[Bug 1654624] Re: dhcp apparmor profile complains about lxd client

Seth Arnold 1654624 at bugs.launchpad.net
Tue Jan 31 23:43:51 UTC 2017


Hadmut, AppArmor's stacking support was intended to allow supporting
unmodified Ubuntu inside LXD containers. If you're feeling up for some
experimentation, you could try to disable this feature by setting the
kernel.unprivileged_userns_apparmor_policy sysctl to 0 early in a system
boot, preferably before LXD starts. This should cause the attempts to
set policy within LXDs to fail, and either the services will then refuse
to start or they'll fall back to their old behaviour. (This reflects my
lack of familiarity with LXD.)

I'll note that this is a wild guess; I'd feel more comfortable giving
this advice on IRC than in a public bug tracker where it might do more
harm than good. But I'm cautiously optimistic that this might give you a
system you'd be happier using.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1654624

Title:
  dhcp apparmor profile complains about lxd client

Status in apparmor package in Ubuntu:
  Confirmed
Status in isc-dhcp package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  strange problem recently occurred:

  I'm having some Ubuntu machines running in LXD (nothing unusual, just
  based on the regular Ubuntu LXD images) on an Ubuntu host. Worked well
  for some time.

  But now the host generates messages like


  Jan  6 19:17:05 monstrum kernel: [ 1063.263531] audit: type=1400
  audit(1483726625.388:247): apparmor="DENIED" operation="file_perm"
  namespace="root//lxd-rackadmin_<var-lib-lxd>" profile="/sbin/dhclient"
  name="/apparmor/.null" pid=5125 comm="dhclient" requested_mask="w"
  denied_mask="w" fsuid=165536 ouid=0

  
  in /var/log/kern.log. 

  For some reason the apparmor running on the host interferes with the
  containers.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: isc-dhcp-client 4.3.3-5ubuntu12.6
  ProcVersionSignature: Ubuntu 4.4.0-57.78-generic 4.4.35
  Uname: Linux 4.4.0-57-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.4
  Architecture: amd64
  CurrentDesktop: LXDE
  Date: Fri Jan  6 19:19:12 2017
  SourcePackage: isc-dhcp
  UpgradeStatus: Upgraded to xenial on 2016-04-06 (275 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1654624/+subscriptions
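
For triaging host log entries like the one in the bug description, here is an added example (not part of the original thread) that parses an AppArmor denial and reports whether it was raised under a policy namespace loaded inside an LXD container rather than under the host's own profile. The `root//lxd-<name>_<...>` namespace pattern is an assumption inferred from the single log line quoted in the report.

```python
import re

# Constructed input: the denial quoted in the bug description, with the
# mail-wrapped lines rejoined into the single line the kernel logged.
SAMPLE = (
    'Jan  6 19:17:05 monstrum kernel: [ 1063.263531] audit: type=1400 '
    'audit(1483726625.388:247): apparmor="DENIED" operation="file_perm" '
    'namespace="root//lxd-rackadmin_<var-lib-lxd>" profile="/sbin/dhclient" '
    'name="/apparmor/.null" pid=5125 comm="dhclient" requested_mask="w" '
    'denied_mask="w" fsuid=165536 ouid=0'
)

# Audit fields are either key="quoted value" or key=bare_value.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: container policy namespaces look like root//lxd-<name>_<...>,
# inferred from the one sample line on this page.
LXD_NS = re.compile(r'^root//lxd-(?P<container>.+)_<[^<>]*>$')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED line, else None."""
    fields = {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD.finditer(line)
    }
    return fields if fields.get('apparmor') == 'DENIED' else None


def classify(line):
    """Attribute a denial to host policy or to a container's stacked policy."""
    f = parse_denial(line)
    if f is None:
        return None
    ns = f.get('namespace')
    m = LXD_NS.match(ns) if ns else None
    return {
        'origin': 'container' if m else ('namespace' if ns else 'host'),
        'container': m.group('container') if m else None,
        'profile': f.get('profile'),
        'path': f.get('name'),
        'denied': f.get('denied_mask'),
        'fsuid': int(f['fsuid']) if 'fsuid' in f else None,
    }


if __name__ == '__main__':
    print(classify(SAMPLE))
```
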
