lxc-start on default vivid container fails on apparmor violation

Bug #1441070 reported by Martin Pitt
This bug affects 2 people
Affects: lxc (Ubuntu)
Status: Invalid
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

With the latest vivid LXC, starting a vivid container now fails when mounting the cgroups:

$ sudo lxc-create --name=v -t ubuntu -- -r vivid
$ sudo lxc-start -n v -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Ubuntu Vivid Vervet (development branch)!

Set hostname to <v>.
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: No such file or directory
Failed to allocate manager object: No such file or directory

This is due to an apparmor violation:

$ dmesg
[17921.831035] kvm [26603]: vcpu0 disabled perfctr wrmsr: 0xc1 data 0xffff
[17945.611375] device vethWK88T5 entered promiscuous mode
[17945.611487] IPv6: ADDRCONF(NETDEV_UP): vethWK88T5: link is not ready
[17945.651954] eth0: renamed from vethB6ASGB
[17945.692029] IPv6: ADDRCONF(NETDEV_CHANGE): vethWK88T5: link becomes ready
[17945.692104] lxcbr0: port 1(vethWK88T5) entered forwarding state
[17945.692116] lxcbr0: port 1(vethWK88T5) entered forwarding state
[17945.730478] audit: type=1400 audit(1428400530.895:113): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730505] audit: type=1400 audit(1428400530.895:114): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730931] audit: type=1400 audit(1428400530.895:115): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/devices/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730963] audit: type=1400 audit(1428400530.895:116): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/net_cls,net_prio/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730993] audit: type=1400 audit(1428400530.895:117): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/perf_event/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731020] audit: type=1400 audit(1428400530.895:118): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/hugetlb/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731049] audit: type=1400 audit(1428400530.895:119): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpuset/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731077] audit: type=1400 audit(1428400530.895:120): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/freezer/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731106] audit: type=1400 audit(1428400530.895:121): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/cpu,cpuacct/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.731133] audit: type=1400 audit(1428400530.895:122): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

The workaround is to change the container config to use "lxc.aa_profile = unconfined", but I suppose we actually want the default profile to work.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: lxc 1.1.1-0ubuntu4
ProcVersionSignature: Ubuntu 3.19.0-12.12-generic 3.19.3
Uname: Linux 3.19.0-12-generic x86_64
ApportVersion: 2.17-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Apr 7 11:55:09 2015
EcryptfsInUse: Yes
KernLog:

SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
 lxc.network.type = veth
 lxc.network.link = lxcbr0
 lxc.network.flags = up
 lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.conf: lxc.lxcpath = /srv/lxc
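The audit records in the dmesg excerpt are what a practitioner should triage before reaching for `lxc.aa_profile = unconfined`, which drops the container's AppArmor confinement entirely rather than fixing the rule that is missing. The following shell script is an added example, not code from the bug report or from LXC: it parses AppArmor audit records of the kind shown above, keeps only the DENIED mount operations (skipping the veth/bridge noise that shares the log), prints profile, filesystem type, target path and mount flags for each, and collapses the repeats into a per-profile count. The sample log lines are constructed from the excerpt in the report; the function names are the example's own.

```shell
#!/bin/sh
# Summarise AppArmor mount denials from kernel audit lines (added example,
# not part of the original bug report or of LXC).

# Constructed sample: two audit records from the report's dmesg excerpt plus
# two unrelated netdev lines that a real dmesg would interleave.
SAMPLE_DMESG='[17945.611375] device vethWK88T5 entered promiscuous mode
[17945.730478] audit: type=1400 audit(1428400530.895:113): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.730931] audit: type=1400 audit(1428400530.895:115): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/devices/" pid=28447 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[17945.692104] lxcbr0: port 1(vethWK88T5) entered forwarding state'

# audit_field RECORD KEY: print the quoted value of KEY="..." in RECORD.
# The leading whitespace anchor keeps name= from matching inside srcname=.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# summarise_denials: read audit lines on stdin, emit one line per DENIED mount:
#   <profile> <fstype> <target path> [<mount flags>]
summarise_denials() {
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*'operation="mount"'*) ;;
            *) continue ;;   # not an AppArmor mount denial; ignore
        esac
        printf '%s %s %s [%s]\n' \
            "$(audit_field "$line" profile)" \
            "$(audit_field "$line" fstype)" \
            "$(audit_field "$line" name)" \
            "$(audit_field "$line" flags)"
    done
}

# count_denials: collapse the per-record output into "<profile> <count>".
count_denials() {
    summarise_denials | awk '{ c[$1]++ } END { for (p in c) printf "%s %d\n", p, c[p] }'
}

# Stand-alone usage: run both views over the constructed sample.
printf '%s\n' "$SAMPLE_DMESG" | summarise_denials
printf '%s\n' "$SAMPLE_DMESG" | count_denials
```

On a live host replace the sample with `dmesg | summarise_denials` (or `journalctl -k`); the `profile` and `name` columns tell you which profile to adjust and which mount point it blocked, which is more useful than a blanket `unconfined`. The `error=-13` in each record is EACCES, matching the "Permission denied" that systemd printed inside the container.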

Revision history for this message
Martin Pitt (pitti) wrote :
Changed in lxc (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Stéphane Graber (stgraber) wrote :

You don't appear to have lxcfs running.

Martin Pitt (pitti) wrote :

Whatever it was, it's working on current vivid now. Sorry for the noise.

Changed in lxc (Ubuntu):
status: Confirmed → Invalid