Fix lxc-execute without rootfs failing apparmor transitions

Bug #993706 reported by Andrew Cowie
This bug affects 3 people
Affects        Status        Importance  Assigned to    Milestone
lxc (Ubuntu)   Fix Released  Medium      Serge Hallyn
Precise        Fix Released  Undecided   Unassigned
Quantal        Fix Released  Medium      Serge Hallyn

Bug Description

=================================
SRU Justification:
1. impact: lxc-execute fails when apparmor transition is requested (as it is by default)
2. development fix: make sure the container's own proc is mounted before attempting apparmor context transition
3. stable fix: same as development fix
4. test case:
   lxc-execute -n foo /bin/bash
5. Regression potential: apparmor transitions could break for containers if this is done wrong. However, the lxc testsuite passed with these patches
==================================

On a Precise system, LXC is no longer working:

# lxc-execute -n foo /bin/bash
lxc-execute: Permission denied - failed to change apparmor profile to lxc-container-default
lxc-execute: invalid sequence number 1. expected 2
lxc-execute: failed to spawn 'foo'
#

At a minimum, I'm guessing lxc-execute needs a profile similar to lxc-start, but trying to run lxc-start failed with the same error.

AfC

Andrew Cowie (afcowie)
tags: added: precise
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug. It is a duplicate of bug 981955. The workaround documented there is to do:

cat > test.conf << EOF
lxc.aa_profile = unconfined
lxc.rootfs = /
EOF

lxc-execute -n test -f test.conf -- /bin/echo hi

Andrew Cowie (afcowie) wrote :

Thanks for that. But shouldn't the fix (vice workaround) be adding an entry for lxc-execute to /etc/apparmor.d/ ?

AfC

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 993706] Re: apparmor preventing lxc-execute from running

Quoting Andrew Cowie (<email address hidden>):
> *** This bug is a duplicate of bug 981955 ***
> https://bugs.launchpad.net/bugs/981955
>
> Thanks for that. But shouldn't the fix (vice workaround) be adding an
> entry for lxc-execute to /etc/apparmor.d/ ?
>
> AfC

Yes, thanks, we should do that as well.

Serge Hallyn (serge-hallyn) wrote : Re: Add a lxc-execute profile (apparmor preventing lxc-execute from running)

Note that the lxc-execute profile will need to be more lenient than the lxc-start one.

@afcowie, if you'd like to propose a patch for this, please feel free, as I won't be able to do it this week.

summary: - apparmor preventing lxc-execute from running
+ Add a lxc-execute profile (apparmor preventing lxc-execute from running)
Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in lxc (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
summary: - Add a lxc-execute profile (apparmor preventing lxc-execute from running)
+ Fix lxc-execute without rootfs failing apparmor transitions
tags: added: needssru
Serge Hallyn (serge-hallyn) wrote :

(The problem is actually that we need to make sure to mount our own /proc, else, when using lxc.rootfs=/, we leave the host's /proc mounted, and the apparmor library tries to set the lxc profile for the wrong task)

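As an added illustration (not lxc's own code and not the 0082-umount-old-proc patch itself), here is the check the fix describes, in C: read where /proc/self points and compare it with the pid we expect, so a stale host /proc left behind by lxc.rootfs = / is recognised before any apparmor profile change is attempted. The function names, and the helper that detaches and remounts proc, are assumptions of this example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>

/* PID that <procdir>/self resolves to, or -1 if no usable proc is there.
 * A proc mounted inside our own PID namespace resolves it to getpid();
 * a stale host proc resolves it to whatever host pid this task has. */
long proc_self_pid(const char *procdir)
{
    char path[PATH_MAX], target[32];
    snprintf(path, sizeof(path), "%s/self", procdir);
    ssize_t n = readlink(path, target, sizeof(target) - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    char *end;
    long pid = strtol(target, &end, 10);
    return (*end == '\0' && pid > 0) ? pid : -1;
}

/* 1: proc belongs to the namespace in which <expected> is our pid;
 * 0: stale proc from another namespace (apparmor would target the
 *    wrong task); -1: nothing usable mounted at procdir. */
int proc_is_ours(const char *procdir, long expected)
{
    long pid = proc_self_pid(procdir);
    return pid < 0 ? -1 : pid == expected;
}

/* Hypothetical helper: container init (pid 1) keeps a proc that is its
 * own, otherwise detaches the stale one and mounts a fresh procfs.
 * Needs CAP_SYS_ADMIN in a private mount namespace, so it is shown
 * here but not exercised by the test. */
int ensure_own_proc(const char *procdir)
{
    int state = proc_is_ours(procdir, 1);
    if (state == 1)
        return 0;
    if (state == 0 && umount2(procdir, MNT_DETACH) < 0)
        return -1;
    return mount("proc", procdir, "proc", 0, NULL);
}
```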
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu5

---------------
lxc (0.8.0~rc1-4ubuntu5) quantal; urgency=low

  * 0082-umount-old-proc: fix proc auto-mount. If /proc is already mounted,
    make sure that /proc/self points to 1, since we are container init.
    Otherwise, assume proc is an old one, and umount it and remount our own.
    If we keep the old proc mounted, apparmor transitions will be tried for
    wrong task and fail. Also move check for whether apparmor is enabled so
    that it is called by lxc-execute. (LP: #993706)
  * update 0074-lxc-execute-find-init to look for lxc-init in
    LXCINITDIR/lxc/lxc-init
  * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud
    needs it. (LP: 995361)
  * debian/lxc.upstart: load apparmor profiles before auto-starting containers.
    (LP: #989853)
  * pop 06-bash.patch and 0075-lxc-ls-bash. lxc-clone also has bashims, just
    stick to using bash until upstream is also converted (so we are safe
    against patches).
 -- Serge Hallyn <email address hidden> Mon, 07 May 2012 21:22:26 +0000

Changed in lxc (Ubuntu Quantal):
status: Confirmed → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu Precise):
status: New → Confirmed
Martin Pitt (pitti) wrote : Please test proposed package

Hello Andrew, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: Confirmed → Fix Committed
tags: added: verification-needed
Andrew Cowie (afcowie) wrote :

Pleased to report that the fix to lxc reached us through our mirror today (!) and that lxc-execute is working now. Nicely done.

AfC

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released
Stéphane Graber (stgraber) wrote :

Marking verification-done based on above comment.

Changed in lxc (Ubuntu Precise):
status: Fix Released → Fix Committed
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu56

---------------
lxc (0.7.5-3ubuntu56) precise-proposed; urgency=low

  * Fix Ubuntu template to install the host architecture of the required
    multi-arch packages (when using qemu-user-static) instead of hardcoded
    "amd64" version. (LP: #999187)

lxc (0.7.5-3ubuntu55) precise-proposed; urgency=low

  * 0082-umount-old-proc: fix proc auto-mount. If /proc is already mounted,
    make sure that /proc/self points to 1, since we are container init.
    Otherwise, assume proc is an old one, and umount it and remount our own.
    If we keep the old proc mounted, apparmor transitions will be tried for
    wrong task and fail. Also move check for whether apparmor is enabled so
    that it is called by lxc-execute. (LP: #993706)
  * debian/control: add cloud-utils to lxc Recommends, as lxc-ubuntu-cloud
    needs it. (LP: #995361)
  * debian/lxc.upstart: load apparmor profiles before auto-starting containers.
    (LP: #989853)
  * debian/control: add apparmor to lxc Depends (LP: #997681)
  * debian/local/lxc-start-ephemeral: quote $line so its contents don't get
    expanded (LP: #997687)
 -- Stephane Graber <email address hidden> Tue, 15 May 2012 12:00:18 -0400

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released
tags: removed: needssru
NeilGreenwood (neil-greenwood) wrote :

I guess given the release date that this fix is in Raring? Should I raise a new bug since I'm getting a similar error in Raring?

Serge Hallyn (serge-hallyn) wrote :

@Neil,

yes, please do raise a new bug.

NeilGreenwood (neil-greenwood) wrote :