The same scenario (create a new xenial container as a base and clone (copy) it) on an empty xenial VM finished without errors. It looks like it is probably not upstream-specific around xenial-overlayfs:lxc-apparmor(unconfined), but something specific related to the set of configurations for OSA (AIO)?
Logs from /var/log/audit/audit.log:
------
type=AVC msg=audit(1472586116.191:962154): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/etc/ld.so.cache" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.191:962154): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7ffd5814fc00 a2=7ffd5814fc00 a3=7f0bf6109480 items=0 ppid=26460 pid=26478 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=9279 comm="ping" exe="/bin/ping" key=(null)
type=AVC msg=audit(1472586116.191:962155): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/lib/x86_64-linux-gnu/libcap.so.2.24" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.191:962155): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7ffd5814fc50 a2=7ffd5814fc50 a3=2e6f732e70616362 items=0 ppid=26460 pid=26478 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=9279 comm="ping" exe="/bin/ping" key=(null)
------
I can see that it was classified as "ALLOWED" by AppArmor. Maybe some specific security settings are transforming this "warning" (info="Failed name lookup - disconnected path") into "error while loading shared libraries: libcap.so.2: cannot stat shared object: Permission denied"?
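An added example, not part of the original comment: a Python script that pairs AVC and SYSCALL records by audit event ID and lists events that AppArmor logged as ALLOWED while the paired system call still failed, which is the pattern in the log above. The function names are illustrative, and the sample holds the two events from the log (extraction spaces removed, SYSCALL records shortened) plus one constructed control event.

```python
import re

# Events 962154/962155 come from the log above (extraction spaces removed, SYSCALL
# records cut to the fields used here); event 962156 is a constructed control.
SAMPLE = """\
type=AVC msg=audit(1472586116.191:962154): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/etc/ld.so.cache" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.191:962154): arch=c000003e syscall=5 success=no exit=-13 ppid=26460 pid=26478 comm="ping" exe="/bin/ping" key=(null)
type=AVC msg=audit(1472586116.191:962155): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/{usr/,}bin/ping" name="source-xenial-amd64/rootfs/lib/x86_64-linux-gnu/libcap.so.2.24" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.191:962155): arch=c000003e syscall=5 success=no exit=-13 ppid=26460 pid=26478 comm="ping" exe="/bin/ping" key=(null)
type=AVC msg=audit(1472586116.200:962156): apparmor="ALLOWED" operation="open" profile="/{usr/,}bin/ping" name="/etc/hosts" pid=26478 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1472586116.200:962156): arch=c000003e syscall=2 success=yes exit=3 ppid=26460 pid=26478 comm="ping" exe="/bin/ping" key=(null)
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fields(body):
    """Split key=value pairs; double-quoted values may contain spaces."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD.findall(body)}


def allowed_but_failed(log_text):
    """Return events logged as ALLOWED whose paired SYSCALL record failed."""
    events = {}  # audit event ID (timestamp:serial) -> {record type: fields}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events.setdefault(event_id, {})[rtype] = parse_fields(body)
    hits = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc and sc and avc.get("apparmor") == "ALLOWED" and sc.get("success") == "no":
            hits.append({"id": event_id, "profile": avc.get("profile"),
                         "operation": avc.get("operation"), "name": avc.get("name"),
                         "info": avc.get("info"), "exit": int(sc["exit"])})
    return hits


if __name__ == "__main__":
    for hit in allowed_but_failed(SAMPLE):
        print(hit)
```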