[pkg-lxc-devel] Bug#1033917: Bug#1033917: lxc: apparmor profile no longer allows unprivileged guest systemd-logind to start (since bookworm)

Forest forestix at sonic.net
Tue Apr 4 23:42:22 BST 2023


>What's weird is that the problem was already happening in buster and
>bullseye.

That doesn't seem to be true, AFAICT.  Bullseye (both my usual Bullseye
guest and a freshly installed one) does not exhibit the 25 second hang.  A
freshly installed Buster guest doesn't, either.  Not even with the default
config instead of nesting.conf.

To be precise:  Although Bullseye and Buster do generate apparmor mount
errors in the host's syslog, the 25 second hang is new with Bookworm guests.
Maybe multiple problems are in play here?

>I guess it is plausible that /etc/lxc/default.conf has been updated in
>your upgrade, resetting the lxc-apparmor-profile to something that won't
>work for unprivileged containers.

Nope. I haven't upgraded the Bullseye host machine on which I discovered the
hang, and it occurs on both that host and a newly installed Bookworm host.
Also, I checked default.conf on both hosts just now, and it matches the one
in lxc_5.0.2-1_amd64.deb.

>The missing lines in apparmor rules have been added in
>lxc-default-with-nesting rules of apparmor for lxc 5.

My fresh Bookworm VM has lxc 5, and those four additional lines are present
in /etc/apparmor.d/lxc/lxc-default-with-nesting.  The contents of
/usr/share/lxc/config/nesting.conf are also identical.  Even when including
it in my container config, the 25 second hang persists.

>the solution lies either within LXD
>(which generates custom profiles for each containers), or with creating
>a dedicated apparmor profile that you use only on unprivileged
>containers.

I tried LXD as a workaround.  Turns out it is not a suitable replacement in
my case.

I would be happy to try a modified apparmor profile.  Ideally even get it
added into Bookworm's lxc package, or accepted upstream, so Bookworm doesn't
arrive in this broken state for lxc users.

I tried modifying the apparmor profile based on the host's syslog messages.
Despite using exactly the same mount options that appeared in the logs, the
errors and the 25 second hang persisted.  (And I did remember to reload the
profile with apparmor_parser -r.)  I wonder if the info="failed flags match"
in those syslog messages is supposed to hint that something more is needed.

It seems like we're missing some information here.
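As an added illustration of the step described in this message (working from the host's apparmor DENIED mount messages toward candidate profile rules), here is a small helper that parses AppArmor audit lines, keeps the mount denials, and renders each as an AppArmor mount rule. It is example code written for this page, not part of the bug report, the lxc package, or LXD. The three log lines are constructed in the AppArmor audit format; the profile name, pids and paths in them are made up. Note the two option syntaxes the rule generator can emit: `options=(...)` requires the requested flag set to match the rule exactly, while `options in (...)` accepts any subset, which matters when comparing a rule against a kernel message tagged `info="failed flags match"`.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample syslog lines in the AppArmor audit format (not from the bug report).
SAMPLE_SYSLOG = [
    'Apr  4 23:40:01 host kernel: audit: type=1400 audit(1680648001.120:311): '
    'apparmor="DENIED" operation="mount" info="failed flags match" error=-13 '
    'profile="lxc-container-default-cgns" name="/sys/fs/cgroup/" pid=4321 '
    'comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev, noexec"',
    'Apr  4 23:40:01 host kernel: audit: type=1400 audit(1680648001.121:312): '
    'apparmor="DENIED" operation="mount" info="failed flags match" error=-13 '
    'profile="lxc-container-default-cgns" name="/run/" pid=4321 '
    'comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev"',
    # An unrelated, non-mount event that the filter must ignore.
    'Apr  4 23:40:02 host kernel: audit: type=1400 audit(1680648002.000:313): '
    'apparmor="ALLOWED" operation="open" profile="lxc-container-default-cgns" '
    'name="/etc/passwd" pid=4322 comm="login"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_fields(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit line, with quotes stripped."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(2)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def mount_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only apparmor="DENIED" events whose operation is a mount."""
    found = []
    for line in lines:
        fields = parse_audit_fields(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "mount":
            found.append(fields)
    return found


def suggest_mount_rule(denial: Dict[str, str], exact: bool = True) -> str:
    """Render a denial as an AppArmor mount rule.

    exact=True  -> options=(...)   : the mount's flag set must match exactly
    exact=False -> options in (...) : any subset of the listed flags is allowed
    """
    flags = [f.strip() for f in denial.get("flags", "").split(",") if f.strip()]
    parts = ["mount"]
    if denial.get("fstype"):
        parts.append(f'fstype={denial["fstype"]}')
    if flags:
        joined = ", ".join(flags)
        parts.append(f"options=({joined})" if exact else f"options in ({joined})")
    if denial.get("name"):
        parts.append(f'-> {denial["name"]}')
    return " ".join(parts) + ","


if __name__ == "__main__":
    for d in mount_denials(SAMPLE_SYSLOG):
        print(f'# profile={d["profile"]} info={d.get("info", "")}')
        print(suggest_mount_rule(d))
        print(suggest_mount_rule(d, exact=False))
```

Feed it the real host syslog (for example `journalctl -k | grep apparmor=`) instead of the constructed lines, then compare its output with the rules already present in the loaded profile; a rule that differs only in the `options=` set from what the kernel reported is the first thing to check after `apparmor_parser -r`.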
