[Bug 1085996] New: LXD container network setup fails on OpenSuse with apparmor denials
http://bugzilla.opensuse.org/show_bug.cgi?id=1085996

Bug ID: 1085996
Summary: LXD container network setup fails on OpenSuse with apparmor denials
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: bzeller@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Creating and setting up LXD containers did work with openSuse Leap 42.x, however on newer versions (Leap15 and Tumbleweed) this started to fail:

https://github.com/lxc/lxd/issues/4340

This seems to point into the direction of a problem with the openSuse kernel or maybe missing patches (see comment https://github.com/lxc/lxd/issues/4340#issuecomment-374273862).

Network setup fails even though the container apparmor profiles should allow it. Some of the apparmor failures (more info to be found in the LXD bug):

type=AVC msg=audit(1521468900.083:152): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4014 comm="dhclient" family="packet" sock_type="raw" protocol=768
type=AVC msg=audit(1521468900.459:153): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4068 comm="ifconfig" family="inet" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468900.459:154): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4068 comm="ifconfig" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468900.459:155): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4068 comm="ifconfig" family="inet" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468900.459:156): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4068 comm="ifconfig" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.219:157): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4096 comm="snapd" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1521468901.219:158): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4096 comm="snapd" family="inet6" sock_type="stream" protocol=6
type=AVC msg=audit(1521468901.219:159): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4096 comm="snapd" family="inet6" sock_type="stream" protocol=6
type=AVC msg=audit(1521468901.235:160): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4094 comm="rsyslogd" family="inet" sock_type="dgram" protocol=0

-- 
You are receiving this mail because: You are on the CC list for the bug.
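As an added example (not part of the bug report, LXD or AppArmor), a small Python parser for AVC audit lines of the shape quoted above. It tallies denied socket creates per program, address family and socket type, and flags the oddity the report shows: denials recorded against profile "unconfined" inside an LXD policy namespace, where no profile rule should be mediating at all. The field regex and the embedded sample lines are constructed here.

```python
import re
from collections import Counter

# Constructed sample: three of the AVC denial lines from the bug report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1521468900.083:152): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4014 comm="dhclient" family="packet" sock_type="raw" protocol=768
type=AVC msg=audit(1521468900.459:153): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4068 comm="ifconfig" family="inet" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.219:157): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4096 comm="snapd" family="inet" sock_type="stream" protocol=6
"""

# key=value or key="quoted value"; quoted values may contain '<', '>' and '/'
# (the LXD namespace does), so they are consumed as one token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return an AVC record as a dict of field -> string, or None for non-AVC lines."""
    if not line.startswith("type=AVC"):
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def summarize(audit_text):
    """Count DENIED events per (comm, family, sock_type) and collect the policy
    namespaces in which a denial was attributed to profile "unconfined"."""
    counts = Counter()
    unconfined_in_ns = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        key = (rec.get("comm", "?"), rec.get("family", "?"), rec.get("sock_type", "?"))
        counts[key] += 1
        # A "//" in the namespace means a child policy namespace (here: the LXD
        # container's). An unconfined task should not be denied there; record it.
        if rec.get("profile") == "unconfined" and "//" in rec.get("namespace", ""):
            unconfined_in_ns.add(rec["namespace"])
    return counts, sorted(unconfined_in_ns)


if __name__ == "__main__":
    counts, ns = summarize(SAMPLE_AUDIT)
    for (comm, family, sock_type), n in counts.most_common():
        print(f"{n:3d}  {comm:<10} {family:<7} {sock_type}")
    for name in ns:
        print(f"unconfined denied inside namespace: {name}")
```

Run it against `journalctl -k` or `/var/log/audit/audit.log` output to see which programs in the container are being refused and whether the "unconfined" anomaly reproduces.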
--- Comment #2 from John Johansen
From the logs this can not even be attributed to the difference between Ubuntu carrying fine-grained mediation of af_unix sockets and SUSE carrying just the broader coarse-grained socket mediation, as all of the denials are around inet and inet6.

There is something different in the lxd or system setup that is leading to these denials, which we need to trace down. As for the comment in the lxd issue, that was not meant as a definitive "it's an openSUSE kernel issue". It was very much: SUSE is carrying a slightly different patchset than Ubuntu or the upstream kernel (which currently has no network mediation), and that is the place where I would start looking. So far, however, I don't have enough info to determine what the difference is that is causing this.
--- Comment #3 from Benjamin Zeller

--- Comment #4 from John Johansen

--- Comment #5 from Benjamin Zeller

--- Comment #6 from Benjamin Zeller

--- Comment #7 from John Johansen

--- Comment #8 from Goldwyn Rodrigues

--- Comment #9 from John Johansen

--- Comment #10 from Benjamin Zeller

--- Comment #11 from Goldwyn Rodrigues