[pkg-apparmor] Bug#880502: [pkg-lxc-devel] Bug#880502: lxc: cannot start container with kernel 4.13.10

Antonio Terceiro terceiro at debian.org
Thu Nov 2 15:06:57 UTC 2017


Control: severity -1 important

On Thu, Nov 02, 2017 at 11:04:10AM -0200, Antonio Terceiro wrote:
> On Wed, Nov 01, 2017 at 03:38:23PM +0100, Evgeni Golov wrote:
> > Ohai,
> > 
> > On Wed, Nov 01, 2017 at 12:00:12PM -0200, Antonio Terceiro wrote:
> > > >       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
> > > >       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
> > > >       lxc-start 20171101123914.655 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
> > > So, I tried downgrading the kernel to the one in testing, rebooted, and
> > > now I can start containers again, so this is being caused by a change in
> > > the kernel between 4.13.4-2 and 4.13.10-1.
> > > 
> > > I still need to study the lxc code path that is being triggered to be
> > > able to provide more useful information. Since the issue is definitively
> > > related to apparmor, I am also copying the apparmor team in case they
> > > have any input to provide.
> > 
> > Can you try to set "lxc.aa_allow_incomplete = 1" in your config?
> > LXC expects Ubuntu's patched kernels when it comes to AppArmor, not the
> > upstream ones :(
> > 
> > And I think Debian enabled AppArmor by default in the latest kernels.
> 
> Didn't help. At least now we have a different error message:
> 
> lxc-start 20171102130036.516 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:234 - No such file or directory - failed to change apparmor profile to lxc-container-default-cgns
> lxc-start 20171102130036.516 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
> lxc-start 20171102130036.564 ERROR    lxc_container - lxccontainer.c:wait_on_daemonized_start:754 - Received container state "ABORTING" instead of "RUNNING"
> lxc-start 20171102130036.564 ERROR    lxc_start - start.c:__lxc_start:1530 - Failed to spawn container "test".
> lxc-start 20171102130036.564 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - The container failed to start.
> lxc-start 20171102130036.564 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - To get more details, run the container in foreground mode.
> lxc-start 20171102130036.564 ERROR    lxc_start_ui - tools/lxc_start.c:main:372 - Additional information can be obtained by setting the --logfile and --logpriority options.
> 
> I guess we will need to fix the apparmor support in lxc to work with the
> upstream kernel. :-/

A brief summary of our IRC conversation from earlier.

I can also reproduce this on:

- stable, booting with security=apparmor
- unstable, with the latest upstream code, built from git
- with or without the apparmor package installed

The workaround that works is using the setting in the container
configuration:

lxc.aa_profile = unconfined

which disables apparmor entirely.

I have just uploaded lxc 1:2.0.9-4 setting this for all containers. This
is not the greatest solution, but it's also not worse than the state of
affairs before apparmor was enabled by default in the Debian kernel: it
was already not possible to use lxc with apparmor in Debian.
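Since that upload turns confinement off for every container, an administrator will want to know which container configs end up unconfined. The following audit script is an added example, not part of the bug report or the lxc package; it assumes the lxc 2.x keys lxc.aa_profile and lxc.aa_allow_incomplete discussed above and runs over constructed sample configs.

```python
"""Audit LXC 2.x container configs for AppArmor confinement.

Added example (not from the bug report). Assumes the keys
lxc.aa_profile and lxc.aa_allow_incomplete as used in the thread.
"""
import re

# Constructed sample configs; not taken from any real host.
SAMPLE_CONFIGS = {
    "web": "lxc.rootfs = /var/lib/lxc/web/rootfs\n"
           "lxc.aa_profile = lxc-container-default-cgns\n",
    "test": "# workaround from Debian bug #880502\n"
            "lxc.aa_profile = unconfined\n",
    "ci": "lxc.aa_allow_incomplete = 1\n",
    "db": "lxc.utsname = db\n",
}

KEY_RE = re.compile(
    r"^\s*(lxc\.aa_profile|lxc\.aa_allow_incomplete)\s*=\s*(.*?)\s*$")


def parse_aa_settings(text):
    """Return the last value seen for each AppArmor key; '#' comment lines are ignored."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def confinement_status(text):
    """Summarise what AppArmor confinement the config asks lxc-start for."""
    s = parse_aa_settings(text)
    # When lxc.aa_profile is absent, lxc picks its own default profile
    # (the log in the thread shows lxc-container-default-cgns); we do not
    # hard-code which one, only that it is the default.
    profile = s.get("lxc.aa_profile", "lxc default")
    if profile == "unconfined":
        return "unconfined"
    if s.get("lxc.aa_allow_incomplete") == "1":
        return f"{profile} (incomplete mediation allowed)"
    return profile


def audit(configs):
    """Map container name -> confinement status for a dict of config texts."""
    return {name: confinement_status(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: {status}")
```

On a real host, feed it the contents of each /var/lib/lxc/<name>/config instead of SAMPLE_CONFIGS.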