[Bug 1326865] [NEW] libvirt cannot kill dhcp in containers
Serge Hallyn
1326865 at bugs.launchpad.net
Thu Jun 5 16:02:14 UTC 2014
Public bug reported:
If I create an Ubuntu container and start it as a libvirt-lxc container,
it runs under the host dhcp profile. Then when I try virsh -c lxc:///
destroy c1, libvirtd tries to kill dhcp in the container but fails:
Jun 5 17:54:14 t1 kernel: [ 2563.620698] type=1400 audit(1401983654.375:28): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4304 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Jun 5 17:54:14 t1 kernel: [ 2563.660491] type=1400 audit(1401983654.415:29): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Jun 5 17:54:14 t1 kernel: [ 2563.660600] type=1400 audit(1401983654.415:30): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
I don't actually understand the mechanisms here (that a profile should
be able to refuse receiving signals), and it seems like the proper fix
is to have libvirt-lxc start containers confined in a container policy,
but Jamie seemed to have another solution, which would be great.
** Affects: isc-dhcp (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1326865
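Added example, not part of the original report and not code from libvirt or AppArmor: a small parser that pulls signal denials out of kernel audit lines like the ones quoted above, groups duplicates, and renders the signal rule each denial corresponds to so it can be reviewed against the policy. The first two sample lines are taken from the report, the third is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# First two lines are from the report; the third is constructed to show filtering.
SAMPLE = '''\
Jun 5 17:54:14 t1 kernel: [ 2563.620698] type=1400 audit(1401983654.375:28): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4304 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Jun 5 17:54:14 t1 kernel: [ 2563.660491] type=1400 audit(1401983654.415:29): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Jun 5 17:54:15 t1 kernel: [ 2563.700000] type=1400 audit(1401983655.000:31): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/tmp/example" pid=4293 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def signal_denials(log_text):
    """Count unique (profile, direction, signal, peer) signal denials."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields and fields.get("operation") == "signal":
            # With denied_mask="receive", `profile` is the confinement of the
            # target process and `peer` is the profile of the sender.
            counts[(fields["profile"], fields["denied_mask"],
                    fields["signal"], fields["peer"])] += 1
    return counts


def candidate_rule(direction, signal, peer):
    """Render the AppArmor signal rule matching one denial, for review only."""
    return f"signal ({direction}) set=({signal}) peer={peer},"


if __name__ == "__main__":
    for (profile, direction, sig, peer), n in signal_denials(SAMPLE).items():
        print(f"{n}x denied in profile {profile}:")
        print("   ", candidate_rule(direction, sig, peer))
```

The rendered rule only restates what was denied; whether to add it to the dhclient profile or to confine the container differently is the policy decision the report leaves open.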