apparmor makes it impossible to install postgresql-common on Precise

Bug #925024 reported by Gary Poster
This bug affects 2 people
Affects          Status      Importance  Assigned to     Milestone
linux (Ubuntu)   Confirmed   High        John Johansen
lxc (Ubuntu)     Confirmed   High        Unassigned

Bug Description

Repro:

$ sudo lxc-create -t ubuntu -n precise -f /etc/lxc/local.conf -- -r precise -a i686 -b gary
$ sudo lxc-start -n precise
[log in as root]
root@precise:~# apt-get install postgresql-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  openssl postgresql-client-common ssl-cert
Suggested packages:
  ca-certificates openssl-blacklist
The following NEW packages will be installed:
  openssl postgresql-client-common postgresql-common ssl-cert
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 643 kB of archives.
After this operation, 1618 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://archive.ubuntu.com/ubuntu/ precise/main openssl i386 1.0.0e-3ubuntu1 [510 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ precise/main postgresql-client-common all 128 [25.6 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ precise/main ssl-cert all 1.0.28 [12.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu/ precise/main postgresql-common all 128 [94.9 kB]
Fetched 643 kB in 1s (482 kB/s)
Preconfiguring packages ...
Selecting previously unselected package openssl.
(Reading database ... 12500 files and directories currently installed.)
Unpacking openssl (from .../openssl_1.0.0e-3ubuntu1_i386.deb) ...
Selecting previously unselected package postgresql-client-common.
Unpacking postgresql-client-common (from .../postgresql-client-common_128_all.deb) ...
Selecting previously unselected package ssl-cert.
Unpacking ssl-cert (from .../ssl-cert_1.0.28_all.deb) ...
Selecting previously unselected package postgresql-common.
Unpacking postgresql-common (from .../postgresql-common_128_all.deb) ...
Adding 'diversion of /usr/bin/pg_config to /usr/bin/pg_config.libpq-dev by postgresql-common'
dpkg: unrecoverable fatal error, aborting:
 failed to fstat previous diversions file: No such file or directory
E: Sub-process /usr/bin/dpkg returned an error code (2)

Workaround (thanks to wgrant):
 sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disable/
 sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start

Then it should work.

Ideally we'd be able to keep apparmor involved.
---
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
ApportVersion: 1.91-0ubuntu1
Architecture: amd64
ArecordDevices:
 **** List of CAPTURE Hardware Devices ****
 card 0: NVidia [HDA NVidia], device 0: Cirrus Analog [Cirrus Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: gary 1953 F.... pulseaudio
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Card0.Amixer.info:
 Card hw:0 'NVidia'/'HDA NVidia at 0xe7480000 irq 21'
   Mixer name : 'Cirrus Logic CS4206'
   Components : 'HDA:10134206,106b4b00,00100301'
   Controls : 18
   Simple ctrls : 9
CurrentDmesg:
 Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
 dmesg: write failed: Broken pipe
DistroRelease: Ubuntu 12.04
MachineType: Apple Inc. MacBookPro5,3
NonfreeKernelModules: wl nvidia
Package: lxc 0.7.5-3ubuntu16
PackageArchitecture: amd64
ProcEnviron:
 PATH=(custom, user)
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-12-generic root=UUID=44d3af31-0b7b-42d9-a0ff-d3cfb63f282d ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 3.2.0-12.21-generic 3.2.2
Tags: precise running-unity
Uname: Linux 3.2.0-12-generic x86_64
UpgradeStatus: Upgraded to precise on 2012-01-23 (9 days ago)
UserGroups: libvirtd sudo
WifiSyslog:

dmi.bios.date: 06/15/09
dmi.bios.vendor: Apple Inc.
dmi.bios.version: MBP53.88Z.00AC.B03.0906151647
dmi.board.asset.tag: Base Board Asset Tag#
dmi.board.name: Mac-F22587C8
dmi.board.vendor: Apple Inc.
dmi.chassis.asset.tag: Asset Tag#
dmi.chassis.type: 10
dmi.chassis.vendor: Apple Inc.
dmi.chassis.version: Mac-F22587C8
dmi.modalias: dmi:bvnAppleInc.:bvrMBP53.88Z.00AC.B03.0906151647:bd06/15/09:svnAppleInc.:pnMacBookPro5,3:pvr1.0:rvnAppleInc.:rnMac-F22587C8:rvr:cvnAppleInc.:ct10:cvrMac-F22587C8:
dmi.product.name: MacBookPro5,3
dmi.product.version: 1.0
dmi.sys.vendor: Apple Inc.
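A verification step worth pairing with the workaround above, as an added example that is not part of the original report or of Ubuntu's lxc/apparmor packaging: the kernel lists its loaded profiles in /sys/kernel/security/apparmor/profiles, one "<name> (<mode>)" per line, so after apparmor_parser -R you can confirm the lxc-start profile (and its lxc_container child) is really gone instead of trusting the parser's exit status, which one commenter on this bug found can be misleading. The sample profile list is constructed, and the helper names profile_mode, sample_profiles_file and disable_lxc_start_profile are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or the lxc package).
# Assumption: FILE has the /sys/kernel/security/apparmor/profiles format,
# i.e. one "<profile name> (<mode>)" per line.

# profile_mode NAME [FILE] -> prints "enforce", "complain" or "unloaded"
profile_mode() {
    name=$1
    file=${2:-/sys/kernel/security/apparmor/profiles}
    mode=$(awk -v n="$name" '
        {
            # mode is the last field, wrapped in parentheses;
            # the name is everything before that field
            m = $NF; sub(/^\(/, "", m); sub(/\)$/, "", m)
            nm = $0; sub(/ \([a-z]+\)$/, "", nm)
            if (nm == n) { print m; exit }
        }' "$file" 2>/dev/null)
    printf '%s\n' "${mode:-unloaded}"
}

# Constructed sample of what the kernel lists while lxc-start is confined.
SAMPLE_PROFILES='/usr/bin/lxc-start (enforce)
/usr/bin/lxc-start//lxc_container (enforce)
/usr/sbin/tcpdump (enforce)'

# Writes the sample to a temp file and prints its path (caller removes it).
sample_profiles_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PROFILES" > "$f"
    printf '%s\n' "$f"
}

# The workaround from the report, followed by a check against the kernel's
# own view of the loaded profiles.
disable_lxc_start_profile() {
    sudo ln -sf /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disable/
    sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
    [ "$(profile_mode /usr/bin/lxc-start)" = unloaded ] || {
        echo "lxc-start profile is still loaded" >&2
        return 1
    }
}

# Usage without touching the live system (parses the constructed sample):
#   f=$(sample_profiles_file)
#   profile_mode /usr/bin/lxc-start//lxc_container "$f"
#   rm -f "$f"
```

Run profile_mode against the real sysfs file after disable_lxc_start_profile; if it still reports enforce or complain, the parser call did not do what you expected and the container is still being mediated.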

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

[16034.570611] type=1400 audit(1328123820.845:116): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=14666 profile="/usr/bin/lxc-start//lxc_container" name="/var/lib/dpkg/diversions" pid=14707 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This doesn't really make sense to me. 1. the policy does not do anything with /var. 2. this message actually happened after I set the lxc-start profile to 'complain.'

Changed in lxc (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Correction: looks like I used '--reload' rather than '--replace' as apparmor_parser argument, and it silently failed.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

type=AVC msg=audit(1328128176.535:236): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=25194 profile="/usr/bin/lxc-start//lxc_container" name="/var/lib/dpkg/diversions" pid=25229 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1328128176.535:236): arch=c000003e syscall=5 success=no exit=-2 a0=7 a1=7fff3b8e3ae0 a2=7fff3b8e3ae0 a3=8 items=0 ppid=467 pid=25229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="dpkg" exe="/usr/bin/dpkg" key=(null)

So indeed it appears to be a failure in the re-attaching of the paths.

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 925024

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: precise
Revision history for this message
Gary Poster (gary) wrote : AcpiTables.txt

apport information

tags: added: apport-collected running-unity
description: updated
Revision history for this message
Gary Poster (gary) wrote : AlsaDevices.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : AplayDevices.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : Card0.Amixer.values.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : Card0.Codecs.codec.0.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : Dependencies.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : IwConfig.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : Lspci.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : Lsusb.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : PciMultimedia.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : ProcCpuinfo.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : ProcInterrupts.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : ProcModules.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : PulseSinks.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : PulseSources.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : RfKill.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : UdevDb.txt

apport information

Revision history for this message
Gary Poster (gary) wrote : UdevLog.txt

apport information

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Brad Figg (brad-figg) wrote : Test with newer development kernel (3.2.0-13.22)

Thank you for taking the time to file a bug report on this issue.

However, given the number of bugs that the Kernel Team receives during any development cycle it is impossible for us to review them all. Therefore, we occasionally resort to using automated bots to request further testing. This is such a request.

We have noted that there is a newer version of the development kernel than the one you last tested when this issue was found. Please test again with the newer kernel and indicate in the bug if this issue still exists or not.

You can update to the latest development kernel by simply running the following commands in a terminal window:

    sudo apt-get update
    sudo apt-get upgrade

If the bug still exists, change the bug status from Incomplete to Confirmed. If the bug no longer exists, change the bug status from Incomplete to Fix Released.

If you want this bot to quit automatically requesting kernel tests, add a tag named: bot-stop-nagging.

 Thank you for your help, we really do appreciate it.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
tags: added: kernel-request-3.2.0-13.22
Gary Poster (gary)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Brad Figg (brad-figg) wrote : Test with newer development kernel (3.2.0-14.23)

Thank you for taking the time to file a bug report on this issue.

However, given the number of bugs that the Kernel Team receives during any development cycle it is impossible for us to review them all. Therefore, we occasionally resort to using automated bots to request further testing. This is such a request.

We have noted that there is a newer version of the development kernel than the one you last tested when this issue was found. Please test again with the newer kernel and indicate in the bug if this issue still exists or not.

You can update to the latest development kernel by simply running the following commands in a terminal window:

    sudo apt-get update
    sudo apt-get upgrade

If the bug still exists, change the bug status from Incomplete to Confirmed. If the bug no longer exists, change the bug status from Incomplete to Fix Released.

If you want this bot to quit automatically requesting kernel tests, add a tag named: bot-stop-nagging.

 Thank you for your help, we really do appreciate it.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
tags: added: kernel-request-3.2.0-14.23
tags: added: bot-stop-nagging
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@Brad,

I would consider this a high priority bug. This pretty much means that containers cannot be protected by apparmor, because we can't predict when they might be - for no apparent reason - unable to access some file which they should be able to access.

tags: added: rls-p-tracking
Changed in lxc (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
James Page (james-page) wrote :

I'm still seeing this issue; oneiric lxc container on latest precise kernel:

Selecting previously deselected package ssl-cert.
Unpacking ssl-cert (from .../ssl-cert_1.0.28_all.deb) ...
Selecting previously deselected package postgresql-common.
Unpacking postgresql-common (from .../postgresql-common_122ubuntu1_all.deb) ...
Adding 'diversion of /usr/bin/pg_config to /usr/bin/pg_config.libpq-dev by postgresql-common'
dpkg: unrecoverable fatal error, aborting:
 failed to fstat previous diversions file: No such file or directory
E: Sub-process /usr/bin/dpkg returned an error code (2)

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Hi James,

can you confirm that if you

/etc/init.d/apparmor stop
/etc/init.d/apparmor teardown

it then proceeds?

Interesting that it's always dpkg-divert. I wonder what it does under the covers to trigger this?

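The audit lines quoted earlier in this bug already hint at what dpkg does under the covers: on arch=c000003e (x86_64) syscall=5 is fstat(2), a0=7 is the descriptor it was called on, exit=-2 is ENOENT, and the AVC describes the target as a "deleted entry", that is, an open descriptor whose name no longer resolves. That is the shape of a write-the-new-file-then-rename-it-over-the-old-name update of /var/lib/dpkg/diversions. The program below is an added reproducer, not dpkg's own code: it performs that sequence in a temporary directory and reports whether fstat on the replaced descriptor succeeds, so it can be run inside a container with and without the lxc-start profile loaded. The exact order of operations inside dpkg-divert is an assumption; only the syscall pattern comes from the log.

```c
/* Added reproducer (not dpkg code). Assumption: dpkg updates the diversions
 * file by writing a new file and renaming it over the old name while it
 * still holds a descriptor to the old file, then fstat()s that descriptor.
 * Unconfined, fstat on a name-less but open inode always succeeds. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if fstat() on the replaced file's descriptor succeeds,
 * otherwise the errno it failed with (ENOENT is what the bug shows). */
int fstat_after_rename_over(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], old_path[320], new_path[320];
    struct stat st;
    int fd = -1, nfd = -1, rc;

    if (tmp == NULL)
        tmp = "/tmp";
    snprintf(dir, sizeof dir, "%s/divXXXXXX", tmp);
    if (mkdtemp(dir) == NULL)
        return errno;
    snprintf(old_path, sizeof old_path, "%s/diversions", dir);
    snprintf(new_path, sizeof new_path, "%s/diversions-new", dir);

    /* 1. The "previous diversions file": create it and keep it open. */
    fd = open(old_path, O_RDWR | O_CREAT | O_EXCL, 0644);
    if (fd < 0) { rc = errno; goto out; }
    if (write(fd, "old\n", 4) != 4) { rc = errno; goto out; }

    /* 2. Write the replacement and rename it over the original name.
     *    The old descriptor now refers to an inode with no name: AppArmor's
     *    "deleted entry". */
    nfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (nfd < 0) { rc = errno; goto out; }
    if (write(nfd, "new\n", 4) != 4) { rc = errno; goto out; }
    close(nfd);
    nfd = -1;
    if (rename(new_path, old_path) != 0) { rc = errno; goto out; }

    /* 3. fstat the old descriptor: the call dpkg reports as failing. */
    rc = (fstat(fd, &st) == 0) ? 0 : errno;

out:
    if (nfd >= 0) close(nfd);
    if (fd >= 0) close(fd);
    unlink(old_path);
    unlink(new_path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = fstat_after_rename_over();
    if (rc == 0)
        puts("fstat on the replaced descriptor succeeded (expected when unconfined)");
    else
        printf("fstat on the replaced descriptor failed: %s\n", strerror(rc));
    return rc ? 1 : 0;
}
```

Compile with cc -o divert-repro divert-repro.c and run it inside the container; a non-zero exit with ENOENT while the lxc-start profile is loaded, and success after the workaround, isolates the failure to the rename-over path without going through apt or dpkg-divert.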
Changed in linux (Ubuntu):
status: Fix Released → Confirmed
Changed in lxc (Ubuntu):
status: Invalid → Confirmed
Changed in linux (Ubuntu):
importance: Medium → High