AppArmor vs unix socket inside LXC containers

Bug #1428490 reported by Toby Corkindale
Affects        Status      Importance   Assigned to   Milestone
lxc (Ubuntu)   Won't Fix   Undecided    Unassigned

Bug Description

I know this seems like an odd bug, but I've spent all day chasing it down.

I was seeing problems with LDAP lookups inside an LXC container, and strace on getent lookups was showing that attempts to read from /var/run/nslcd/socket were being closed as -1 (EACCES).

That file/UNIX socket is owned by nslcd, also running inside the LXC.

Back on the host machine, setting the LXC config to set lxc.aa_profile = unconfined (and restarting the container) then allowed that socket to start working freely.

This seems weird, as there's all sorts of other things using UNIX sockets inside containers that still function normally, but I thought I'd mention it, especially in case anyone hits this issue.

affects: lxc → lxc (Ubuntu)
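A triage helper for the symptom described in the report above: connect() on a unix socket failing with EACCES inside an AppArmor-confined container even though the socket's file permissions look right. This is an added example, not code from the bug report or from the LXC project. It parses the key="value" records the AppArmor kernel module writes to dmesg / audit.log and picks out socket-operation denials. The sample log lines are constructed, the set of socket operations and the suggested rule forms are assumptions, and the `unix` rule syntax for abstract sockets in particular depends on the apparmor_parser version in use.

```python
import re

# Constructed sample dmesg lines in the key="value" format the AppArmor
# kernel module uses. They are NOT taken from the reporter's system.
SAMPLE_LOG = """\
[ 1234.567890] audit: type=1400 audit(1425000000.123:45): apparmor="DENIED" operation="connect" profile="lxc-container-default" name="/var/run/nslcd/socket" pid=4321 comm="getent" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[ 1234.600000] audit: type=1400 audit(1425000000.200:46): apparmor="DENIED" operation="connect" profile="lxc-container-default" pid=4322 comm="nscd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@nscd-abstract" peer="unconfined"
[ 1235.000000] audit: type=1400 audit(1425000001.000:47): apparmor="DENIED" operation="mknod" profile="lxc-container-default" name="/dev/foo" pid=5 comm="mknod" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 1235.100000] audit: type=1400 audit(1425000001.100:48): apparmor="ALLOWED" operation="connect" profile="lxc-container-default" name="/run/syslog" pid=77 comm="logger" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: the socket syscalls AppArmor reports under operation=.
SOCKET_OPS = {"connect", "bind", "listen", "accept", "sendmsg", "recvmsg"}


def parse_record(line):
    """Split one audit line into a dict; quoted and bare values both handled."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def unix_socket_denials(log_text):
    """Return only DENIED records for socket operations.

    These are the rows that explain an EACCES from connect() when the
    socket file itself is readable and writable by the caller."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") not in SOCKET_OPS:
            continue
        # Pathname sockets are logged with name=; abstract sockets carry
        # family="unix" and the address in peer_addr= (assumed layout).
        target = rec.get("name") or rec.get("peer_addr") or rec.get("addr")
        hits.append({
            "profile": rec.get("profile"),
            "comm": rec.get("comm"),
            "pid": rec.get("pid"),
            "operation": rec["operation"],
            "target": target,
            "denied": rec.get("denied_mask"),
            "abstract": rec.get("family") == "unix" and "name" not in rec,
        })
    return hits


def suggest_rule(hit):
    """Narrowest candidate profile rule for one denial.

    Assumption (not from the report): a pathname socket needs a file rule
    on its path, while an abstract socket needs the newer `unix` rule
    syntax, whose availability depends on the apparmor_parser version."""
    if hit["abstract"]:
        return 'unix (connect, send, receive) peer=(addr="%s"),' % hit["target"]
    return '"%s" rw,' % hit["target"]


def triage(log_text):
    """One human-readable line per socket denial, with the candidate rule."""
    return [
        "%s (pid %s) %s %s denied [%s] under profile %s -> try: %s" % (
            h["comm"], h["pid"], h["operation"], h["target"],
            h["denied"], h["profile"], suggest_rule(h))
        for h in unix_socket_denials(log_text)
    ]


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against `dmesg` output on the host (the container's denials are logged in the host kernel log, not inside the container). Inside the container, `cat /proc/self/attr/current` shows whether a process is confined (for example `lxc-container-default (enforce)`) or `unconfined`. Setting `lxc.aa_profile = unconfined`, as the report does, removes all AppArmor confinement from the container, which is far broader than allowing one socket; a rule like the one suggested above in a custom profile is the narrower fix.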
John Johansen (jjohansen) wrote :

Toby,

what distro, release and kernel are you using?

And would you be willing to try a custom test kernel?

Toby Corkindale (tjc-wintrmute) wrote :

Hi,
It's been 18 months since I reported this bug.
Sorry for the slow response to your question, but it did come about a year after I raised the issue.

This was detected on Ubuntu Server 14.04 LTS.
I am no longer able to tell you which kernel was being run at the time.

I suspect it's still likely to be a problem on the 14.04 LTS, however we moved to 16.04 LTS this year and haven't heard any more complaints from our team. We're also mostly using Docker now rather than LXC.

So... problem probably still exists, but I guess no-one really cares any more.

John Johansen (jjohansen) wrote :

Unless we can get more debug info I am marking this won't fix

Changed in lxc (Ubuntu):
status: New → Won't Fix
