$ modprobe shiftfs
$ sudo snap set lxd shiftfs.enable=true
$ sudo systemctl restart snap.lxd.daemon
Now it is enabled:
$ lxc info | grep shiftfs
shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)
And with that I can reproduce the bug:
$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
$ lxc exec d-testapparmor -- apparmor_parser -r /etc/apparmor.d/sbin.dhclient
AppArmor parser error for /etc/apparmor.d/sbin.dhclient in /etc/apparmor.d/tunables/home at line 25: Could not process include directory '/etc/apparmor.d/tunables/home.d' in 'tunables/home.d'
Installing the host kernel from proposed.
=> 5.0.0.14.15
ubuntu@disco-test-aa-stack:~$ sudo apt install linux-generic linux-headers-generic linux-image-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic linux-modules-extra-5.0.0-14-generic
Suggested packages:
fdutils linux-doc-5.0.0 | linux-source-5.0.0 linux-tools
The following NEW packages will be installed:
linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic linux-modules-extra-5.0.0-14-generic
The following packages will be upgraded:
linux-generic linux-headers-generic linux-image-generic
3 upgraded, 5 newly installed, 0 to remove and 8 not upgraded.
Need to get 67.1 MB of archives.
After this operation, 334 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-modules-5.0.0-14-generic amd64 5.0.0-14.15 [13.7 MB]
6% [1 linux-modules-5.0.0-14-generic 4743 kB/13.7 MB 35%]
Get:2 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-image-5.0.0-14-generic amd64 5.0.0-14.15 [8350 kB]
Get:3 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-modules-extra-5.0.0-14-generic amd64 5.0.0-14.15 [33.2 MB]
Get:4 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-generic amd64 5.0.0.14.15 [1860 B]
Get:5 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-image-generic amd64 5.0.0.14.15 [2484 B]
Get:6 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-5.0.0-14 all 5.0.0-14.15 [10.7 MB]
Get:7 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-5.0.0-14-generic amd64 5.0.0-14.15 [1170 kB]
Get:8 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-generic amd64 5.0.0.14.15 [2440 B]
Fetched 67.1 MB in 13s (5048 kB/s)
Selecting previously unselected package linux-modules-5.0.0-14-generic.
(Reading database ... 67632 files and directories currently installed.)
Preparing to unpack .../0-linux-modules-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-image-5.0.0-14-generic.
Preparing to unpack .../1-linux-image-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-image-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-modules-extra-5.0.0-14-generic.
Preparing to unpack .../2-linux-modules-extra-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../3-linux-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Preparing to unpack .../4-linux-image-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-image-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Selecting previously unselected package linux-headers-5.0.0-14.
Preparing to unpack .../5-linux-headers-5.0.0-14_5.0.0-14.15_all.deb ...
Unpacking linux-headers-5.0.0-14 (5.0.0-14.15) ...
Selecting previously unselected package linux-headers-5.0.0-14-generic.
Preparing to unpack .../6-linux-headers-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../7-linux-headers-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-headers-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Setting up linux-headers-5.0.0-14 (5.0.0-14.15) ...
Setting up linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-headers-generic (5.0.0.14.15) ...
Setting up linux-image-5.0.0-14-generic (5.0.0-14.15) ...
I: /vmlinuz is now a symlink to boot/vmlinuz-5.0.0-14-generic
I: /initrd.img is now a symlink to boot/initrd.img-5.0.0-14-generic
Setting up linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-image-generic (5.0.0.14.15) ...
Setting up linux-generic (5.0.0.14.15) ...
Processing triggers for linux-image-5.0.0-14-generic (5.0.0-14.15) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.0.0-14-generic
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries
nor crypto modules. If that's on purpose, you may want to uninstall the
'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs
integration and avoid this warning.
/etc/kernel/postinst.d/zz-update-grub:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/40-force-partuuid.cfg'
Sourcing file `/etc/default/grub.d/50-cloudimg-settings.cfg'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.0.0-14-generic
Found initrd image: /boot/initrd.img-5.0.0-14-generic
Found linux image: /boot/vmlinuz-5.0.0-13-generic
Found initrd image: /boot/initrd.img-5.0.0-13-generic
done
Install worked fine, now rebooting into it.
$ uname -a
Linux disco-test-aa-stack 5.0.0-14-generic #15-Ubuntu SMP Wed Apr 24 15:39:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Still using shiftfs
$ lxc info | grep shiftfs
shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)
Profiles now load ok:
$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.
Ordering was important:
$ modprobe shiftfs
$ sudo snap set lxd shiftfs.enable=true
$ sudo systemctl restart snap.lxd.daemon
Summarizing - kernel in proposed verified
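
Added example, not part of the original comment: a small shell check that turns the two observations used above (`mount` showing the container root on shiftfs, `aa-status` reporting how many profiles are loaded) into a single verdict, so the regression can be tested for across containers. The function names and verdict strings are hypothetical; the sample text is taken from the transcript above.

```shell
#!/bin/sh
# Added example: classify a container's AppArmor state from captured output.
# Function names and verdict strings are made up for this illustration.

# Print the loaded-profile count from `aa-status` text on stdin, or -1 if absent.
profiles_loaded() {
    awk '!found && / profiles are loaded\.$/ { print $1; found = 1 }
         END { if (!found) print -1 }'
}

# Succeed if `mount` text on stdin shows "/" mounted with type shiftfs.
root_on_shiftfs() {
    awk '$2 == "on" && $3 == "/" && $4 == "type" && $5 == "shiftfs" { hit = 1 }
         END { exit !hit }'
}

# classify MOUNT_TEXT AA_STATUS_TEXT -> prints one verdict word.
classify() {
    n=$(printf '%s\n' "$2" | profiles_loaded)
    if [ "$n" -lt 0 ]; then
        echo unknown                    # aa-status output not recognised
    elif [ "$n" -gt 0 ]; then
        echo ok                         # profiles loaded inside the container
    elif printf '%s\n' "$1" | root_on_shiftfs; then
        echo no-profiles-on-shiftfs     # the failure state shown in this report
    else
        echo no-profiles                # zero profiles, but not a shiftfs root
    fi
}

# Live use against a container (needs lxc; not run by this file).
check_container() {
    classify "$(lxc exec "$1" -- mount)" "$(lxc exec "$1" -- aa-status)"
}

# Sample input copied from the transcript above.
SHIFT_MOUNT='/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)'
BROKEN_STATUS='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.'
FIXED_STATUS='apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.'

echo "before kernel update: $(classify "$SHIFT_MOUNT" "$BROKEN_STATUS")"
echo "after kernel update:  $(classify "$SHIFT_MOUNT" "$FIXED_STATUS")"
```

Run `check_container d-testapparmor` on the host to apply the same check to a live container.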