
touch-packages team mailing list archive

[Bug 1441070] Re: lxc-start on default vivid container fails on apparmor violation

 

Whatever it was, it's working on current vivid now. Sorry for the noise.

** Changed in: lxc (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1441070

Title:
  lxc-start on default vivid container fails on apparmor violation

Status in lxc package in Ubuntu:
  Invalid

Bug description:
  With latest vivid's LXC, starting a vivid container now fails on
  mounting the cgroups:

  $ sudo lxc-create --name=v -t ubuntu -- -r vivid
  $ sudo lxc-start -n v -F
  Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
  systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN)
  Detected virtualization lxc.
  Detected architecture x86-64.

  Welcome to Ubuntu Vivid Vervet (development branch)!

  Set hostname to <v>.
  Failed to install release agent, ignoring: No such file or directory
  Failed to create root cgroup hierarchy: No such file or directory
  Failed to allocate manager object: No such file or directory

  This is due to an apparmor violation:

  $ dmesg 
  [17921.831035] kvm [26603]: vcpu0 disabled perfctr wrmsr: 0xc1 data 0xffff
  [17945.611375] device vethWK88T5 entered promiscuous mode
  [17945.611487] IPv6: ADDRCONF(NETDEV_UP): vethWK88T5: link is not ready
  [17945.651954] eth0: renamed from vethB6ASGB
  [17945.692029] IPv6: ADDRCONF(NETDEV_CHANGE): vethWK88T5: link becomes ready
  [17945.692104] lxcbr0: port 1(vethWK88T5) entered forwarding state
  [17945.692116] lxcbr0: port 1(vethWK88T5) entered forwarding state
  [17945.730478] audit: type=1400 audit(1428400530.895:113): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.730505] audit: type=1400 audit(1428400530.895:114): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.730931] audit: type=1400 audit(1428400530.895:115): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/devices/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.730963] audit: type=1400 audit(1428400530.895:116): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/net_cls,net_prio/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.730993] audit: type=1400 audit(1428400530.895:117): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/perf_event/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.731020] audit: type=1400 audit(1428400530.895:118): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/hugetlb/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.731049] audit: type=1400 audit(1428400530.895:119): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpuset/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.731077] audit: type=1400 audit(1428400530.895:120): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/freezer/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.731106] audit: type=1400 audit(1428400530.895:121): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu,cpuacct/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
  [17945.731133] audit: type=1400 audit(1428400530.895:122): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

  The workaround is to change the container config to use
  "lxc.aa_profile = unconfined", but I suppose we actually want the
  default profile to work.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: lxc 1.1.1-0ubuntu4
  ProcVersionSignature: Ubuntu 3.19.0-12.12-generic 3.19.3
  Uname: Linux 3.19.0-12-generic x86_64
  ApportVersion: 2.17-0ubuntu1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Tue Apr  7 11:55:09 2015
  EcryptfsInUse: Yes
  KernLog:
   
  SourcePackage: lxc
  UpgradeStatus: No upgrade log present (probably fresh install)
  defaults.conf:
   lxc.network.type = veth
   lxc.network.link = lxcbr0
   lxc.network.flags = up
   lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  lxc.conf: lxc.lxcpath = /srv/lxc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1441070/+subscriptions
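
Added example (not part of the original bug report or of LXC): a small Python parser that groups the AppArmor `DENIED` audit records quoted above by profile, operation and filesystem type, which shows that every denial in this report is the same rule class (a `cgroup` mount under `lxc-container-default`). The function names are illustrative, and the embedded sample is a subset of the dmesg lines from the report.

```python
import re
from collections import defaultdict

# Subset of the dmesg output quoted in the report, embedded so this runs offline.
SAMPLE = '''\
[17945.692116] lxcbr0: port 1(vethWK88T5) entered forwarding state
[17945.730478] audit: type=1400 audit(1428400530.895:113): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730505] audit: type=1400 audit(1428400530.895:114): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730931] audit: type=1400 audit(1428400530.895:115): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/devices/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731133] audit: type=1400 audit(1428400530.895:122): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # Skip the "[ts] audit: type=1400 audit(epoch:serial): " header.
    _, _, body = line.partition("): ")
    fields = {}
    for key, raw, quoted in KV.findall(body):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize(log_text):
    """Map (profile, operation, fstype) -> sorted unique denied paths."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            key = (rec.get("profile"), rec.get("operation"), rec.get("fstype"))
            groups[key].add(rec.get("name"))
    return {key: sorted(paths) for key, paths in groups.items()}


if __name__ == "__main__":
    for (profile, op, fstype), paths in summarize(SAMPLE).items():
        print(f"{profile}: {op} of fstype={fstype} denied on {len(paths)} path(s)")
        for path in paths:
            print(f"  {path}")
```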

