Regression: Kernel update breaks all lxc-containers lxc-start failing with (apparmor="DENIED" operation="mount")

Bug #1507959 reported by Stefan Huehner on 2015-10-20
This bug affects 12 people
Affects: lxc (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello,
The following recent kernel update completely breaks our lxc-start usage on precise, both with the precise original kernel 3.2 and with the trusty-lts-stack using 3.13.

After installing those new kernel updates all lxc-start of a container fail with:
"Permission denied - mount failed '/dev/pts/ptmx'->'/dev/ptmx'"

with strace pointing to:
13695 mount("/dev/pts/ptmx", "/dev/ptmx", 0x7f4d68c85d37, MS_BIND, NULL) = -1 EACCES (Permission denied)

and dmesg showing:
Oct 20 10:59:00 titan226 kernel: [ 663.508664] type=1400
                audit(1445331540.807:29): apparmor="DENIED" operation="mount"
                info="failed type match" error=-13 profile="/usr/bin/lxc-start"
                name="/dev/ptmx" pid=2897 comm="lxc-start"
                srcname="/dev/pts/ptmx" flags="rw, bind"

After downgrading the kernel version the problem immediately disappeared and lxc-start for containers works again as before.

Bad versions:
ii linux-image-3.13.0-66-generic 3.13.0-66.108~precise1 Linux kernel image for version 3.13.0 on 64 bit x86 SMP
ii linux-image-3.2.0-92-generic 3.2.0-92.130 Linux kernel image for version 3.2.0 on 64 bit x86 SMP

Good versions:
ii linux-image-3.13.0-61-generic 3.13.0-61.100~precise1 Linux kernel image for version 3.13.0 on 64 bit x86 SMP
ii linux-image-3.2.0-88-generic 3.2.0-88.126 Linux kernel image for version 3.2.0 on 64 bit x86 SMP

From the kernel changelog, this other issue may be causing it, but this is not verified:
  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1507959

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: trusty

apport information

tags: added: apport-collected precise
description: updated

For info: the apport info above is from a system on which we had already downgraded the running kernel version to -61- to work around the problem.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Marc Reymann (mreymann) wrote :

Same problem here:

root@shuttle:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise
root@shuttle:~# uname -a
Linux shuttle 3.2.0-92-generic #130-Ubuntu SMP Mon Oct 5 21:43:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
root@shuttle:~# lxc-start --name Test
lxc-start: Permission denied - mount failed '/dev/pts/ptmx'->'/dev/ptmx'
lxc-start: failed to setup the new pts instance
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'Test'

Doug C (n-doug) wrote :

Same problem here.

Problem surfaced moving from 3.16.0-50-generic to 3.16.0-51-generic

Linux soup-HP-ProBook-4530s-SSD 3.16.0-50-generic #67~14.04.1-Ubuntu SMP Fri Oct 2 22:07:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Daniel (hackie) wrote :

3.13.0-65-generic is ok. The problem was clearly introduced in 3.13.0-66-generic.

Christoph Mitasch (cmitasch) wrote :

Same problem with the latest precise 3.2.x kernel.

 root@host:~# cat /proc/version
Linux version 3.2.0-92-generic (buildd@lgw01-16) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #130-Ubuntu SMP Mon Oct 5 21:43:10 UTC 2015
root@host:~# lxc-start -n test
lxc-start: Permission denied - mount failed '/dev/pts/ptmx'->'/dev/ptmx'
lxc-start: failed to setup the new pts instance
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'test'

tapczan (tapczan) wrote :

This bug was also introduced after updating the kernel from 3.19.0-30-generic to 3.19.0-31-generic. LXC version is 1.0.7-0ubuntu0.1.

Adding this line to /etc/apparmor.d/abstractions/lxc/start-container fixes the issue:

mount options=bind /dev/pts/** -> /dev/**,

This has been resolved as per suggestion of tapczan in lxc (1.0.7-0ubuntu0.10) on 2015-11-03.

affects: linux (Ubuntu) → lxc (Ubuntu)
Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
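
Added example, not part of the original report or of lxc/AppArmor: a triage script that pulls AppArmor mount denials like the one quoted in the description out of a kernel log and checks whether a mount rule such as the one tapczan posted would cover them. The function names are hypothetical, the log text is constructed from the line in the report, and the glob and option matching are simplified assumptions rather than AppArmor's own matcher.

```python
import re

# Constructed input: the denial quoted in the report, joined onto one line,
# followed by an unrelated constructed line that must be ignored.
SAMPLE_LOG = (
    'Oct 20 10:59:00 titan226 kernel: [ 663.508664] type=1400 '
    'audit(1445331540.807:29): apparmor="DENIED" operation="mount" '
    'info="failed type match" error=-13 profile="/usr/bin/lxc-start" '
    'name="/dev/ptmx" pid=2897 comm="lxc-start" '
    'srcname="/dev/pts/ptmx" flags="rw, bind"\n'
    'Oct 20 10:59:01 titan226 kernel: [ 664.000000] eth0: link up\n'
)
RULE = "mount options=bind /dev/pts/** -> /dev/**,"  # rule from the thread

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE_RE = re.compile(r'mount\s+options=\(?([\w, ]+?)\)?\s+(/\S*)\s*->\s*(/\S*),')

def parse_denials(log_text):
    """Return one field dict per AppArmor DENIED mount record."""
    records = []
    for line in log_text.splitlines():
        f = {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}
        if f.get("apparmor") == "DENIED" and f.get("operation") == "mount":
            records.append(f)
    return records

def glob_match(glob, path):
    """Simplified AppArmor globbing: '**' crosses '/', '*' does not."""
    parts = re.split(r"(\*\*|\*)", glob)
    rx = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                 for p in parts)
    return re.fullmatch(rx, path) is not None

def rule_covers(rule, denial):
    """True if the mount rule's options and paths match the denied mount.
    Assumption: an option matches when it appears in the record's flags."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError("unsupported rule form: " + rule)
    opts = {o.strip() for o in m[1].split(",")}
    flags = {x.strip() for x in denial.get("flags", "").split(",")}
    return (opts <= flags and glob_match(m[2], denial.get("srcname", ""))
            and glob_match(m[3], denial.get("name", "")))

def uncovered(log_text, rules):
    """Denied (srcname, name) pairs that none of the given rules cover."""
    return [(d.get("srcname"), d.get("name")) for d in parse_denials(log_text)
            if not any(rule_covers(r, d) for r in rules)]

if __name__ == "__main__":
    print(uncovered(SAMPLE_LOG, []), uncovered(SAMPLE_LOG, [RULE]))
```

Running it over a real kernel log after a kernel update lists the bind mounts the active profile still denies, which shows whether a rule is as narrow as the denial requires before it is added to a profile.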