[pkg-lxc-devel] Bug#925899: lxc: Unprivileged containers fail to start after recent updates

Regis Smith rsmith at whistlin.com
Sat Mar 30 18:19:02 GMT 2019


Hi!  Thanks for replying.

On Sat, 30 Mar 2019 14:51:47 +0100 Pierre-Elliott Bécue
<peb at debian.org> wrote:
> On Wednesday, 27 March 2019 at 22:08:49-0700, Regis Smith wrote:
> > Package: lxc
> > Version: 1:3.1.0+really3.0.3-6
> > Severity: important
> > 
> > Dear Maintainer,
> > 
> >    * What led up to the situation?
> > 
> > apt update; apt upgrade
> > 
> >    * What exactly did you do (or not do) that was effective (or
> >      ineffective)?
> > 
> > As a normal user:
> > $ lxc-start -n test
> > 
> >    * What was the outcome of this action?
> > 
> > lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 833 No such file or directory - Failed to receive the container state
> > lxc-start: test: tools/lxc_start.c: main: 330 The container failed to start
> > lxc-start: test: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
> > lxc-start: test: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > 
> > If I run it in the foreground instead I get
> > 
> > $ lxc-start -n test -F
> > lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use generated profile: apparmor_parser not available
> > lxc-start: test: start.c: lxc_init: 899 Failed to initialize LSM
> > lxc-start: test: start.c: __lxc_start: 1917 Failed to initialize container "test"
> > lxc-start: test: tools/lxc_start.c: main: 330 The container failed to start
> > lxc-start: test: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> > 
> >    * What outcome did you expect instead?
> > 
> > A running container.  These used to work up until recently.  Now I can't stop
> > already running containers because I won't be able to restart them.
> 
> Hi,
> 
> Thanks for submitting this bug.
> 
> As you can see, it is possible to get more debug via the --logfile and
> the --logpriority options.
> 
> That said, the first line with the -F option says it all:
> 
> > lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use
> > generated profile: apparmor_parser not available
> 
> It means that you're lacking the apparmor_parser command, which is
> shipped by apparmor. It probably means that you refused to install
> apparmor on your host.

Actually, I do have apparmor installed, and I can run apparmor_parser
as root.  aa-status shows all the related "lxc-container-*" in enforce
mode. Privileged containers work fine, but I cannot start unprivileged
containers.  Both privileged and unprivileged worked fine before the
updates over the past several weeks.

> 
> You have multiple choices. The first one being installing apparmor, and
> the second one being to edit your container's configuration (or the
> /etc/lxc/default.conf file) to change the lxc.apparmor.profile
> parameter.
> 
> This bug report raises an interesting question regarding the tradeoff

I attached the log from running

$ lxc-start -n test --logpriority DEBUG --logfile lxc.log

I commented out "apparmor.profile = generated" and it still doesn't
work.  I'd like to get this working with apparmor, since it's the
default.  However, I'd love to hear from anyone who has unprivileged
containers working on an up-to-date Buster.  The fickleness of LXC in
Stretch wore me out, so I was quite pleased when it worked reliably in
Buster, up until now.

Regis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lxc.log
Type: text/x-log
Size: 7729 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20190330/ea25ed32/attachment.bin>
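Added example, not from the thread or the lxc project: a small POSIX sh diagnostic for the two things discussed above, whether apparmor_parser is reachable through the calling user's PATH (the thread only shows it works as root; the sbin search directories and the PATH hypothesis are assumptions) and which lxc.apparmor.profile value a container config actually sets.

```shell
#!/bin/sh
# Added diagnostic (assumptions labelled in comments), not part of the bug report.

# find_in_path CMD PATHSTRING: print the first executable CMD found in the
# colon-separated PATHSTRING, or return 1 if none is found.
find_in_path() {
    cmd=$1
    pathstr=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathstr; do
        if [ -x "$dir/$cmd" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# apparmor_profile CONFIGFILE: print the value of the last uncommented
# "lxc.apparmor.profile = ..." line, or "unset" when the config has none.
apparmor_profile() {
    value=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$1" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$value" ]; then
        printf 'unset\n'
    else
        printf '%s\n' "$value"
    fi
}

# report [CONFIGFILE]: run both checks as the current (possibly unprivileged)
# user. The sbin directories searched second are an assumption, used only to
# tell "not on this user's PATH" apart from "apparmor package not installed".
report() {
    if p=$(find_in_path apparmor_parser "$PATH"); then
        echo "apparmor_parser found via PATH: $p"
    elif p=$(find_in_path apparmor_parser "/sbin:/usr/sbin:/usr/local/sbin"); then
        echo "apparmor_parser exists at $p but is not on this user's PATH"
    else
        echo "apparmor_parser not found; is the apparmor package installed?"
    fi
    if [ -n "$1" ]; then
        echo "lxc.apparmor.profile in $1: $(apparmor_profile "$1")"
    fi
}
```

Run it as the same unprivileged user that invokes lxc-start, e.g. `report ~/.local/share/lxc/test/config`, since root's PATH and profile settings are not what the failing command sees.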
