Package: lxd
Version: 5.0.2-5
Severity: important

Dear Maintainer,

I spin up containers using LXD. I'm primarily doing this for learning purposes (for example installing and configuring web services). I launched my first container (test) to get my feet wet by:

```
lxc launch images:debian/12 test
```

When I tried to set the hostname in the container via (`hostnamectl set-hostname test.test`), I got a `Could not set pretty hostname: Connection timed out` error. journalctl on the container showed errors related to network namespacing:

```
Jun 17 03:03:12 test dbus-daemon[81]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.7' (uid=0 pid=104 comm="hostnamectl set-hostname test.test")
Jun 17 03:03:12 test (ostnamed)[105]: systemd-hostnamed.service: Failed to set up network namespacing: Permission denied
Jun 17 03:03:12 test systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Jun 17 03:03:12 test (ostnamed)[105]: systemd-hostnamed.service: Failed at step NETWORK spawning /lib/systemd/systemd-hostnamed: Permission denied
Jun 17 03:03:12 test systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=225/NETWORK
Jun 17 03:03:12 test systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
Jun 17 03:03:12 test systemd[1]: Failed to start systemd-hostnamed.service - Hostname Service.
Jun 17 03:03:37 test dbus-daemon[81]: [system] Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)
```

dmesg on the host revealed that the errors above are due to AppArmor policy violations:

```
[10673.299973] audit: type=1400 audit(1686970915.519:84): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12984 comm="(crub_all)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10673.299988] audit: type=1400 audit(1686970915.519:85): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12984 comm="(crub_all)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793944] audit: type=1400 audit(1686970918.015:86): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793966] audit: type=1400 audit(1686970918.015:87): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10750.671804] audit: type=1400 audit(1686970992.896:88): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=13038 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10750.671817] audit: type=1400 audit(1686970992.896:89): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=13038 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
```

From the upstream discussion [1], the workaround is to set the AppArmor profile for the container to unconfined. To do this, I have to run:

```
lxc config set test raw.lxc "lxc.apparmor.profile=unconfined"
```

See the lxc.container.conf(5) manpage [2] for an explanation of the lxc config key.

The upstream discussion stated that this bug should have already been fixed in recent systemd, AppArmor, and Linux kernel versions (at least as shipped in the Ubuntu Bionic release). However, I can (still) reproduce it on Debian testing.

Thanks.

[1]: https://discuss.linuxcontainers.org/t/bionic-containers-on-xenial-host-systemd-hostnamed-unable-to-start/1732
[2]: https://manpages.ubuntu.com/manpages/lunar/en/man5/lxc.container.conf.5.html

-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxd depends on:
ii  adduser             3.134
ii  attr                1:2.5.1-4
ii  ca-certificates     20230311
ii  init-system-helpers 1.65.2
ii  libacl1             2.3.1-3
ii  libc6               2.36-9
ii  libcap2             1:2.66-4
ii  libdqlite0          1.11.1-1
ii  libgcc-s1           12.2.0-14
ii  liblxc-common       1:5.0.2-1
ii  liblxc1             1:5.0.2-1
ii  libsqlite3-0        3.40.1-2
ii  libudev1            252.6-1
ii  lxcfs               5.0.3-1
ii  lxd-client          5.0.2-5
ii  rsync               3.2.7-1
ii  squashfs-tools      1:4.5.1-1
ii  uidmap              1:4.13+dfsg1-1+b1
ii  xz-utils            5.4.1-0.2

Versions of packages lxd recommends:
ii  apparmor                     3.0.8-3
ii  dnsmasq-base [dnsmasq-base]  2.89-1
ii  lxd-agent                    5.0.2-5

Versions of packages lxd suggests:
pn  btrfs-progs     <none>
pn  ceph-common     <none>
ii  gdisk           1.0.9-2.1
pn  lvm2            <none>
pn  lxd-tools       <none>
pn  zfsutils-linux  <none>

-- no debconf information
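Before dropping confinement for a whole container as the workaround above does, it helps to see exactly which operations AppArmor is denying and from which process. The following script is an added example (not part of this bug report or of LXD itself): it parses host dmesg audit records of the form quoted above, keeps only the DENIED ones, and tallies them by profile, operation, process name and requested mask; the split of the profile name into a container label assumes the `lxd-<label>_<path>` naming seen in the log.

```python
import re
from collections import Counter

# Constructed sample input: two of the host dmesg lines quoted in the report,
# plus an ALLOWED record and a non-audit line to show that both are ignored.
SAMPLE_DMESG = """\
[10673.299973] audit: type=1400 audit(1686970915.519:84): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12984 comm="(crub_all)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793944] audit: type=1400 audit(1686970918.015:86): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10680.000000] audit: type=1400 audit(1686970920.000:90): apparmor="ALLOWED" operation="open" profile="lxd-myself_test_</var/lib/lxd>" pid=12999 comm="sh" requested_mask="r"
[10681.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# key=value pairs; quoted values may contain spaces, '<', '>' and '/'.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed LXD profile naming "lxd-<label>_<lxd path>", as seen in the report.
PROFILE_RE = re.compile(r'^lxd-(?P<label>.+)_<(?P<path>[^>]*)>$')


def parse_audit_records(text):
    """Return one dict of fields per AppArmor audit record (type=1400)."""
    records = []
    for line in text.splitlines():
        if "audit: type=1400" not in line or "apparmor=" not in line:
            continue
        # findall yields '' for the alternation branch that did not match.
        records.append({k: q or u for k, q, u in KV_RE.findall(line)})
    return records


def denials(text):
    """Only the records where AppArmor actually blocked the operation."""
    return [r for r in parse_audit_records(text) if r.get("apparmor") == "DENIED"]


def summarize(text):
    """Count denials by (profile, operation, comm, requested_mask)."""
    return Counter((r["profile"], r["operation"], r["comm"], r["requested_mask"])
                   for r in denials(text))


def affected_containers(text):
    """Container labels taken from the LXD AppArmor profile names."""
    labels = set()
    for r in denials(text):
        m = PROFILE_RE.match(r["profile"])
        if m:
            labels.add(m.group("label"))
    return labels


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_DMESG).items():
        print(n, key)
    print("containers with denials:", sorted(affected_containers(SAMPLE_DMESG)))
```

On a live host, feed it the output of `dmesg` (or the kernel audit log) instead of the constructed sample.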