[Bug 1326865] Re: libvirt cannot kill dhcp in containers

Serge Hallyn 1326865 at bugs.launchpad.net
Fri Jun 6 03:31:52 UTC 2014 

Summary:

libvirt runs under its own profile;  it starts a container which starts
dhclient which runs under dhclient's profile;  libvirt, bc it is confined,
cannot signal dhclient unless dhclient's policy allows that.

Ideally libvirt-lxc would start containers under a lxc-libvirt-container
policy, so that dhclient in the container stayed in that policy (or
entered a stacked policy).  Until we have time to do that, having
libvirt run unconfined would bypass the restriction on dhclient accepting
signals.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1326865

Title:
  libvirt cannot kill dhcp in containers

Status in “isc-dhcp” package in Ubuntu:
  New

Bug description:
  If I create a ubuntu container and start it as a libvirt-lxc
  container, it runs under the host dhcp profile.  Then when I try virsh
  -c lxc:/// destroy c1, libvirtd tries to kill dhcp in the container
  but fails:

  Jun  5 17:54:14 t1 kernel: [ 2563.620698] type=1400 audit(1401983654.375:28): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4304 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
  Jun  5 17:54:14 t1 kernel: [ 2563.660491] type=1400 audit(1401983654.415:29): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
  Jun  5 17:54:14 t1 kernel: [ 2563.660600] type=1400 audit(1401983654.415:30): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=4293 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"

  I don't actually understand the mechanisms here (that a profile should
  be able to refuse receiving signals), and it seems like the proper fix
  is to have libvirt-lxc start containers confined in a container
  policy, but Jamie seemed to have another solution, which would be
  great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1326865/+subscriptions

More information about the foundations-bugs mailing list