unconfined containers are not starting

Bug #987371 reported by Serge Hallyn
Affects              Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)    Invalid       Undecided   Unassigned
  Precise            Invalid       Undecided   Unassigned
  Quantal            Invalid       Undecided   Unassigned
linux (Ubuntu)       Fix Released  Undecided   Unassigned
  Precise            Fix Released  Undecided   Unassigned
  Quantal            Fix Released  Undecided   Unassigned
lxc (Ubuntu)         Invalid       Critical    Unassigned
  Precise            Invalid       Undecided   Unassigned
  Quantal            Invalid       Critical    Unassigned

Bug Description

lxc-create -t ubuntu -n p1
lxc-start -n p1

That works.

Uncomment the 'lxc.aa_profile = unconfined' in /var/lib/lxc/p1/config, and now

lxc-start -n p1

does not work.

The relevant code in src/lxc/start.c does:

        if (aa_change_profile(handler->conf->aa_profile) < 0) {
                SYSERROR("failed to change apparmor profile to %s", handler->conf->aa_profile);
                return -1;
        }

By default (when it works), handler->conf->aa_profile is set to

lxc-container-default

Serge Hallyn (serge-hallyn) wrote :

Sorry, the relevant error message is:

lxc-start: No such file or directory - failed to change apparmor profile to unconfined

Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
John Johansen (jjohansen) wrote :
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 987371

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Serge Hallyn (serge-hallyn) wrote :

That kernel fixes it, thanks.

Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Changed in apparmor (Ubuntu):
status: New → Invalid
Changed in lxc (Ubuntu):
status: Confirmed → Invalid
Christopher Armstrong (radix) wrote :

It looks like this bug prevents switching to ANY profile, not just unconfined.

Serge Hallyn (serge-hallyn) wrote :

@Christopher,

To support switching to any other profile than unconfined or "lxc-*", you need to add a transition rule to /etc/apparmor.d/local/usr.bin.lxc-start (see /etc/apparmor.d/usr.bin.lxc-start for the default profile).

If you still have trouble, please open a new bug, showing the relevant profiles and 'sudo aa-status' output, plus the file 'outout' resulting from doing 'lxc-start -n <container> -l DEBUG -o outout'.

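An added example, not code from the bug report or from lxc, that applies the rule Serge states above: given a container config and the lxc-start AppArmor profile, it reports whether the aa_change_profile() call quoted in the description can be permitted and, if not, which change_profile rule to add under /etc/apparmor.d/local/usr.bin.lxc-start. It assumes the stock profile expresses transitions as `change_profile -> lxc-*,` style rules and uses constructed copies of both files; it cannot model the kernel lookup bug this report is about, where unconfined failed even with the rule present.

```shell
#!/bin/sh
# Added example, not from the bug report or lxc. Predicts whether lxc-start,
# confined by the usr.bin.lxc-start profile, may change to the profile named
# by lxc.aa_profile. Both files are passed as arguments so constructed copies
# can stand in for /var/lib/lxc/<name>/config and /etc/apparmor.d/usr.bin.lxc-start.

# Print the value of lxc.aa_profile from a container config (last setting wins;
# commented-out lines such as "#lxc.aa_profile = unconfined" are ignored).
aa_profile_of() {
    sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# Succeed if profile file $1 has a "change_profile -> X," rule whose X matches
# profile name $2. X may be a glob such as lxc-*, matched as a shell pattern.
has_transition_rule() {
    sed -n 's/^[[:space:]]*change_profile[[:space:]]*->[[:space:]]*\([^,[:space:]]*\),.*/\1/p' "$1" | (
        while read -r pat; do
            case "$2" in $pat) exit 0 ;; esac
        done
        exit 1
    )
}

# Report whether the container config $1 can be started under the lxc-start
# profile in $2. Default profile is lxc-container-default, as in the report.
check_container() {
    prof=$(aa_profile_of "$1")
    [ -n "$prof" ] || prof=lxc-container-default
    if has_transition_rule "$2" "$prof"; then
        echo "ok: lxc-start may change to profile '$prof'"
    else
        echo "denied: add 'change_profile -> $prof,' to /etc/apparmor.d/local/usr.bin.lxc-start and reload"
        return 1
    fi
}

# Constructed sample inputs (not the real files from the report).
tmp=$(mktemp -d)
printf 'lxc.aa_profile = unconfined\n' > "$tmp/config"
printf '  change_profile -> lxc-*,\n  change_profile -> unconfined,\n' > "$tmp/usr.bin.lxc-start"
check_container "$tmp/config" "$tmp/usr.bin.lxc-start"
printf 'lxc.aa_profile = my-custom-profile\n' > "$tmp/config"
check_container "$tmp/config" "$tmp/usr.bin.lxc-start" || true   # denied until a rule is added
```
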
Christopher Armstrong (radix) wrote :

My mistake, it is working to switch to different containers. I think I just hadn't actually reloaded my apparmor profiles when I tried using the one I had just created.

Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Precise):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.4.0-3.8

---------------
linux (3.4.0-3.8) quantal; urgency=low

  [ Andy Whitcroft ]

  * [Config] include include/generated/compile.h
    - LP: #942569
  * [Config] fix up postinst to ensure we know which error is which
    - LP: #1002388

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: async_populate_rootfs: fix build warnings
    - LP: #1003417

  [ John Johansen ]

  * Revert "SAUCE: AppArmor: Add the ability to mediate mount"
  * SAUCE: apparmor: Add the ability to mediate mount
  * SAUCE: AppArmor: basic networking rules
  * SAUCE: apparmor: fix profile lookup for unconfined
    - LP: #978038, #987371
  * SAUCE: apparmor: fix long path failure due to disconnected path
    - LP: #955892

  [ Mario Limonciello ]

  * SAUCE: dell-laptop: rfkill blacklist Dell XPS 13z, 15
    - LP: #901410

  [ Stefan Bader ]

  * (config) Built-in xen-acpi-processor

  [ Tim Gardner ]

  * [Config] CONFIG_NET_DSA=m
    - LP: #1004148
  * [Config] Ensure CONFIG_XEN_ACPI_PROCESSOR=y for amd64
 -- Leann Ogasawara <email address hidden> Fri, 25 May 2012 11:38:33 -0700

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for precise in -proposed solves the problem (3.2.0-25.40). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Stéphane Graber (stgraber) wrote :

Confirmed on a precise VM, lxc.aa_profile = unconfined now works as expected.
Testing a few other containers I couldn't spot any obvious regression.

tags: added: verification-done-precise
removed: verification-needed-precise
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-25.40

---------------
linux (3.2.0-25.40) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1003534

  [ Andy Whitcroft ]

  * [Config] control.stub is an intermediate product not a dependancy
    - LP: #992414
  * [Config] include include/generated/compile.h
    - LP: #942569

  [ Dave Martin ]

  * SAUCE: rtc: pl031: Enable module alias autogeneration for AMBA drivers
    - LP: #1000831

  [ Herton Ronaldo Krzesinski ]

  * Revert "SAUCE: ite-cir: postpone ISR registration"
    - LP: #1002484
  * SAUCE: async_populate_rootfs: fix build warnings
    - LP: #1003417

  [ Ike Panhc ]

  * [Config] add highbank flavour
    - LP: #1000831

  [ John Johansen ]

  * SAUCE: apparmor: fix long path failure due to disconnected path
    - LP: #955892
  * SAUCE: apparmor: fix profile lookup for unconfined
    - LP: #978038, #987371

  [ Mark Langsdorf ]

  * SAUCE: arm highbank: add support for pl320-ipc driver
    - LP: #1000831

  [ Rob Herring ]

  * SAUCE: input: add a key driver for highbank
    - LP: #1000831
  * SAUCE: ARM: highbank: Add smc calls to enable/disable the L2
    - LP: #1000831
  * SAUCE: force DMA buffers to non-bufferable on highbank
    - LP: #1000831
  * SAUCE: net: calxedaxgmac: fix net timeout recovery
    - LP: #1000831

  [ Tim Gardner ]

  * [Config] perarch and indep tools builds need separate build directories
  * [Config] CONFIG_XEN_ACPI_PROCESSOR=y
    - LP: #898112

  [ Upstream Kernel Changes ]

  * Revert "autofs: work around unhappy compat problem on x86-64"
    - LP: #1002482
  * Input: wacom - cleanup feature report for bamboos
    - LP: #568064
  * Input: wacom - remove unused bamboo HID parsing
    - LP: #568064
  * Input: wacom - add some comments to wacom_parse_hid
    - LP: #568064
  * Input: wacom - relax Bamboo stylus ID check
    - LP: #568064
  * Input: wacom - read 3rd gen Bamboo Touch HID data
    - LP: #568064
  * Input: wacom - 3rd gen Bamboo P&Touch packet support
    - LP: #568064
  * Input: wacom - ignore unwanted bamboo packets
    - LP: #568064
  * HID: wacom: Move parsing to a separate function
    - LP: #568064
  * HID: wacom: Initial driver for Wacom Intuos4 Wireless (Bluetooth)
    - LP: #568064
  * Input: wacom - add support for Cintiq 24HD
    - LP: #568064
  * Input: wacom - add LED support for Cintiq 24HD
    - LP: #568064
  * Input: wacom - add missing LEDS_CLASS to Kconfig
    - LP: #568064
  * Input: wacom - fix 3rd-gen Bamboo MT when 4+ fingers are in use
    - LP: #568064
  * power_supply: allow a power supply to explicitly point to powered
    device
    - LP: #568064
  * power_supply: add "powers" links to self-powered HID devices
    - LP: #568064
  * HID: wiimote: fix invalid power_supply_powers call
    - LP: #568064
  * HID: wacom: Fix invalid power_supply_powers calls
    - LP: #568064
  * ARM: 7178/1: fault.c: Port OOM changes into do_page_fault
    - LP: #951043
  * ARM: 7368/1: fault.c: correct how the tsk->[maj|min]_flt gets
    incremented
    - LP: #951043
  * hugepages: fix use after free bug in "quota" handling
    - LP: #990368
    - CVE-2012-2133
  * provide disable_cpufreq() functio...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → Invalid
Changed in apparmor (Ubuntu Precise):
status: New → Invalid
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
