unconfined containers are not starting

Bug #987371 reported by Serge Hallyn on 2012-04-23
This bug affects 2 people
Affects              Importance  Assigned to
apparmor (Ubuntu)    Undecided   Unassigned
  Precise            Undecided   Unassigned
  Quantal            Undecided   Unassigned
linux (Ubuntu)       Undecided   Unassigned
  Precise            Undecided   Unassigned
  Quantal            Undecided   Unassigned
lxc (Ubuntu)         Critical    Unassigned
  Precise            Undecided   Unassigned
  Quantal            Critical    Unassigned

Bug Description

lxc-create -t ubuntu -n p1
lxc-start -n p1

That works.

Uncomment the 'lxc.aa_profile = unconfined' in /var/lib/lxc/p1/config, and now

lxc-start -n p1

does not work.

The relevant code in src/lxc/start.c does:

        if (aa_change_profile(handler->conf->aa_profile) < 0) {
                SYSERROR("failed to change apparmor profile to %s", handler->conf->aa_profile);
                return -1;
        }

By default (when it works), hander->conf->aa_profile is set to

lxc-container-default
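
An added example, not code from lxc or libapparmor, showing what the aa_change_profile() call in start.c does underneath so that the errno behind the failure can be inspected directly: libapparmor writes the string "changeprofile <name>" to /proc/self/attr/current, and the kernel answers ENOENT when it cannot find the target profile (the symptom of this bug when the target is "unconfined") or EACCES when the caller's own profile has no change_profile rule for the target. The helper names, the assumption that the classic /proc/self/attr/current path is used (newer kernels also expose /proc/self/attr/apparmor/current) and the errno explanations are this example's own. main() needs an AppArmor kernel; the parsing helpers run anywhere.

```c
/* Added example: re-implements the raw profile-change request that
 * libapparmor's aa_change_profile() sends, plus a reader for the label
 * the kernel reports, so the errno can be mapped to a likely cause.
 * Assumptions: classic /proc/self/attr/current interface; label text of
 * the form "name (mode)" or a bare "unconfined". */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define AA_ATTR_CURRENT "/proc/self/attr/current"   /* assumed path */

/* Build the request libapparmor writes for aa_change_profile(name).
 * Returns the length written, or -1 if the buffer is too small. */
int aa_build_changeprofile(const char *name, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "changeprofile %s", name);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Parse a label as read from /proc/self/attr/current, e.g.
 * "lxc-container-default (enforce)\n" -> name="lxc-container-default",
 * mode="enforce".  A bare "unconfined\n" yields mode="".  Returns 0 on
 * success, -1 on malformed input or a too-small buffer. */
int aa_parse_label(const char *label, char *name, size_t namelen,
                   char *mode, size_t modelen)
{
    const char *nl = strchr(label, '\n');
    size_t len = nl ? (size_t)(nl - label) : strlen(label);
    const char *paren = memchr(label, '(', len);
    size_t nlen = paren ? (size_t)(paren - label) : len;

    while (nlen > 0 && label[nlen - 1] == ' ')   /* drop the space before "(" */
        nlen--;
    if (nlen == 0 || nlen >= namelen)
        return -1;
    memcpy(name, label, nlen);
    name[nlen] = '\0';

    mode[0] = '\0';
    if (paren) {
        const char *rp = memchr(paren, ')', len - (size_t)(paren - label));
        if (!rp)
            return -1;
        size_t mlen = (size_t)(rp - paren - 1);
        if (mlen >= modelen)
            return -1;
        memcpy(mode, paren + 1, mlen);
        mode[mlen] = '\0';
    }
    return 0;
}

/* Read the label the kernel currently applies to this process. */
int aa_current_label(char *name, size_t namelen, char *mode, size_t modelen)
{
    char buf[256];
    int fd = open(AA_ATTR_CURRENT, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return aa_parse_label(buf, name, namelen, mode, modelen);
}

/* Ask the kernel for the transition the same way libapparmor does.
 * Returns 0 on success, -1 with errno set by the kernel otherwise. */
int aa_change_profile_raw(const char *name)
{
    char req[256];
    int len = aa_build_changeprofile(name, req, sizeof req);
    if (len < 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(AA_ATTR_CURRENT, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, req, (size_t)len);
    int saved = errno;
    close(fd);
    if (w != len) {
        errno = saved ? saved : EIO;
        return -1;
    }
    return 0;
}

/* Map the errno to the causes usually behind a failed lxc-start transition
 * (explanations are this example's own reading of the kernel's behaviour). */
const char *aa_explain_errno(int err)
{
    switch (err) {
    case ENOENT:
        return "profile not loaded in the kernel (check 'sudo aa-status'); "
               "for the target 'unconfined' this is the lookup bug fixed in LP #987371";
    case EACCES:
        return "the caller's own profile has no change_profile rule for this target";
    case EINVAL:
        return "malformed request, or AppArmor is not enabled";
    default:
        return strerror(err);
    }
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "unconfined";
    char name[128], mode[32];

    if (aa_current_label(name, sizeof name, mode, sizeof mode) == 0)
        printf("current label: %s%s%s\n", name, mode[0] ? " mode=" : "", mode);
    else
        printf("cannot read %s: %s\n", AA_ATTR_CURRENT, strerror(errno));

    if (aa_change_profile_raw(target) < 0) {
        int err = errno;
        printf("changeprofile %s failed: %s (%s)\n", target, strerror(err), aa_explain_errno(err));
        return 1;
    }
    printf("now confined by %s\n", target);
    return 0;
}
```

Run it as the user that would run lxc-start (for example `sudo ./aa_probe unconfined`); on an affected kernel the request for "unconfined" comes back with ENOENT even though `aa-status` shows the lxc profiles loaded, which is the distinguishing sign of this bug rather than a missing transition rule (that would be EACCES).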

Serge Hallyn (serge-hallyn) wrote :

Sorry, the relevant error message is:

lxc-start: No such file or directory - failed to change apparmor profile to unconfined

Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
John Johansen (jjohansen) wrote :

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 987371

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Serge Hallyn (serge-hallyn) wrote :

That kernel fixes it, thanks.

Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Changed in apparmor (Ubuntu):
status: New → Invalid
Changed in lxc (Ubuntu):
status: Confirmed → Invalid
Christopher Armstrong (radix) wrote :

It looks like this bug prevents switching to ANY profile, not just unconfined.

Serge Hallyn (serge-hallyn) wrote :

@Christopher,

To support switching to any other profile than unconfined or "lxc-*", you need to add a transition rule to /etc/apparmor.d/local/usr.bin.lxc-start (see /etc/apparmor.d/usr.bin.lxc-start for the default profile).

If you still have trouble, please open a new bug, showing the relevant profiles and 'sudo aa-status' output, plus the file 'outout' resulting from doing 'lxc-start -n <container> -l DEBUG -o outout'.

Christopher Armstrong (radix) wrote :

My mistake, it is working to switch to different containers. I think I just hadn't actually reloaded my apparmor profiles when I tried using the one I had just created.
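
An added example, not part of lxc or of the Ubuntu AppArmor profiles, for the transition-rule point above: it scans the text of the profile confining lxc-start for `change_profile -> <target>,` rules and reports whether a given lxc.aa_profile value would be allowed, so a missing rule (or a rule that was written but never reloaded into the kernel) can be spotted before the container is started. The profile text is a constructed sample that mirrors the two targets the reply says the default allows ("lxc-*" and "unconfined"); it is not the real /etc/apparmor.d/usr.bin.lxc-start. Glob matching is simplified to `*` only, and only the `change_profile -> target,` and bare `change_profile,` forms are recognised.

```c
/* Added example: checks an AppArmor profile's change_profile rules against
 * a target profile name.  Sample profile text is constructed for this
 * example; '*' matching is simplified (real AppArmor globbing is richer). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not the real usr.bin.lxc-start profile. */
static const char sample_profile[] =
    "# constructed sample profile\n"
    "/usr/bin/lxc-start {\n"
    "  capability,\n"
    "  change_profile -> lxc-*,\n"
    "  change_profile -> unconfined,\n"
    "  #change_profile -> my-web-profile,\n"
    "}\n";

/* Match 'pat' against 'name' where '*' matches any run of characters.
 * Returns 1 on match, 0 otherwise. */
int aa_glob_match(const char *pat, const char *name)
{
    if (*pat == '\0')
        return *name == '\0';
    if (*pat == '*') {
        for (;; name++) {
            if (aa_glob_match(pat + 1, name))
                return 1;
            if (*name == '\0')
                return 0;
        }
    }
    return *pat == *name && aa_glob_match(pat + 1, name + 1);
}

/* Return 1 if some "change_profile -> X," rule in profile_text matches
 * target, or a bare "change_profile," (any target) is present.  Rules on
 * commented-out lines are ignored. */
int aa_change_profile_allowed(const char *profile_text, const char *target)
{
    static const char kw[] = "change_profile";
    const char *p = profile_text;

    while ((p = strstr(p, kw)) != NULL) {
        const char *line = p;
        while (line > profile_text && line[-1] != '\n')
            line--;
        while (*line == ' ' || *line == '\t')
            line++;
        p += sizeof kw - 1;
        if (*line == '#')                 /* commented out: not a rule */
            continue;

        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == ',')                    /* bare "change_profile," permits any target */
            return 1;
        if (strncmp(p, "->", 2) != 0)     /* other forms are not handled here */
            continue;
        p += 2;
        while (*p == ' ' || *p == '\t')
            p++;

        char pat[128];
        size_t n = 0;
        while (*p && *p != ',' && !isspace((unsigned char)*p) && n < sizeof pat - 1)
            pat[n++] = *p++;
        pat[n] = '\0';
        if (n > 0 && aa_glob_match(pat, target))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *targets[] = { "lxc-container-default", "unconfined", "my-web-profile" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        if (aa_change_profile_allowed(sample_profile, targets[i]))
            printf("%-24s allowed by a change_profile rule\n", targets[i]);
        else
            printf("%-24s NOT allowed: add 'change_profile -> %s,' to "
                   "/etc/apparmor.d/local/usr.bin.lxc-start and reload the profile\n",
                   targets[i], targets[i]);
    }
    return 0;
}
```

After adding the rule, reload the lxc-start profile into the kernel with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.lxc-start` and confirm with `sudo aa-status` that the target profile itself is loaded; a rule that exists on disk but has not been reloaded is exactly the situation described in the comment above.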

Tim Gardner (timg-tpi) on 2012-05-22
Changed in linux (Ubuntu Precise):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.4.0-3.8

---------------
linux (3.4.0-3.8) quantal; urgency=low

  [ Andy Whitcroft ]

  * [Config] include include/generated/compile.h
    - LP: #942569
  * [Config] fix up postinst to ensure we know which error is which
    - LP: #1002388

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: async_populate_rootfs: fix build warnings
    - LP: #1003417

  [ John Johansen ]

  * Revert "SAUCE: AppArmor: Add the ability to mediate mount"
  * SAUCE: apparmor: Add the ability to mediate mount
  * SAUCE: AppArmor: basic networking rules
  * SAUCE: apparmor: fix profile lookup for unconfined
    - LP: #978038, #987371
  * SAUCE: apparmor: fix long path failure due to disconnected path
    - LP: #955892

  [ Mario Limonciello ]

  * SAUCE: dell-laptop: rfkill blacklist Dell XPS 13z, 15
    - LP: #901410

  [ Stefan Bader ]

  * (config) Built-in xen-acpi-processor

  [ Tim Gardner ]

  * [Config] CONFIG_NET_DSA=m
    - LP: #1004148
  * [Config] Ensure CONFIG_XEN_ACPI_PROCESSOR=y for amd64
 -- Leann Ogasawara <email address hidden> Fri, 25 May 2012 11:38:33 -0700

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for precise in -proposed solves the problem (3.2.0-25.40). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Stéphane Graber (stgraber) wrote :

Confirmed on a precise VM, lxc.aa_profile = unconfined now works as expected.
Testing a few other containers I couldn't spot any obvious regression.

tags: added: verification-done-precise
removed: verification-needed-precise
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-25.40

---------------
linux (3.2.0-25.40) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1003534

  [ Andy Whitcroft ]

  * [Config] control.stub is an intermediate product not a dependency
    - LP: #992414
  * [Config] include include/generated/compile.h
    - LP: #942569

  [ Dave Martin ]

  * SAUCE: rtc: pl031: Enable module alias autogeneration for AMBA drivers
    - LP: #1000831

  [ Herton Ronaldo Krzesinski ]

  * Revert "SAUCE: ite-cir: postpone ISR registration"
    - LP: #1002484
  * SAUCE: async_populate_rootfs: fix build warnings
    - LP: #1003417

  [ Ike Panhc ]

  * [Config] add highbank flavour
    - LP: #1000831

  [ John Johansen ]

  * SAUCE: apparmor: fix long path failure due to disconnected path
    - LP: #955892
  * SAUCE: apparmor: fix profile lookup for unconfined
    - LP: #978038, #987371

  [ Mark Langsdorf ]

  * SAUCE: arm highbank: add support for pl320-ipc driver
    - LP: #1000831

  [ Rob Herring ]

  * SAUCE: input: add a key driver for highbank
    - LP: #1000831
  * SAUCE: ARM: highbank: Add smc calls to enable/disable the L2
    - LP: #1000831
  * SAUCE: force DMA buffers to non-bufferable on highbank
    - LP: #1000831
  * SAUCE: net: calxedaxgmac: fix net timeout recovery
    - LP: #1000831

  [ Tim Gardner ]

  * [Config] perarch and indep tools builds need separate build directories
  * [Config] CONFIG_XEN_ACPI_PROCESSOR=y
    - LP: #898112

  [ Upstream Kernel Changes ]

  * Revert "autofs: work around unhappy compat problem on x86-64"
    - LP: #1002482
  * Input: wacom - cleanup feature report for bamboos
    - LP: #568064
  * Input: wacom - remove unused bamboo HID parsing
    - LP: #568064
  * Input: wacom - add some comments to wacom_parse_hid
    - LP: #568064
  * Input: wacom - relax Bamboo stylus ID check
    - LP: #568064
  * Input: wacom - read 3rd gen Bamboo Touch HID data
    - LP: #568064
  * Input: wacom - 3rd gen Bamboo P&Touch packet support
    - LP: #568064
  * Input: wacom - ignore unwanted bamboo packets
    - LP: #568064
  * HID: wacom: Move parsing to a separate function
    - LP: #568064
  * HID: wacom: Initial driver for Wacom Intuos4 Wireless (Bluetooth)
    - LP: #568064
  * Input: wacom - add support for Cintiq 24HD
    - LP: #568064
  * Input: wacom - add LED support for Cintiq 24HD
    - LP: #568064
  * Input: wacom - add missing LEDS_CLASS to Kconfig
    - LP: #568064
  * Input: wacom - fix 3rd-gen Bamboo MT when 4+ fingers are in use
    - LP: #568064
  * power_supply: allow a power supply to explicitly point to powered
    device
    - LP: #568064
  * power_supply: add "powers" links to self-powered HID devices
    - LP: #568064
  * HID: wiimote: fix invalid power_supply_powers call
    - LP: #568064
  * HID: wacom: Fix invalid power_supply_powers calls
    - LP: #568064
  * ARM: 7178/1: fault.c: Port OOM changes into do_page_fault
    - LP: #951043
  * ARM: 7368/1: fault.c: correct how the tsk->[maj|min]_flt gets
    incremented
    - LP: #951043
  * hugepages: fix use after free bug in "quota" handling
    - LP: #990368
    - CVE-2012-2133
  * provide disable_cpufreq() functio...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → Invalid
Changed in apparmor (Ubuntu Precise):
status: New → Invalid

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
