| 2019-04-15 13:20:51 |
Christian Ehrhardt |
bug |
|
|
added bug |
| 2019-04-15 14:20:29 |
Christian Ehrhardt |
bug task added |
|
apparmor (Ubuntu) |
|
| 2019-04-15 14:21:53 |
Christian Ehrhardt |
summary |
Migrations to Disco trigger "Unable to find security driver for model apparmor" |
apparmor no more starting in Disco LXD containers |
|
| 2019-04-15 14:22:45 |
Christian Ehrhardt |
description |
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
In LXD apparmor now skips starting:
Formerly:
root@testkvm-bionic-from:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2019-04-15 13:09:07 UTC; 1h 8min ago
Docs: man:apparmor(7)
http://wiki.apparmor.net/
Process: 90 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
Main PID: 90 (code=exited, status=0/SUCCESS)
Apr 15 13:09:07 testkvm-bionic-from systemd[1]: apparmor.service: Failed to reset devices.list: Operation not permitted
Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Starting AppArmor initialization...
Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: * Starting AppArmor profiles
Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: ...done.
Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Started AppArmor initialization.
Now:
root@testkvm-disco-to:~# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2019-04-15 13:56:12 UTC; 21min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 101 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 101 (code=exited, status=0/SUCCESS)
Apr 15 13:56:12 testkvm-disco-to systemd[1]: Starting Load AppArmor profiles...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
Apr 15 13:56:12 testkvm-disco-to systemd[1]: Started Load AppArmor profiles.
---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
|
| 2019-04-15 14:32:39 |
Christian Ehrhardt |
description |
In LXD apparmor now skips starting:
Formerly:
root@testkvm-bionic-from:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2019-04-15 13:09:07 UTC; 1h 8min ago
Docs: man:apparmor(7)
http://wiki.apparmor.net/
Process: 90 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
Main PID: 90 (code=exited, status=0/SUCCESS)
Apr 15 13:09:07 testkvm-bionic-from systemd[1]: apparmor.service: Failed to reset devices.list: Operation not permitted
Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Starting AppArmor initialization...
Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: * Starting AppArmor profiles
Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Apr 15 13:09:07 testkvm-bionic-from apparmor[90]: ...done.
Apr 15 13:09:07 testkvm-bionic-from systemd[1]: Started AppArmor initialization.
Now:
root@testkvm-disco-to:~# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2019-04-15 13:56:12 UTC; 21min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 101 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 101 (code=exited, status=0/SUCCESS)
Apr 15 13:56:12 testkvm-disco-to systemd[1]: Starting Load AppArmor profiles...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
Apr 15 13:56:12 testkvm-disco-to systemd[1]: Started Load AppArmor profiles.
---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
In LXD apparmor now skips starting.
Steps to reproduce:
1. start LXD container
$ lxc launch ubuntu-daily:d d-testapparmor
(disco to trigger the issue, cosmic as reference)
2. check the default profiles loaded
$ aa-status
=> This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
Cosmic:
25 profiles are loaded.
25 profiles are in enforce mode.
Disco:
15 profiles are loaded.
15 profiles are in enforce mode.
All those 15 remaining are from snaps.
The service of apparmor.service actually states that it refuses to start.
$ systemctl status apparmor
...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
Since some apparmor seems to work I need to debug it further why so many are missing initially and why it affects me in libvirt.
--- --- ---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
|
| 2019-04-15 14:38:55 |
Christian Ehrhardt |
description |
In LXD apparmor now skips starting.
Steps to reproduce:
1. start LXD container
$ lxc launch ubuntu-daily:d d-testapparmor
(disco to trigger the issue, cosmic as reference)
2. check the default profiles loaded
$ aa-status
=> This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
Cosmic:
25 profiles are loaded.
25 profiles are in enforce mode.
Disco:
15 profiles are loaded.
15 profiles are in enforce mode.
All those 15 remaining are from snaps.
The service of apparmor.service actually states that it refuses to start.
$ systemctl status apparmor
...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
Since some apparmor seems to work I need to debug it further why so many are missing initially and why it affects me in libvirt.
--- --- ---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
In LXD apparmor now skips starting.
Steps to reproduce:
1. start LXD container
$ lxc launch ubuntu-daily:d d-testapparmor
(disco to trigger the issue, cosmic as reference)
2. check the default profiles loaded
$ aa-status
=> This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
Cosmic:
25 profiles are loaded.
25 profiles are in enforce mode.
Disco:
15 profiles are loaded.
15 profiles are in enforce mode.
All those 15 remaining are from snaps.
The service of apparmor.service actually states that it refuses to start.
$ systemctl status apparmor
...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
I can get those profiles (the default installed ones) loaded, for example:
$ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
makes it appear
22 profiles are in enforce mode.
/sbin/dhclient
Since some apparmor seems to work I need to debug it further why so many are missing initially and why it affects me in libvirt.
--- --- ---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
|
| 2019-04-15 14:43:08 |
Christian Ehrhardt |
description |
In LXD apparmor now skips starting.
Steps to reproduce:
1. start LXD container
$ lxc launch ubuntu-daily:d d-testapparmor
(disco to trigger the issue, cosmic as reference)
2. check the default profiles loaded
$ aa-status
=> This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
Cosmic:
25 profiles are loaded.
25 profiles are in enforce mode.
Disco:
15 profiles are loaded.
15 profiles are in enforce mode.
All those 15 remaining are from snaps.
The service of apparmor.service actually states that it refuses to start.
$ systemctl status apparmor
...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
I can get those profiles (the default installed ones) loaded, for example:
$ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
makes it appear
22 profiles are in enforce mode.
/sbin/dhclient
Since some apparmor seems to work I need to debug it further why so many are missing initially and why it affects me in libvirt.
--- --- ---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
In LXD apparmor now skips starting.
Steps to reproduce:
1. start LXD container
$ lxc launch ubuntu-daily:d d-testapparmor
(disco to trigger the issue, cosmic as reference)
2. check the default profiles loaded
$ aa-status
=> This will in cosmic and up to recently disco list plenty of profiles active even in the default install.
Cosmic:
25 profiles are loaded.
25 profiles are in enforce mode.
Disco:
15 profiles are loaded.
15 profiles are in enforce mode.
All those 15 remaining are from snaps.
The service of apparmor.service actually states that it refuses to start.
$ systemctl status apparmor
...
Apr 15 13:56:12 testkvm-disco-to apparmor.systemd[101]: Not starting AppArmor in container
I can get those profiles (the default installed ones) loaded, for example:
$ sudo apparmor_parser -r /etc/apparmor.d/sbin.dhclient
makes it appear
22 profiles are in enforce mode.
/sbin/dhclient
I was wondering as in my case I found my guest with no (=0) profiles loaded. But as shown above after "apparmor_parser -r" and package install profiles seemed fine. Then the puzzle was solved, on package install they
will call apparmor_parser via the dh_apparmor snippet and it is fine.
To fully disable all of them:
$ lxc stop <container>
$ lxc start <container>
$ lxc exec d-testapparmor aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
That would match the service doing an early exit as shown in systemctl status output above. The package install or manual load works, but none are loaded by the service automatically e.g. on container restart.
--- --- ---
This bug started as:
Migrations to Disco trigger "Unable to find security driver for model apparmor"
This most likely is related to my KVM-in-LXD setup but it worked fine for years and I'd like to sort out what broke. I have migrated to Disco's qemu 3.1 already which makes me doubts generic issues in qemu 3.1 in general.
The virt tests that run cross release work fine starting from X/B/C but all those chains fail at mirgating to Disco now with:
$ lxc exec testkvm-cosmic-from -- virsh migrate --unsafe --live kvmguest-bionic-normal
qemu+ssh://10.21.151.207/system
error: unsupported configuration: Unable to find security driver for model apparmor
I need to analyze what changed |
|
| 2019-04-15 15:27:56 |
Jamie Strandboge |
libvirt (Ubuntu): status |
New |
Invalid |
|
| 2019-04-15 15:27:58 |
Jamie Strandboge |
apparmor (Ubuntu): status |
New |
Triaged |
|
| 2019-04-15 15:28:01 |
Jamie Strandboge |
apparmor (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2019-04-15 15:28:06 |
Jamie Strandboge |
apparmor (Ubuntu): importance |
Undecided |
High |
|
| 2019-04-15 15:38:03 |
Jamie Strandboge |
bug task added |
|
apparmor |
|
| 2019-04-15 15:38:09 |
Jamie Strandboge |
apparmor: status |
New |
Triaged |
|
| 2019-04-15 17:00:15 |
Jamie Strandboge |
summary |
apparmor no more starting in Disco LXD containers |
apparmor does not start in Disco LXD containers |
|
| 2019-04-15 18:26:19 |
Dan Watkins |
bug |
|
|
added subscriber Dan Watkins |
| 2019-04-15 20:34:53 |
Jamie Strandboge |
bug task added |
|
linux (Ubuntu) |
|
| 2019-04-15 20:35:01 |
Jamie Strandboge |
linux (Ubuntu): status |
New |
Confirmed |
|
| 2019-04-15 20:35:15 |
Jamie Strandboge |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
| 2019-04-15 21:03:46 |
Jamie Strandboge |
apparmor (Ubuntu): status |
Triaged |
In Progress |
|
| 2019-04-15 22:48:12 |
Christian Brauner |
attachment added |
|
UBUNTU: SAUCE: shiftfs: use correct llseek method for https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1824812/+attachment/5256074/+files/0001-UBUNTU-SAUCE-shiftfs-use-correct-llseek-method-for-d.patch |
|
| 2019-04-15 22:50:05 |
Christian Brauner |
bug |
|
|
added subscriber Christian Brauner |
| 2019-04-15 22:50:12 |
Christian Brauner |
bug |
|
|
added subscriber Ubuntu Containers Team |
| 2019-04-15 22:53:48 |
Tyler Hicks |
attachment added |
|
dir-seek.c https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1824812/+attachment/5256075/+files/dir-seek.c |
|
| 2019-04-15 22:55:22 |
Tyler Hicks |
bug |
|
|
added subscriber Tyler Hicks |
| 2019-04-15 23:36:03 |
Tyler Hicks |
linux (Ubuntu): assignee |
John Johansen (jjohansen) |
Christian Brauner (cbrauner) |
|
| 2019-04-15 23:36:15 |
Tyler Hicks |
linux (Ubuntu): status |
Confirmed |
In Progress |
|
| 2019-04-16 00:22:39 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2019-04-16 00:22:47 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2019-04-16 08:51:12 |
Stéphane Graber |
tags |
patch |
patch shiftfs |
|
| 2019-04-16 09:15:40 |
Launchpad Janitor |
apparmor (Ubuntu): status |
In Progress |
Fix Released |
|
| 2019-04-23 13:32:52 |
Kleber Sacilotto de Souza |
nominated for series |
|
Ubuntu Disco |
|
| 2019-04-23 13:32:52 |
Kleber Sacilotto de Souza |
bug task added |
|
libvirt (Ubuntu Disco) |
|
| 2019-04-23 13:32:52 |
Kleber Sacilotto de Souza |
bug task added |
|
apparmor (Ubuntu Disco) |
|
| 2019-04-23 13:32:52 |
Kleber Sacilotto de Souza |
bug task added |
|
linux (Ubuntu Disco) |
|
| 2019-04-23 13:33:25 |
Kleber Sacilotto de Souza |
bug task deleted |
libvirt (Ubuntu Disco) |
|
|
| 2019-04-23 13:33:29 |
Kleber Sacilotto de Souza |
bug task deleted |
apparmor (Ubuntu Disco) |
|
|
| 2019-04-23 13:48:40 |
Kleber Sacilotto de Souza |
linux (Ubuntu Disco): status |
New |
Fix Committed |
|
| 2019-04-26 15:35:53 |
Ubuntu Kernel Bot |
tags |
patch shiftfs |
patch shiftfs verification-needed-disco |
|
| 2019-05-06 09:07:15 |
Ubuntu Kernel Bot |
tags |
patch shiftfs verification-needed-disco |
patch shiftfs verification-needed-bionic verification-needed-disco |
|
| 2019-05-07 13:50:24 |
Christian Ehrhardt |
tags |
patch shiftfs verification-needed-bionic verification-needed-disco |
patch shiftfs verification-done-disco verification-needed-bionic |
|
| 2019-05-08 22:51:42 |
Connor Kuehl |
tags |
patch shiftfs verification-done-disco verification-needed-bionic |
patch shiftfs verification-done-bionic verification-done-disco |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
linux (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2017-5715 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2017-5753 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2017-5754 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2018-12126 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2018-12127 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2018-12130 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2018-3620 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2018-3639 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2018-3646 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-11683 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-1999 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-3874 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-3882 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-3887 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-9500 |
|
| 2019-05-14 19:06:48 |
Launchpad Janitor |
cve linked |
|
2019-9503 |
|
| 2019-05-21 13:04:12 |
Launchpad Janitor |
linux (Ubuntu): status |
In Progress |
Fix Released |
|
| 2019-12-17 19:58:46 |
Jamie Strandboge |
apparmor: status |
Triaged |
Fix Released |
|
