[pkg-lxc-devel] Bug#880502: [pkg-apparmor] Bug#880502: lxc: cannot start container with kernel 4.13.10

Felix Geyer fgeyer at debian.org
Fri Nov 3 18:10:08 UTC 2017


Hi,

On 02.11.2017 20:09, Evgeni Golov wrote:
> Hi,
> 
> On Thu, Nov 02, 2017 at 07:09:10PM +0100, Christian Boltz wrote:
>> seeing the AppArmor denials would be helpful to get this fixed ;-)
> 
> I think the issue is different.
> 
> Looking at the LXC log, we see the following:
> lxc-start 20171102130036.516 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:234 - No such file or directory - failed to change apparmor profile to lxc-container-default-cgns
> 
> And indeed, we see no profiles:
> # aa-status
> apparmor module is loaded.
> 0 profiles are loaded.
> 0 profiles are in enforce mode.
> 0 profiles are in complain mode.
> 0 processes have profiles defined.
> 0 processes are in enforce mode.
> 0 processes are in complain mode.
> 0 processes are unconfined but have a profile defined.
> 
> I think the issue is that when LXC is installed *before* AppArmor is
> enabled, the postinst snippet generated by dh_apparmor [1] is not
> registering any profiles. And now that AppArmor is enabled, the profile
> is missing and cannot be applied.

There are two issues:

lxc expects mount mediation to be present in AppArmor. This isn't upstream (yet) so it's missing
from the Debian kernel too.
As already mentioned there is a lxc.aa_allow_incomplete setting to ignore this check.
However lxc-apparmor-load doesn't honor this setting and still skips loading profiles.


More fundamentally lxc makes the assumption that the AppArmor userspace tools are available if
AppArmor is active in the kernel.
When starting a container lxc detects that AppArmor is active and tries to transition to a
profile. This fails if the apparmor package hasn't been installed as lxc has no way to load profiles.


To fix this:
- lxc needs to stop checking for AppArmor mount mediation. This might make sense for distros that
ship a kernel with the AppArmor patchset but not for everyone else.
- lxc must allow for the AppArmor userspace tools to be absent. This could be done by checking if
the binaries are present on the system or by checking for ENOENT after aa_change_profile() calls.

Felix
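The two failure modes described in this message (a kernel without mount mediation, and an active AppArmor with no lxc profile registered, which is what the `No such file or directory` error above reports) as a pre-flight check, written here as an added illustration and not lxc's own code. The profiles-file path is the real kernel interface, but its sample contents are constructed, and the `mount_mediation` and `allow_incomplete` flags stand in for lxc's own probe and the `lxc.aa_allow_incomplete` setting.

```python
import errno
import os

# Kernel interface consulted by aa-status (constructed samples below stand in for its contents).
AA_PROFILES_FILE = "/sys/kernel/security/apparmor/profiles"  # one "name (mode)" line per loaded profile

# Constructed sample of that file after the lxc profiles have been registered.
SAMPLE_PROFILES_LOADED = """lxc-container-default (enforce)
lxc-container-default-cgns (enforce)
/usr/sbin/tcpdump (complain)
"""
# Constructed sample matching the reporter's aa-status output: nothing loaded.
SAMPLE_PROFILES_EMPTY = ""

def parse_profiles(text):
    """Return {profile_name: mode} from the kernel's profiles listing."""
    loaded = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(")"):
            continue
        name, sep, mode = line.rpartition(" (")
        if sep:
            loaded[name] = mode[:-1]
    return loaded

def check_confinement(profile, aa_enabled, profiles_text, mount_mediation, allow_incomplete):
    """Decide, before any aa_change_profile() call, whether `profile` can be applied.
    Returns (ok, reason) so the operator gets a diagnosis instead of a bare ENOENT."""
    if not aa_enabled:
        return True, "AppArmor inactive in kernel; container would run unconfined"
    if not mount_mediation and not allow_incomplete:
        return False, "kernel lacks AppArmor mount mediation (lxc.aa_allow_incomplete not set)"
    loaded = parse_profiles(profiles_text)
    if profile not in loaded:
        # The reporter's situation: AppArmor active but no profile registered.
        return False, f"profile {profile!r} not loaded: {os.strerror(errno.ENOENT)}"
    return True, f"profile {profile!r} loaded in {loaded[profile]} mode"

def interpret_change_profile_errno(errnum):
    """Map the errno left by a failed aa_change_profile() to an operator-facing cause."""
    if errnum == 0:
        return "transition succeeded"
    if errnum == errno.ENOENT:
        return "profile not loaded (AppArmor userspace tools absent or profiles never registered)"
    if errnum in (errno.EACCES, errno.EPERM):
        return "transition refused by kernel policy"
    return f"unexpected error: {os.strerror(errnum)}"
```

On a real host, pass `open(AA_PROFILES_FILE).read()` as `profiles_text` and the contents of `/sys/module/apparmor/parameters/enabled` (a `Y`) as `aa_enabled`.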
