Package: lxc
Version: 1:3.1.0-1
Severity: important

Hi,

I freshly installed lxc on my testing box and could not run a container with weird error messages:

root@BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
lxc-start: autopkgtest-unstable-amd64: lsm/lsm.c: lsm_process_label_set_at: 174 No such file or directory - Failed to set AppArmor label "lxc-container-default-cgns"
lxc-start: autopkgtest-unstable-amd64: lsm/apparmor.c: apparmor_process_label_set: 1102 Failed to change AppArmor profile to lxc-container-default-cgns
lxc-start: autopkgtest-unstable-amd64: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 5)
lxc-start: autopkgtest-unstable-amd64: start.c: __lxc_start: 1972 Failed to spawn container "autopkgtest-unstable-amd64"
lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: autopkgtest-unstable-amd64: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

This is caused by this AppArmor DENIED

Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"
Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"

After running apparmor_parser to load the lxc-configuration profile it works

root@BOTOX:/etc/apparmor.d# apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers
root@BOTOX:/etc/apparmor.d# lxc-start autopkgtest-unstable-amd64 -F
systemd 240 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
Detected virtualization lxc.
Detected architecture x86-64.

I assume a reboot would have helped as well, possibly this just needs to be added to postinst?

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'stable'), (400, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.28-2
ii  libcap2                1:2.25-1.2
ii  libgnutls30            3.6.5-2
ii  liblxc1                1:3.1.0-1
ii  libseccomp2            2.3.3-3
ii  libselinux1            2.8-1+b1
ii  lsb-base               10.2018112800

Versions of packages lxc recommends:
ii  bridge-utils                  1.5-16
ii  debootstrap                   1.0.112
ii  dirmngr                       2.2.12-1
ii  dnsmasq-base [dnsmasq-base]   2.80-1
ii  gnupg                         2.2.12-1
ii  iproute2                      4.19.0-2
ii  iptables                      1.8.2-3
ii  libpam-cgfs                   1:3.1.0-1
ii  lxc-templates                 3.0.3-1
ii  lxcfs                         3.0.3-2
ii  nftables                      0.9.0-2
ii  openssl                       1.1.1a-1
ii  rsync                         3.1.3-1
ii  uidmap                        1:4.5-1.1

Versions of packages lxc suggests:
ii  apparmor     2.13.2-3
ii  btrfs-progs  4.19.1-1
ii  lvm2         2.03.02-1
pn  python3-lxc  <none>

-- debconf information:
* lxc/auto_update_config: true
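
An added example, not part of the original report and not code from lxc or AppArmor: a small triage script that separates the failure seen here (a change_profile to a label that is not loaded in the kernel) from ordinary policy denials in the same log. The function names `parse_avc` and `classify` are hypothetical, and the third sample line is constructed for contrast.

```python
import re

# Sample input: the first two lines are the denial quoted in the report above;
# the third is a constructed ordinary file denial, added for contrast.
SAMPLE_LOG = [
    'Jan 09 21:44:50 BOTOX audit[15070]: AVC apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"',
    'Jan 09 21:44:50 BOTOX kernel: audit: type=1400 audit(1547066690.033:61): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="unconfined" name="lxc-container-default-cgns" pid=15070 comm="lxc-start"',
    'Jan 09 21:50:00 BOTOX kernel: audit: type=1400 audit(1547067000.000:70): apparmor="DENIED" operation="open" profile="lxc-container-default-cgns" name="/proc/sysrq-trigger" pid=15200 comm="cat" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def classify(lines):
    """Split DENIED events into missing-label failures and policy denials.

    info="label not found" with error=-2 (-ENOENT) on change_profile means the
    target profile is not loaded in the kernel; editing profile rules cannot
    fix that, the profile has to be loaded first.
    """
    missing, denied = [], []
    for line in lines:
        fields = parse_avc(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        event = (fields.get("operation"), fields.get("name"), fields.get("pid"))
        if (fields.get("operation") == "change_profile"
                and fields.get("info") == "label not found"):
            bucket = missing
        else:
            bucket = denied
        if event not in bucket:  # the report shows the same event logged twice
            bucket.append(event)
    return missing, denied


if __name__ == "__main__":
    missing, denied = classify(SAMPLE_LOG)
    for _, label, pid in missing:
        print(f"profile {label!r} is not loaded (requested by pid {pid})")
    for op, name, pid in denied:
        print(f"policy denial: {op} {name} (pid {pid})")
```
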