autopkgtests fail in LXC testbed

Bug #1502604 reported by Martin Pitt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Auto Package Testing | Invalid | Undecided | Unassigned |
lxc (Ubuntu) | Won't Fix | Medium | Unassigned |

Bug Description

This spawned from https://plus.google.com/u/0/+MartinPitti/posts/JE8be51XRZy : lxc's autopkgtests currently fail on armhf/ppc64el where we run autopkgtests in an LXC container (http://autopkgtest.ubuntu.com/packages/l/lxc/wily/armhf/).

The testbeds use a custom and more liberal apparmor profile than the default LXC one (see http://bazaar.launchpad.net/~auto-package-testing-dev/auto-package-testing/trunk/view/head:/slave-admin/setup-adt-lxc.commands):

profile lxc-container-adt flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  # Nesting
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,

  # Required for lxc-tests
  mount options=(rw,bind) /lib/** -> /var/lib/lxc**,
  mount options=(rw,rbind) /var/lib/lxcsnaps/** -> /var/lib/lxcsnaps/**,

  # Allow containers to mount /proc, e. g. for sbuild/pbuilder tests
  mount options=(rw,bind),
  mount fstype=devpts,
  mount fstype=proc,
  mount fstype=sysfs,
}

But with just this they hang eternally and time out, and there are also some test failures.

Reproducer (tested on wily amd64):

  adt-build-lxc ubuntu wily
  echo "lxc.aa_profile = unconfined" | tee -a /var/lib/lxc/adt-wily/config
  adt-run lxc --- lxc -s adt-wily

Martin Pitt (pitti) wrote :

With just the default apparmor profile from above I get these AA violations in dmesg:

[889413.230615] type=1400 audit(1443963008.728:498): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-adt" name="/sys/fs/cgroup/" pid=6897 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
[889420.643901] type=1400 audit(1443963016.141:499): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-adt" name="/" pid=7553 comm="systemd-machine" flags="rw, rslave"
[889440.399211] type=1400 audit(1443963035.899:500): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-adt" name="/sys/fs/cgroup/" pid=8165 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"

description: updated
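
Added example (not part of the original bug report): a small Python parser that groups the AppArmor mount denials quoted in the comment above by profile, mount target and flag set, so it is easy to see which flag combinations the lxc-container-adt profile rejects. The function names are illustrative; the sample input is the three dmesg lines from that comment.

```python
import re
from collections import Counter

# Sample input: the three dmesg lines quoted in the comment above.
SAMPLE = '''\
[889413.230615] type=1400 audit(1443963008.728:498): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-adt" name="/sys/fs/cgroup/" pid=6897 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
[889420.643901] type=1400 audit(1443963016.141:499): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-adt" name="/" pid=7553 comm="systemd-machine" flags="rw, rslave"
[889440.399211] type=1400 audit(1443963035.899:500): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-adt" name="/sys/fs/cgroup/" pid=8165 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
'''

# type=1400 is the AppArmor audit record; capture epoch, serial and the key=value body.
AUDIT_RE = re.compile(r'type=1400 audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')
# Values are either "quoted" (may contain spaces and commas) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return a dict of fields for one AppArmor audit line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"epoch": float(m["epoch"]), "serial": int(m["serial"])}
    for key, raw, quoted in FIELD_RE.findall(m["body"]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def denied_mounts(text):
    """Count DENIED mount operations per (profile, target, flag set)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
            continue
        flags = frozenset(f.strip() for f in rec.get("flags", "").split(",") if f.strip())
        counts[(rec.get("profile", "?"), rec.get("name", "?"), flags)] += 1
    return counts


def report(text):
    """One summary row per distinct denial, most frequent first."""
    items = sorted(denied_mounts(text).items(), key=lambda kv: (-kv[1], kv[0][1]))
    return [f"{n}x {profile}: mount on {name} flags={','.join(sorted(flags))}"
            for (profile, name, flags), n in items]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
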
Martin Pitt (pitti) wrote :

Stéphane asked me to try with this, and it doesn't help:

  lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
  lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0

I also tried with a completely unconfined LXC profile, that still fails -- it just hangs eternally after "PASS: lxc-tests: /usr/bin/lxc-test-apparmor"

Martin Pitt (pitti) wrote :

This is trivially reproducible on an amd64 desktop (I'm running wily, the production machines run vivid) with

  adt-build-lxc ubuntu wily
  echo "lxc.aa_profile = unconfined" | tee -a /var/lib/lxc/adt-wily/config
  adt-run lxc --- lxc -s adt-wily

so setting to "triaged".

Changed in auto-package-testing:
status: New → Triaged
Changed in lxc (Ubuntu):
status: New → Triaged
description: updated
Andy Whitcroft (apw) wrote :

Note that this _only_ affects trusty. All kernels in trusty are affected. linux-lts-vivid in trusty shows this behaviour whereas linux in vivid does not; as these are essentially identical, it seems most likely this is either an lxc profile issue or an apparmor userspace issue.

Andy Whitcroft (apw) wrote :

Also note that the first affected versions are those carrying the patch below:

    UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths

Andy Whitcroft (apw) wrote :

Please ignore my previous two comments. Wrong bug.

Changed in lxc (Ubuntu):
importance: Undecided → Medium
Steve Langasek (vorlon) wrote :

I think this is "wontfix" for autopkgtest now that all of our test runners are either lxd or VMs.

Changed in auto-package-testing:
status: Triaged → Invalid
Changed in lxc (Ubuntu):
status: Triaged → Won't Fix