Hi! Thanks for replying.

On Sat, 30 Mar 2019 14:51:47 +0100 Pierre-Elliott Bécue <p...@debian.org> wrote:
> On Wednesday 27 March 2019 at 22:08:49-0700, Regis Smith wrote:
> > Package: lxc
> > Version: 1:3.1.0+really3.0.3-6
> > Severity: important
> >
> > Dear Maintainer,
> >
> >    * What led up to the situation?
> >
> > apt update; apt upgrade
> >
> >    * What exactly did you do (or not do) that was effective (or
> >      ineffective)?
> >
> > As a normal user:
> > $ lxc-start -n test
> >
> >    * What was the outcome of this action?
> >
> > lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 833 No such file or directory - Failed to receive the container state
> > lxc-start: test: tools/lxc_start.c: main: 330 The container failed to start
> > lxc-start: test: tools/lxc_start.c: main: 333 To get more details, run the container in foreground mode
> > lxc-start: test: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> >
> > If I run it in the foreground instead I get
> >
> > $ lxc-start -n test -F
> > lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use generated profile: apparmor_parser not available
> > lxc-start: test: start.c: lxc_init: 899 Failed to initialize LSM
> > lxc-start: test: start.c: __lxc_start: 1917 Failed to initialize container "test"
> > lxc-start: test: tools/lxc_start.c: main: 330 The container failed to start
> > lxc-start: test: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options
> >
> >    * What outcome did you expect instead?
> >
> > A running container. These used to work up until recently. Now I can't stop
> > already running containers because I won't be able to restart them.
>
> Hi,
>
> Thanks for submitting this bug.
>
> As you can see, it is possible to get more debug via the --logfile and
> the --logpriority options.
>
> That said, the first line with the -F option says it all:
>
> > lxc-start: test: lsm/apparmor.c: apparmor_prepare: 974 Cannot use
> > generated profile: apparmor_parser not available
>
> It means that you're lacking the apparmor_parser command, which is
> shipped by apparmor. It probably means that you refused to install
> apparmor on your host.

Actually, I do have apparmor installed, and I can run apparmor_parser as root. aa-status shows all the related "lxc-container-*" in enforce mode. Privileged containers work fine, but I can not start unprivileged containers. Both privileged and unprivileged worked fine before the updates over the past several weeks.

>
> You have multiple choices. The first one being installing apparmor, and
> the second one being to edit your container's configuration (or the
> /etc/lxc/default.conf file) to change the lxc.apparmor.profile
> parameter.
>
> This bugreport raises an interesting question regarding the tradeoff

I attached the log from running

$ lxc-start -n test --logpriority DEBUG --logfile lxc.log

I commented out "apparmor.profile = generated" and it still doesn't work. I'd like to get this working with apparmor, since it's the default. However, I'd love to hear from anyone who has unprivileged containers working on an up-to-date Buster. The fickleness of LXC in Stretch wore me out, so I was quite pleased when it worked reliably in Buster, up until now.

Regis
lxc-start test 20190330180301.167 INFO confile - confile.c:set_config_idmaps:1605 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start test 20190330180301.167 INFO confile - confile.c:set_config_idmaps:1605 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start test 20190330180301.168 INFO lxccontainer - lxccontainer.c:do_lxcapi_start:961 - Set process title to [lxc monitor] /home/rsmith/.local/share/lxc test
lxc-start test 20190330180301.168 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:937 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:946 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:956 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:966 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start test 20190330180301.169 INFO seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
lxc-start test 20190330180301.171 DEBUG terminal - terminal.c:lxc_terminal_peer_default:707 - No such device - The process does not have a controlling terminal
lxc-start test 20190330180301.171 DEBUG conf - conf.c:chown_mapped_root:3190 - trying to chown "/dev/pts/1" to 1000
lxc-start test 20190330180301.240 ERROR apparmor - lsm/apparmor.c:apparmor_prepare:974 - Cannot use generated profile: apparmor_parser not available
lxc-start test 20190330180301.240 ERROR start - start.c:lxc_init:899 - Failed to initialize LSM
lxc-start test 20190330180301.240 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20190330180301.240 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20190330180301.240 DEBUG conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start test 20190330180301.250 ERROR start - start.c:__lxc_start:1917 - Failed to initialize container "test"
lxc-start test 20190330180301.251 DEBUG lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 32372 exited
lxc-start test 20190330180301.251 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:833 - No such file or directory - Failed to receive the container state
lxc-start test 20190330180301.251 ERROR lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start test 20190330180301.251 ERROR lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start test 20190330180301.251 ERROR lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options
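
A triage sketch for a --logfile capture like the one attached above, added here as an example and not part of the original message or of LXC's own code: it parses the line layout seen in that log, reports which LSM driver was selected, and separates the first ERROR from the errors that follow it. The sample lines are copied from the attached log; the names `parse` and `triage` are illustrative.

```python
import re
from typing import NamedTuple

# Layout seen in the attached log:
# <tool> <container> <YYYYmmddHHMMSS.mmm> <LEVEL> <subsystem> - <file>:<func>:<line> - <message>
LINE_RE = re.compile(
    r"^(?P<tool>\S+) (?P<name>\S+) (?P<ts>\d{14}\.\d{3}) (?P<level>[A-Z]+)\s+"
    r"(?P<subsys>\S+) - (?P<file>[^:\s]+):(?P<func>\w+):(?P<line>\d+) - (?P<msg>.*)$"
)

class Record(NamedTuple):
    ts: str
    level: str
    subsys: str
    where: str   # file:function:line of the logging call
    msg: str

# Excerpt copied from the log attached to the message above.
SAMPLE = """\
lxc-start test 20190330180301.168 INFO lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start test 20190330180301.171 DEBUG conf - conf.c:chown_mapped_root:3190 - trying to chown "/dev/pts/1" to 1000
lxc-start test 20190330180301.240 ERROR apparmor - lsm/apparmor.c:apparmor_prepare:974 - Cannot use generated profile: apparmor_parser not available
lxc-start test 20190330180301.240 ERROR start - start.c:lxc_init:899 - Failed to initialize LSM
lxc-start test 20190330180301.250 ERROR start - start.c:__lxc_start:1917 - Failed to initialize container "test"
lxc-start test 20190330180301.251 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:833 - No such file or directory - Failed to receive the container state
"""

def parse(text):
    """Return one Record per well-formed log line; skip anything else."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            where = f'{m["file"]}:{m["func"]}:{m["line"]}'
            records.append(Record(m["ts"], m["level"], m["subsys"], where, m["msg"]))
    return records

def triage(records):
    """Pick out the selected LSM driver and the first ERROR; count the rest."""
    errors = [r for r in records if r.level == "ERROR"]
    driver = next((r.msg.rsplit(" ", 1)[-1] for r in records
                   if r.subsys == "lsm" and r.msg.startswith("LSM security driver")), None)
    return {"lsm_driver": driver,
            "first_error": errors[0] if errors else None,
            "follow_on": max(len(errors) - 1, 0)}

if __name__ == "__main__":
    result = triage(parse(SAMPLE))
    first = result["first_error"]
    print(result["lsm_driver"], first.where, first.msg, result["follow_on"])
```
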