Ubuntu
lxd package

lxd vga console throws "Operation not permitted" error

Bug #2057927 reported by Tobias Heider on 2024-03-14

22

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	apparmor (Ubuntu)	Confirmed	Undecided	Unassigned
	lxd (Ubuntu)	Incomplete	Undecided	Unassigned

Bug Description

Since I upgraded to Noble the lxd vga console doesn't work anymore. I am using the lxd latest/stable snap (5.20-f3dd836). When trying to attach a vga console to an lxd vm I get:

unshare: write failed /proc/self/uid_map: Operation not permitted

It seems to be related to apparmor, I can see a matching DENIAL message in dmesg:

[ 4735.233989] audit: type=1400 audit(1710419600.517:300): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=13157 comm="unshare" capability=21 capname="sys_admin"

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-03-14:

#1

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status:	New → Confirmed
Changed in lxd (Ubuntu):
status:	New → Confirmed

Revision history for this message

Dave Jones (waveform) wrote on 2024-03-29:

#3

I see a basically identical message (and dmesg apparmor output) with "lxc profile edit default":

unshare: write failed /proc/self/uid_map: Operation not permitted

And the dmesg entry:

[ 194.625507] audit: type=1400 audit(1711709095.424:293): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=6885 comm="unshare" capability=21 capname="sys_admin"

Revision history for this message

Thomas Parrott (tomparrott) wrote on 2024-04-20:

#4

Please can you confirm if still an issue on lxd 5.21/stable as this is the current supported version. Thanks

Revision history for this message

Simon Déziel (sdeziel) wrote on 2024-04-22:

#5

I just tested 5.21/stable and couldn't reproduce as it properly disable the /proc/sys/kernel/apparmor_restrict_unprivileged_userns and /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined that would otherwise have caused those denials.

Marking as incomplete until you can reproduce with 5.21/stable (5.20 being EOL). Thanks

Changed in lxd (Ubuntu):
status:	Confirmed → Incomplete

Revision history for this message

Paul Tobias (tobias.pal) wrote on 2024-05-17:

#9

$ lxd --version
5.21.1 LTS
$ lxc console --type=vga testinstance
unshare: write failed /proc/self/uid_map: Operation not permitted

Revision history for this message

Simon Déziel (sdeziel) wrote on 2024-05-17:

#10

@Paul or @Tobias, would you be able to provide a bit more information on your environment in a discourse thread at https://discourse.ubuntu.com/c/lxd/? That would help us hash out a reproducer. Thanks

Revision history for this message

Tobias Heider (tobhe) wrote on 2024-05-19:

#11

@sdeziel It looks like I can't trigger the bug anymore with 5.21.1-d46c406 so whatever my problem was probably got fixed in one of the last updates

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.