Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
So systemd v240 tries to set up a mount namespace to further contain execution, and it appears that this is no longer possible inside the lxd container, due to apparmor denies. I'm not sure if this is a bug/feature of systemd | snapd | lxd | apparmor, as all of these are involved.

** Summary changed:

- systemd-resolved fails to start in a container
+ systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

** Also affects: lxd (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1813622

Title:
  systemd-resolved, systemd-networkd and others fail to start in lxc
  container with v240 systemd

Status in apparmor package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  This is a regression from 239-7ubuntu15 to 240-5ubuntu1.
  Steps to reproduce:

  lxc launch ubuntu-daily:disco rbasak-resolv
  lxc exec rbasak-resolv bash
  systemctl status systemd-resolved  # observe running
  echo "deb http://archive.ubuntu.com/ubuntu/ disco-proposed main universe multiverse restricted" >> /etc/apt/sources.list
  apt update
  # Update to 240-5ubuntu1 from proposed
  apt install systemd libsystemd0 systemd-sysv libnss-systemd libpam-systemd
  reboot
  lxc exec rbasak-resolv bash
  systemctl status systemd-resolved  # observe failed

  ● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2019-01-28 16:50:37 UTC; 2min 28s ago
       Docs: man:systemd-resolved.service(8)
             https://www.freedesktop.org/wiki/Software/systemd/resolved
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
    Process: 290 ExecStart=/lib/systemd/systemd-resolved (code=exited, status=226/NAMESPACE)
   Main PID: 290 (code=exited, status=226/NAMESPACE)

  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Service has no hold-off time (RestartSec=0), scheduling restart.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Scheduled restart job, restart counter is at 5.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: Stopped Network Name Resolution.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Start request repeated too quickly.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Failed with result 'exit-code'.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: Failed to start Network Name Resolution.

  This causes /etc/resolv.conf to point to a file that isn't created, so
  all name resolution fails.

  As far as I can determine, landing this in the release pocket would
  cause all default LXD containers to stop working. In my case it breaks
  "autopkgtest -U --apt-pocket=proposed ... -- lxd ubuntu-daily:disco"

  Tagging block-proposed as migration would regress the release pocket,
  and marking Critical as it breaks the system (presumably only in a
  container though, and it is only in proposed currently).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1813622/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
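One way to triage denials like the ones quoted at the top of this message, as an added example that is not code from the bug report, systemd, LXD or AppArmor: parse the AppArmor audit records, collapse the journald and kernel copies of each event (the pasted log shows every denial twice, with the same pid and target), and summarise per container, operation and target. The sample input is the four records pasted above plus two constructed lines a summary must ignore; the pattern used to turn an LXD profile name into a container name is an assumption taken from the profile field shown in those records.

```python
"""Summarise AppArmor "DENIED" audit records per LXD container, operation and target.

Added example for triaging denials like the ones pasted in this bug report; it is
not code from the bug report, systemd, LXD or AppArmor.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# key="quoted value" or key=bare_value, as emitted in AppArmor audit records.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit(<epoch>.<millis>:<serial>) stamp on kernel "type=1400" records.
_AUDIT_TS_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
# Assumed shape of LXD container profile names, taken from the profile field in
# the records above: "lxd-<container>_<lxd dir>" with an optional //child suffix.
_LXD_PROFILE_RE = re.compile(r'^lxd-(.+)_<[^>]*>$')

# Sample input: the four records quoted in this bug report, followed by two
# constructed lines that a denial summary must ignore (a non-DENIED AppArmor
# record and an unrelated syslog line).
SAMPLE_LOG = """\
Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:07 ottawa kernel: audit: type=1400 audit(1548719407.001:334): apparmor="ALLOWED" operation="open" profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>//null-/usr/bin/example" name="/etc/hosts" pid=10400 comm="example" requested_mask="r" denied_mask="r"
Jan 28 23:50:08 ottawa systemd[1]: Started Session 4 of user rbasak.
"""


def parse_record(line):
    """Return the fields of an AppArmor audit record as a dict, or None."""
    if 'apparmor="' not in line:
        return None
    rec = {key: bare or quoted for key, quoted, bare in _KV_RE.findall(line)}
    ts = _AUDIT_TS_RE.search(line)
    if ts:  # only the kernel copy carries the epoch stamp and serial number
        rec["ts"] = datetime.fromtimestamp(int(ts.group(1)), tz=timezone.utc).isoformat()
        rec["serial"] = int(ts.group(2))
    return rec


def lxd_container(profile):
    """Map an LXD profile name to its container name, or None if it is not one."""
    m = _LXD_PROFILE_RE.match(profile.split("//", 1)[0])
    return m.group(1) if m else None


def denials(lines):
    """Yield DENIED records, collapsing the journald and kernel copies of one event.

    Both copies share pid, operation, target, comm and flags; only the kernel
    copy carries the audit serial, so the serial is deliberately not part of the key.
    """
    seen = set()
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        key = tuple(rec.get(f) for f in ("pid", "operation", "name", "comm", "flags"))
        if key in seen:
            continue
        seen.add(key)
        yield rec


def summarize(lines):
    """Count distinct denials per (container or raw profile, operation, target, comm)."""
    counts = Counter()
    for rec in denials(lines):
        profile = rec.get("profile", "")
        who = lxd_container(profile) or profile
        counts[(who, rec.get("operation"), rec.get("name"), rec.get("comm"))] += 1
    return counts


if __name__ == "__main__":
    for (who, op, target, comm), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {who}  {op}  {target}  comm={comm}")
```

Run against a journal export (`journalctl -k -o short` or `/var/log/audit/audit.log`) the summary shows, per container, which operation against which path is being refused; for this bug the single bucket is the mount of /run/systemd/unit-root/home/ by "(networkd)", i.e. the mount namespace setup that systemd's sandboxing performs before the service binary runs.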