[Debian-ha-maintainers] Bug#979450: booth: autopkgtest fails on ci-worker-ppc64el-01 (but apparently not on other ppc64el workers)

wferi at niif.hu
Thu Jan 28 10:59:45 GMT 2021


Paul Gevers <elbrus at debian.org> writes:

> On 27-01-2021 22:41, Valentin Vidic wrote:
>
>> On Wed, Jan 27, 2021 at 10:37:56PM +0100, Paul Gevers wrote:
>>
>>> debian at ci-worker-ppc64el-01:~$ sudo cat /etc/lxc/default.conf
>>> # MANAGED WITH CHEF; DON'T CHANGE BY HAND
>>> lxc.net.0.type = veth
>>> lxc.net.0.link = virbr0
>>> lxc.net.0.flags = up
>>> lxc.apparmor.profile = generated
>>> lxc.apparmor.allow_nesting = 1
>> 
>> I think this is only for new containers and for the existing ones these
>> options would be in /var/lib/lxc/<container>/config. Also apparmor
>> should log mount failures in kernel log or somewhere...
>
> We generate fresh containers on a daily basis.

Hi Paul,

These systemd messages are emitted during service setup, before the
service binary is even started, and are very much characteristic of the
Apparmor misconfiguration described in the LXC 3 NEWS file.  I can
readily reproduce them with another systemd-hardened package:

systemd[697]: coturn.service: Failed to set up mount namespacing: Permission denied
systemd[697]: coturn.service: Failed at step NAMESPACE spawning /usr/bin/turnserver: Permission denied

and such messages are neatly paired with these in the host syslog:

audit: type=1400 audit(1611830306.349:157): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=27587 comm="(rnserver)" flags="rw, rslave"

Can you see such messages?  Are you sure that the failed runs had

lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

in their LXC configuration?
-- 
Feri
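As an added diagnostic helper (not code from this thread, from booth or from LXC), the script below checks a container's LXC config for the two AppArmor settings Feri asks about and extracts the AppArmor mount denials from a host log stream, so the two halves of the failure can be matched up. The temporary config files and the second audit line are constructed for the demo; the assumed real locations are /var/lib/lxc/<container>/config and the output of dmesg or the host syslog.

```shell
#!/bin/sh
# Added diagnostic helper; not part of booth, LXC or the bug report.
# Assumed real inputs: /var/lib/lxc/<container>/config and dmesg/syslog.

# Exit 0 when CONFIG selects the generated profile with nesting allowed,
# i.e. both lines the thread asks about are present and uncommented.
lxc_config_allows_nesting() {
    config="$1"
    grep -Eq '^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*generated[[:space:]]*$' "$config" &&
    grep -Eq '^[[:space:]]*lxc\.apparmor\.allow_nesting[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$config"
}

# Read log lines on stdin; print "profile comm flags" for every AppArmor
# mount denial (the host-side twin of systemd's "Failed at step NAMESPACE").
apparmor_mount_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="mount"' |
    sed -En 's/.*profile="([^"]*)".*comm="([^"]*)".*flags="([^"]*)".*/\1 \2 \3/p'
}

# Constructed sample data: two container configs and a short host log.
# The first audit line is the one quoted in the thread; the rest is made up.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/bad.conf" <<'EOF'
lxc.net.0.type = veth
lxc.apparmor.profile = lxc-container-default-cgns
EOF
cat > "$DEMO_DIR/good.conf" <<'EOF'
lxc.net.0.type = veth
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
EOF
SAMPLE_LOG='audit: type=1400 audit(1611830306.349:157): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=27587 comm="(rnserver)" flags="rw, rslave"
audit: type=1400 audit(1611830307.001:158): apparmor="DENIED" operation="open" profile="lxc-container-default-cgns" name="/proc/sysrq-trigger" pid=27600 comm="cat"
kernel: eth0: link becomes ready'

for name in bad good; do
    if lxc_config_allows_nesting "$DEMO_DIR/$name.conf"; then
        echo "$name.conf: generated profile with nesting allowed"
    else
        echo "$name.conf: nesting not enabled; expect systemd NAMESPACE failures"
    fi
done
echo "AppArmor mount denials (profile comm flags):"
printf '%s\n' "$SAMPLE_LOG" | apparmor_mount_denials
rm -rf "$DEMO_DIR"
```

Run it against a real container with `lxc_config_allows_nesting /var/lib/lxc/<container>/config` and `dmesg | apparmor_mount_denials`; a denial for profile lxc-container-default-cgns next to a config that fails the check is the pairing the message describes.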