http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 http://bugzilla.opensuse.org/show_bug.cgi?id=1036360#c2 --- Comment #2 from Markos Chandras --- OK seems like the missing files are in the apparmor-profiles package. However, it still doesn't make sense why lxc-start fails to work with apparmor errors even when apparmor is not installed. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 http://bugzilla.opensuse.org/show_bug.cgi?id=1036360#c7 Johannes Kastl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED --- Comment #7 from Johannes Kastl --- Sorry for the late answer. I can reproduce the issue. I am not sure if it can be solved by adding the right rpm dependency/recommends on apparmor to the lxc package. Can you test this order: - grab a new leap 42.2 machine/VM - Install the apparmor-utils and apparmor-parser packages, which pull in all apparmor packages needed - systemctl start apparmor - install lxc (there should be no error/warning about /etc/init.d/boot.apparmor during installation) - create the container - start the container I get an error regarding fuse, but the start works. lxc-start: utils.c: open_without_symlink: 1626 No such file or directory - Error examining fuse in /usr/lib64/lxc/rootfs/sys/fs/fuse/connections -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 Markos Chandras changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |opensuse_buildservice@ojkas | |tl.de Flags| |needinfo?(opensuse_buildser | |vice@ojkastl.de) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 http://bugzilla.opensuse.org/show_bug.cgi?id=1036360#c10 --- Comment #10 from Markos Chandras --- (In reply to Johannes Kastl from comment #9)

Sorry for the late answer, I was on and off with this.

zypper in apparmor-profiles and a start of apparmor.service (before installing lxc) is enough to get this going.

And it seems you need apparmor to use lxc, even if you want your containers to be unconfined (which is the default on openSUSE, as apparmor is using some features that are not in the upstream kernel yet, IIRC).

Ok fair enough then.

I think this should be reflected in the packages dependencies, however I am not sure if this is worth a maintenance release for Leap 42.2.

But this is a real problem right. I mean, you 'zypper in lxc' and you expect it to work in 42.2. So in my opinion I think that dependencies need to be fixed there as well. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 http://bugzilla.opensuse.org/show_bug.cgi?id=1036360#c11 --- Comment #11 from Johannes Kastl --- I am working on this (after some delay) and will prepare new packages this weekend. I am in contact with cboltz to see how to handle this the least intrusive way... -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 http://bugzilla.opensuse.org/show_bug.cgi?id=1036360#c13 Markos Chandras changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(markos.chandras@s | |use.com) | --- Comment #13 from Markos Chandras --- (In reply to Johannes Kastl from comment #12)

I got some more information from cboltz.

- apparmor is set to enabled after installation, so after a reboot it should be active - lxc requiring apparmor-abstractions should pull in all needed dependencies - Reloading the service or reloading the profile after installation (i.e. in the %post section) should do the trick if apparmor is already running

I prepared an update in home:ojkastl_buildservice:branches:openSUSE:Leap:42.2:Update and enabled publishing.

Marco, could you test the following:

- systemctl status apparmor.service - install lxc package from the repo given above - systemctl status apparmor.service - sudo lxc-create -t download --name foo ...

This works for me even without a reboot of the machine. If this also works for you, I can try to get this released as an update.

This still does not work for me on a fresh 42.2 vagrant installation vagrant-openSUSE-Leap:/home/vagrant # systemctl status apparmor ● apparmor.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead) vagrant-openSUSE-Leap:/home/vagrant # zypper ar --priority 10 http://download.opensuse.org/repositories/home:/ojkastl_buildservice:/branch... vagrant-openSUSE-Leap:/home/vagrant # zypper in lxc The following 15 NEW packages are going to be installed: apparmor-abstractions apparmor-parser bsdtar build build-mkbaselibs build-mkdrpms deltarpm libcap-progs libpython3_4m1_0 lxc perl-Crypt-SSLeay perl-YAML perl-YAML-LibYAML python3-base qemu-linux-user The following 7 recommended packages were automatically selected: bsdtar build build-mkdrpms perl-Crypt-SSLeay perl-YAML perl-YAML-LibYAML qemu-linux-user vagrant-openSUSE-Leap:/home/vagrant # systemctl status apparmor ● apparmor.service - Load AppArmor profiles Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) Active: inactive (dead) vagrant-openSUSE-Leap:/home/vagrant # lxc-create -t download --name foo -- --dist opensuse --release 42.2 --arch amd64 --force-cache --server images.linuxcontainers.org --variant=default Setting up the GPG keyring Downloading the image index Downloading the rootfs Downloading the metadata The image cache is now ready Unpacking the rootfs ... vagrant-openSUSE-Leap:/home/vagrant # lxc-start -F --name foo lxc-start: utils.c: open_without_symlink: 1626 No such file or directory - Error examining fuse in /usr/lib64/lxc/rootfs/sys/fs/fuse/connections lxc-start: lsm/apparmor.c: apparmor_process_label_set: 183 No such file or directory - failed to change apparmor profile to lxc-container-default lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 4 lxc-start: start.c: __lxc_start: 1192 failed to spawn 'foo' lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls,net_prio/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/pids/init.scope/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/perf_event/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/hugetlb/lxc/foo lxc-start: cgfs.c: cgroup_rmdir: 207 Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/lxc/foo lxc-start: lxc_start.c: main: 344 The container failed to start. lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options. Apparmor is not being started after lxc installation. The changes you made in the spec file do not seem to start apparmor unconditionally. It only does it if apparmor was previously enabled. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1036360 http://bugzilla.opensuse.org/show_bug.cgi?id=1036360#c15 --- Comment #15 from Johannes Kastl --- OK, reloading the profile after installation does not work either. Marco, I am forwarding the state that you tested as an Update for 42.2 and 42.3. This does not fix the issue completely, but it eases the burden on the user: Reboot the machine or start apparmor and all is working. https://build.opensuse.org/request/show/511706 https://build.opensuse.org/request/show/511707 -- You are receiving this mail because: You are on the CC list for the bug.