextensions:
  storage_zfs_remove_snapshots
  container_host_shutdown_timeout
  container_syscall_filtering
  auth_pki
  container_last_used_at
  etag
  patch
  usb_devices
  https_allowed_credentials
  image_compression_algorithm
  directory_manipulation
  container_cpu_time
  storage_zfs_use_refquota
  storage_lvm_mount_options
  network
  profile_usedby
  container_push
apistatus: stable
apiversion: "1.0"
auth: trusted
environment:
  addresses:
    163.172.48.149:8443
    172.20.10.1:8443
    172.20.11.1:8443
    172.20.12.1:8443
    172.20.22.1:8443
    172.20.21.1:8443
    10.8.0.1:8443
  architectures:
    x86_64
    i686
  certificate: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
  driver: lxc
  driverversion: 2.0.5
  kernel: Linux
  kernelarchitecture: x86_64
  kernelversion: 4.8.0-27-generic
  server: lxd
  serverpid: 32694
  serverversion: 2.4.1
  storage: btrfs
  storageversion: 4.7.3
config:
  core.https_address: '[::]:8443'
  core.trust_password: true
Container: ubuntu 16.10
Issue description
------------------
tor can't start in a non privileged container
Logs from the container:
-------------------------
Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
Logs from the host
--------------------
audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor"
pid=12164 comm="(tor)"
Steps to reproduce
---------------------
install ubuntu container 16.10 on a ubuntu 16.10 host
install tor in the container
Launch tor
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions
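
A triage helper for host audit records like the one in this report, added here as an example (it is not part of the bug report or of any Ubuntu tooling): it parses the record's key=value fields and flags exec-time profile transitions (`change_onexec`) that were denied because the target label was not found. The function names and the second sample record are constructed for illustration.

```python
import errno
import re

# Host audit record from the report above, rejoined onto one line.
REPORTED = ('audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" '
            'operation="change_onexec" info="label not found" error=-2 '
            'namespace="root//lxd-anonymous_" profile="unconfined" '
            'name="system_tor" pid=12164 comm="(tor)"')
# Constructed contrast record: an ordinary file denial, not a profile transition.
OTHER = ('audit: type=1400 audit(1481119400.100:6951): apparmor="DENIED" '
         'operation="open" profile="example_profile" name="/etc/example" '
         'pid=100 comm="example"')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')    # audit(epoch:serial)


def parse_record(line):
    """Return the key=value fields of one kernel AppArmor audit record."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    m = STAMP.search(line)
    if m:
        fields["epoch"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields


def triage(line):
    """Summarise a DENIED record; None for anything that is not a denial."""
    f = parse_record(line)
    if f.get("apparmor") != "DENIED":
        return None
    err = abs(int(f.get("error", "0")))             # kernel logs a negative errno
    return {
        "operation": f.get("operation"),
        "namespace_path": [p for p in f.get("namespace", "").split("//") if p],
        "target": f.get("name"),
        "errno": errno.errorcode.get(err),          # None when no error= field
        "missing_label": (f.get("operation") == "change_onexec"
                          and f.get("info") == "label not found"),
    }


if __name__ == "__main__":
    print(triage(REPORTED))
    print(triage(OTHER))
```

For the reported record, `error=-2` decodes to `ENOENT`, the same "No such file or directory" that systemd printed inside the container at step APPARMOR.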