Bug#972064: Problem with tomcat9 in Linux Container (LXC) and default AppArmor configuration (lxc.apparmor.profile = lxc-container-default-cgns)
Jan Michael Greiner
jan0michael at yahoo.com
Mon Oct 12 12:14:27 BST 2020
> This looks like an issue with the configuration of the LXC container,
> could you check in the logs of the host why the permission was denied?
> If the container isn't unprivileged this is maybe an issue with
> AppArmor, adding this line to the container conf file might help:
>
> lxc.apparmor.profile: unconfined
>
> Emmanuel Bourg
Hello Emmanuel,
thank you very much.
Yes,
lxc.apparmor.profile = unconfined
in the container config file solved the problem (even /usr/libexec/tomcat9/tomcat-update-policy.sh is not a problem any more).
Extract from syslog on the lxc host:
Oct 12 12:33:17 nc17 kernel: [225722.636199] audit: type=1400 audit(1602498797.587:74): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3355 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.656621] audit: type=1400 audit(1602498797.607:75): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3359 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.689041] audit: type=1400 audit(1602498797.639:76): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3364 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.714377] audit: type=1400 audit(1602498797.667:77): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3367 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.735685] audit: type=1400 audit(1602498797.687:78): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3370 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.752513] audit: type=1400 audit(1602498797.703:79): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3374 comm="(olicy.sh)" flags="rw, rslave"
I am not yet familiar with AppArmor. I will do further research on this. If I am able to find a better solution than "unconfined" (maybe an AppArmor profile derived from lxc-container-default-cgns), I will post the results here.
Best regards,
Jan Michael Greiner
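An added example, not part of the bug report or of any project code: a small Python triage script that parses AppArmor DENIED audit records in the shape of the syslog extract above and groups them by profile, operation, target and mount flags, so the specific accesses a profile derived from lxc-container-default-cgns would have to permit can be listed instead of falling back to unconfined. The sample lines are constructed from that extract.

```python
"""Triage AppArmor DENIED audit records like the syslog extract in the bug report."""
import re
from collections import Counter
from typing import Optional

# Constructed sample: two lines in the shape of the syslog extract above, plus one
# non-denial record so the filter has something to skip.
SAMPLE_LOG = """\
Oct 12 12:33:17 nc17 kernel: [225722.636199] audit: type=1400 audit(1602498797.587:74): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3355 comm="(resolved)" flags="rw, rslave"
Oct 12 12:33:17 nc17 kernel: [225722.752513] audit: type=1400 audit(1602498797.703:79): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=3374 comm="(olicy.sh)" flags="rw, rslave"
Oct 12 12:34:01 nc17 kernel: [225766.100000] audit: type=1400 audit(1602498841.100:80): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=3400 comm="apparmor_parser"
"""

# key=value pairs after the apparmor= marker; values are either quoted (and may
# contain spaces, e.g. flags="rw, rslave") or bare (pid=3355, error=-13).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the AppArmor fields of one syslog line, or None if it carries none."""
    idx = line.find('apparmor="')
    if idx < 0:
        return None
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line[idx:])}


def denials(log_text: str) -> list:
    """Only records the kernel actually refused (STATUS/ALLOWED records are skipped)."""
    recs = (parse_audit_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r.get("apparmor") == "DENIED"]


def summarize(log_text: str) -> Counter:
    """Count denials by (profile, operation, target, flags, comm): each distinct
    access a tighter profile would need a rule for shows up once, with its frequency."""
    return Counter(
        (r.get("profile"), r.get("operation"), r.get("name"),
         r.get("flags", ""), r.get("comm", ""))
        for r in denials(log_text)
    )


if __name__ == "__main__":
    for (profile, op, target, flags, comm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}x profile={profile} op={op} target={target} flags=[{flags}] comm={comm}")
```

Feed it the host's syslog or `journalctl -k` output; every row of the summary is one candidate rule to evaluate for a derived profile, and anything not in the list needs no new permission.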