** Description changed:

- Fresh install of Ubuntu 18.04. lxd installed from snap. Fresh 18.04
- container. Everything up todate via apt.
+ [impact]
+
+ quasselcore cannot start inside lxd container
+
+ [test case]
+
+ create lxd container, install quassel-core, check quasselcore service:
+
+ $ systemctl status quasselcore
+ ● quasselcore.service - distributed IRC client using a central core component
+ Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
+ Active: failed (Result: signal) since Tue 2020-06-30 18:32:40 UTC; 4s ago
+ Docs: man:quasselcore(1)
+ Process: 3853 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
+ Main PID: 3853 (code=killed, signal=SEGV)
+
+ Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 7.
+ Jun 30 18:32:40 lp1814302-f systemd[1]: Stopped distributed IRC client using a central core component.
+ Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Start request repeated too quickly.
+ Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Failed with result 'signal'.
+ Jun 30 18:32:40 lp1814302-f systemd[1]: Failed to start distributed IRC client using a central core component.
+
+
+ Also, the binary will segfault when run directly due to apparmor denials:
+
+ $ /usr/bin/quasselcore
+ Segmentation fault
+
+ [760149.590802] audit: type=1400 audit(1593542073.962:1058):
+ apparmor="DENIED" operation="file_mmap" namespace="root//lxd-
+ lp1814302-f_<var-snap-lxd-common-lxd>" profile="/usr/bin/quasselcore"
+ name="/usr/bin/quasselcore" pid=2006430 comm="quasselcore"
+ requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000
+
+ [regression potential]
+
+ this expands the apparmor profile, so any regression would likely
+ involve problems while starting due to apparmor.
+
+ [scope]
+
+ this is needed for b/f/g.
+
+ this is also needed for e, but that is EOL in weeks and this is not
+ important enough to bother there.
+
+ [original description]
+
+
+ Fresh install of Ubuntu 18.04. lxd installed from snap. Fresh 18.04 container. Everything up todate via apt.
  Install quassel-core. Service will not start.
  Set "aa-complain /usr/bin/quasselcore" allows quasselcore to start.
  I then added "/usr/bin/quasselcore rm," to "/etc/apparmor.d/usr.bin.quasselcore".
  Set "aa-enforce /usr/bin/quasselcore". Restarted main host.
  Quasselcore service now starts and I can connect to it.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1814302

Title:
  Quasselcore apparmor profile issue in lxd container.

Status in AppArmor:
  Invalid
Status in apparmor package in Ubuntu:
  Invalid
Status in quassel package in Ubuntu:
  In Progress
Status in apparmor source package in Bionic:
  Invalid
Status in quassel source package in Bionic:
  In Progress
Status in apparmor source package in Focal:
  Invalid
Status in quassel source package in Focal:
  In Progress
Status in apparmor source package in Groovy:
  Invalid
Status in quassel source package in Groovy:
  In Progress

Bug description:
  [impact]

  quasselcore cannot start inside lxd container

  [test case]

  create lxd container, install quassel-core, check quasselcore service:

  $ systemctl status quasselcore
  ● quasselcore.service - distributed IRC client using a central core component
  Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
  Active: failed (Result: signal) since Tue 2020-06-30 18:32:40 UTC; 4s ago
  Docs: man:quasselcore(1)
  Process: 3853 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
  Main PID: 3853 (code=killed, signal=SEGV)

  Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 7.
  Jun 30 18:32:40 lp1814302-f systemd[1]: Stopped distributed IRC client using a central core component.
  Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Start request repeated too quickly.
  Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Failed with result 'signal'.
  Jun 30 18:32:40 lp1814302-f systemd[1]: Failed to start distributed IRC client using a central core component.

  Also, the binary will segfault when run directly due to apparmor denials:

  $ /usr/bin/quasselcore
  Segmentation fault

  [760149.590802] audit: type=1400 audit(1593542073.962:1058): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-lp1814302-f_<var-snap-lxd-common-lxd>" profile="/usr/bin/quasselcore" name="/usr/bin/quasselcore" pid=2006430 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000

  [regression potential]

  this expands the apparmor profile, so any regression would likely
  involve problems while starting due to apparmor.

  [scope]

  this is needed for b/f/g.

  this is also needed for e, but that is EOL in weeks and this is not
  important enough to bother there.

  [original description]

  Fresh install of Ubuntu 18.04. lxd installed from snap. Fresh 18.04 container. Everything up to date via apt.
  Install quassel-core. Service will not start.
  Set "aa-complain /usr/bin/quasselcore" allows quasselcore to start.
  I then added "/usr/bin/quasselcore rm," to "/etc/apparmor.d/usr.bin.quasselcore".
  Set "aa-enforce /usr/bin/quasselcore". Restarted main host.
  Quasselcore service now starts and I can connect to it.
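Added example, not part of the bug report or of any AppArmor or Ubuntu tooling: a small Python triage script that parses AppArmor audit records like the denial quoted in the bug description, groups the DENIED ones by container, profile and path, and prints a rule covering exactly the denied mask for a human to review. The `lxd-<name>_<...>` namespace layout and the second sample record are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: the denial quoted in the report (rejoined onto one line)
# and one made-up ALLOWED record that the summary must skip.
SAMPLE_LOG = '''\
[760149.590802] audit: type=1400 audit(1593542073.962:1058): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-lp1814302-f_<var-snap-lxd-common-lxd>" profile="/usr/bin/quasselcore" name="/usr/bin/quasselcore" pid=2006430 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000
[760150.000000] audit: type=1400 audit(1593542074.100:1059): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LXD_NS_RE = re.compile(r"lxd-(.+?)_<")  # assumed LXD policy-namespace layout


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def container_of(namespace):
    """Container name from an LXD policy namespace, or None for the host."""
    m = LXD_NS_RE.search(namespace or "")
    return m.group(1) if m else None


def summarize_denials(log_text):
    """Group DENIED file records by (container, profile, path)."""
    out = defaultdict(lambda: {"masks": set(), "operations": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        key = (container_of(rec.get("namespace")), rec.get("profile"), rec["name"])
        out[key]["masks"].update(rec.get("denied_mask", ""))
        out[key]["operations"].add(rec.get("operation"))
    return dict(out)


def candidate_rule(path, masks):
    """Profile rule covering exactly the denied mask, for human review."""
    return f"{path} {''.join(sorted(masks))},"


if __name__ == "__main__":
    for (ctr, profile, path), info in summarize_denials(SAMPLE_LOG).items():
        print(f"container={ctr} profile={profile} ops={sorted(info['operations'])}")
        print("  candidate:", candidate_rule(path, info["masks"]))
```

The script reports only what the kernel logged as denied; the rule the reporter actually added (`rm`) is broader than the `r` shown in `denied_mask`.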