[Bug 1326865] Re: libvirt cannot kill dhcp in containers

Jamie Strandboge jamie at ubuntu.com
Thu Jun 5 21:49:33 UTC 2014 

John and I agree that probably the best thing is to no longer ship an
apparmor profile for libvirtd. That would give it the "unconfined" label
and it would therefore be able to kill processes in the libvirt-lxc
container.

That said, using libvirt-lxc at all is likely pretty dangerous operation
if you don't trust the container since there isn't any apparmor
confinement for the container like with lxc. Even if you did trust the
container, apparmor policy could be loaded from within the container and
apply to the host system, which is obviously bad and can lead to
unpredictable behavior. It might be a reasonable idea to either disable
the feature or invest time in a libvirt-lxc apparmor driver (istr quite
a bit of work on an selinux driver for libvirt-lxc and may remember
others trying to get apparmor support too).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1326865

Title:
  libvirt cannot kill dhcp in containers

Status in “isc-dhcp” package in Ubuntu:
  New

Bug description:
  If I create a ubuntu container and start it as a libvirt-lxc
  container, it runs under the host dhcp profile.  Then when I try virsh
  -c lxc:/// destroy c1, libvirtd tries to kill dhcp in the container
  but fails:

  Jun  5 17:54:14 t1 kernel: [ 2563.620698] type=1400 audit(1401983654.375:28): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4304 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
  Jun  5 17:54:14 t1 kernel: [ 2563.660491] type=1400 audit(1401983654.415:29): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
  Jun  5 17:54:14 t1 kernel: [ 2563.660600] type=1400 audit(1401983654.415:30): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"

  I don't actually understand the mechanisms here (that a profile should
  be able to refuse receiving signals), and it seems like the proper fix
  is to have libvirt-lxc start containers confined in a container
  policy, but Jamie seemed to have another solution, which would be
  great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1326865/+subscriptions

More information about the foundations-bugs mailing list