Can't deploy nested focal LXDs on an impish host

Bug #1948425 reported by Barry Price
This bug affects 3 people
Affects: Canonical Juju
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

Using the lxd/localhost provider on an impish amd64 host, running the latest Juju snap:

https://paste.ubuntu.com/p/tPxpyv4jrZ/

I've only tested focal guests on impish, but can test other series if that's helpful.

Syslog is full of repeated apparmor DENIED messages like these, seems to be the same targets each time (netstat and snmp):

Oct 22 14:53:50 x1c9 kernel: [100445.847161] audit: type=1400 audit(1634889229.997:201586): apparmor="DENIED" operation="open" namespace="root//lxd-juju-b43d75-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/proc/709/net/netstat" pid=6088 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Oct 22 14:53:50 x1c9 kernel: [100445.847170] audit: type=1400 audit(1634889229.997:201587): apparmor="DENIED" operation="open" namespace="root//lxd-juju-b43d75-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/proc/709/net/snmp" pid=6088 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

Changed in juju:
status: New → Triaged
importance: Undecided → Medium
milestone: none → 2.9-next
Barry Price (barryprice) wrote :

Decided to work around this by starting up a multipass VM, manually adding that to my model as machine 0, then deploying LXDs onto that, but I see the same issue:

0 started 10.214.6.65 manual:10.214.6.65 focal Manually provisioned machine
0/lxd/0 pending juju-789e09-0-lxd-0 focal Container started
0/lxd/1 pending juju-789e09-0-lxd-1 focal Container started

So this isn't necessarily LXD-specific on the provider side after all - updated bug title.

summary: - Can't deploy nested LXDs using the LXD provider
+ Can't deploy nested focal LXDs on an impish host
Juan Jimenez (juan.jimenez) wrote :

When I run LXD my kernel ring buffer gets 2 messages per second like the following:

audit: type=1400 audit(1639672400.005:56710): apparmor="DENIED" operation="open" namespace="root//lxd-juju-25e091-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/proc/911/net/snmp" pid=217059 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

And in syslog I have some like these:

audit: type=1400 audit(1639639794.117:278): apparmor="DENIED" operation="open" namespace="root//lxd-juju-25e091-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/sys/block/" pid=12096 comm="mongod" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=0
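
An added example (not part of the report or its comments): a small Python triage script that parses AppArmor DENIED audit lines like those quoted above, collapses the per-process /proc/<pid>/ prefix, and groups the denials by profile, command and target so the repeated targets stand out. The function names and the grouping key are this example's own choices; the sample lines are copied from the report and the comment above.

```python
import re
from collections import defaultdict

# Sample input: four denial lines copied from the report and the comment above.
SAMPLE = [
    'Oct 22 14:53:50 x1c9 kernel: [100445.847161] audit: type=1400 audit(1634889229.997:201586): apparmor="DENIED" operation="open" namespace="root//lxd-juju-b43d75-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/proc/709/net/netstat" pid=6088 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    'Oct 22 14:53:50 x1c9 kernel: [100445.847170] audit: type=1400 audit(1634889229.997:201587): apparmor="DENIED" operation="open" namespace="root//lxd-juju-b43d75-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/proc/709/net/snmp" pid=6088 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    'audit: type=1400 audit(1639672400.005:56710): apparmor="DENIED" operation="open" namespace="root//lxd-juju-25e091-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/proc/911/net/snmp" pid=217059 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    'audit: type=1400 audit(1639639794.117:278): apparmor="DENIED" operation="open" namespace="root//lxd-juju-25e091-0_<var-snap-lxd-common-lxd>" profile="snap.juju-db.daemon" name="/sys/block/" pid=12096 comm="mongod" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=0',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
PROC_PID = re.compile(r'^/proc/\d+/')           # the pid differs per process


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def summarize(lines):
    """Group denials by (profile, comm, normalized path, denied_mask).

    Returns {key: {"count": int, "namespaces": set}} so that one target
    denied in several containers shows up as a single row.
    """
    rows = defaultdict(lambda: {"count": 0, "namespaces": set()})
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        path = PROC_PID.sub("/proc/<pid>/", d.get("name", "?"))
        key = (d.get("profile"), d.get("comm"), path, d.get("denied_mask"))
        rows[key]["count"] += 1
        rows[key]["namespaces"].add(d.get("namespace"))
    return dict(rows)


if __name__ == "__main__":
    for (profile, comm, path, mask), row in sorted(summarize(SAMPLE).items()):
        print(f'{row["count"]:3d}  {profile}  {comm}  {path}  mask={mask}  '
              f'namespaces={len(row["namespaces"])}')
```

To run it over a real log, pass the lines of the syslog file or of `dmesg` output to `summarize()` in place of `SAMPLE`.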

Canonical Juju QA Bot (juju-qa-bot) wrote :

This Medium-priority bug has not been updated in 60 days, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Medium → Low
tags: added: expirebugs-bot
Ian Booth (wallyworld)
Changed in juju:
milestone: 2.9-next → none