Comment 8 for bug 2038567

John Chittum (jchittum) wrote : Re: Mantic 6.5.0-7 kernel causes regression in LXD container usage

Repeating a bit with a Jammy container (hence new comment)

### PRE CONDITION

this is using the custom Mantic VM _and_ has apparmor_restrict_unprivileged_unconfined disabled

sudo bash -c "echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"

1. start a jammy container

lxc launch ubuntu:jammy
Creating the instance
Instance name is: alive-bee
Starting alive-bee

2. see some apparmor denies in journal

Oct 06 12:32:57 mantic-cust-vm kernel: audit: type=1400 audit(1696595577.647:954): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-alive-bee_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=5421 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Oct 06 12:33:01 mantic-cust-vm kernel: kauditd_printk_skb: 20 callbacks suppressed
Oct 06 12:33:01 mantic-cust-vm kernel: audit: type=1400 audit(1696595581.539:975): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=5538 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
Oct 06 12:33:03 mantic-cust-vm kernel: audit: type=1400 audit(1696595583.771:976): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20092/usr/lib/snapd/snap-confine" pid=5784 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
Oct 06 12:33:03 mantic-cust-vm kernel: audit: type=1400 audit(1696595583.779:977): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.configure" name="/apparmor/.null" pid=5784 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
Oct 06 12:33:03 mantic-cust-vm kernel: audit: type=1400 audit(1696595583.791:978): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-alive-bee_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20092/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=5784 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
Oct 06 12:33:04 mantic-cust-vm kernel: audit: type=1400 audit(1696595584.007:979): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-alive-bee_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=5933 comm="(imedated)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

3. snap changes is Done

root@alive-bee:~# snap changes
ID Status Spawn Ready Summary
1 Done 9 days ago, at 02:11 UTC today at 12:33 UTC Initialize system state
2 Done today at 12:32 UTC today at 12:33 UTC Initialize device

4. cloud-init is done

root@alive-bee:~# cloud-init status
status: done

So using the latest released jammy container is also now launching "successfully." Unsure how the other apparmor denies affect container performance. Running a quick spot check of my machine (Jammy) launching a Jammy container.