lxc-attach needs to mount a /proc for apparmor's use

Bug #1452451 reported by Christopher Townsend
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)
Fix Released
High
Serge Hallyn

Bug Description

I develop and maintain the unity8-lxc package (lp:unity8-preview-lxc) which uses an unpacked Ubuntu Next Desktop ISO as a privileged rootfs. It uses the lxc-container-default-with-nesting apparmor profile since we'd like to support containers within this.

When I try to do a lxc-start. lxc-wait(RUNNING), and lxc-attach for the first time in my setup script, I get the following error:

lxc_container: lsm/apparmor.c: apparmor_process_label_set: 183 No such file or directory - failed to change apparmor profile to lxc-container-default-with-nesting

I believe this is a race because if I introduce a sleep of say 0.5 seconds between the lxc-wait and lxc-attach, then it works. It also works for any subsequent lxc-start/lxc-wait/lxc-attach after this failure.

Please let me know if I can provide more info.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: lxc 1.1.2-0ubuntu3
ProcVersionSignature: Ubuntu 3.19.0-16.16-generic 3.19.3
Uname: Linux 3.19.0-16-generic x86_64
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 6 16:47:14 2015
InstallationDate: Installed on 2013-03-18 (779 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
SourcePackage: lxc
UpgradeStatus: Upgraded to vivid on 2014-10-20 (198 days ago)

Revision history for this message
Christopher Townsend (townsend) wrote :
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Hi,

could you please show a simple script (doing lxc-create && lxc-start && lxc-wait && lxc-attach) that I could reproduce with?

Just to be sure - you get this error running this by hand, right? If it happens at boot time, then you should make sure that the 'lxc' init job has completed before your job begins, since that is the one which will load the apparmor profiles.

Changed in lxc (Ubuntu):
status: New → Incomplete
Revision history for this message
Christopher Townsend (townsend) wrote :

Hi Serge,

This does not happen when doing this by hand, only in a script. And I can't seem to reproduce on a container created using a template. So far, I've only been able to reproduce this when creating the container using the procedure in lp:unity8-preview-lxc. This is a project that was started by stgraber and taken over by me.

Basically, it's a python script that creates a specialized config and uses an unpacked Ubuntu Desktop Next (Unity 8) ISO to start up the Unity 8 session inside the container. If you'd like to try it, you can add ppa:unity8-desktop-session-team/unity8-preview-lxc.

I'll also attach the config and the output of the logs when this issue occurs.

Thanks!

Revision history for this message
Christopher Townsend (townsend) wrote :

I've been trying to capture a log of the failure when running lxc-attach and it seems to cause just enough delay to get by the race. Also, it does not always occur, but more time than not, the error happens leading more credence to this being a race. I've attached the config I use for the container.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1452451] Re: failed to change apparmor profile to lxc-container-default-with-nesting

I assume that bin/unity8-lxc-compositor is the script you are using. But
how does it get run? Do I just install that package in a container to
reproduce this?

Revision history for this message
Christopher Townsend (townsend) wrote : Re: failed to change apparmor profile to lxc-container-default-with-nesting

Actually, running "sudo unity8-lxc-setup" has a start/wait/attach sequence that is causing failures. Another way I try to reproduce after the whole container is setup is to create a little script with the following:

lxc-start -n unity8-lxc
lxc-wait -t 5 -s RUNNING -n unity8-lxc
lxc-attach -n unity8-lxc -- uname -a

Run that as sudo since it's privileged and I can sometimes get the apparmor error. Keep in mind that after the container starts for the first time, I have never been able to reproduce this issue unless I reboot. Just doing a lxc-stop is not enough.

Also, if you still need some help, you can ping me on irc @ ChrisTownsend.

Changed in lxc (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Critical
status: Triaged → New
importance: Critical → High
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Which distribution is in the rootfs?

Changed in lxc (Ubuntu):
status: New → Incomplete
Revision history for this message
Christopher Townsend (townsend) wrote :

The rootfs used Vivid and now Wily, but the issue remains with both.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

I cannot reproduce this.

Would it be possible to coordinate your handing off a broken system to me? Unfortunately I am out tomorrow and Friday, but perhaps sometime next week?

Revision history for this message
Christopher Townsend (townsend) wrote :

Dang, I was afraid you might not be able to reproduce, being a race and all. I'm not sure it's possible to hand off the system as it's my primary development machine.

I think I will take a stab in trying to debug this. A quick looks shows that it is failing in this block in lsm/apparmor.c:

if (aa_change_profile(label) < 0)

Looking in the apparmor source code shows a few places this may fail, especially with the "No such file or directory" errno value.

The call(s) in setprocattr(), particularly procattr_path(). I'm thinking that perhaps the /proc path is not really fully up before lxc_wait says that the container is in a RUNNING state. I'm using SSD's which may or may not make a difference, but they can sometimes add some races due to their fast nature.

Next, I will look into what exactly lxc_wait is querying to know when it is RUNNING...

Revision history for this message
Christopher Townsend (townsend) wrote :

So, if I remove the lxc-wait out of the start/wait/attach sequence, then I always get the failure. This really points to a race where RUNNING is being reported before it is really fully started.

It looks like the RUNNING state is set in start.c, so perhaps it is being set a bit too early where some asynchronous activity isn't really complete yet???? I'll continue to look in that area.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

This happens if the container config doe snot specify mounting /proc, because there is no (or a wrong) /proc in the container until the container's init mounts it.

So lxc-attach needs to mount a temporary /proc (after switching namespaces) for the sake of setting the lsm label.

Changed in lxc (Ubuntu):
status: Incomplete → Triaged
summary: - failed to change apparmor profile to lxc-container-default-with-nesting
+ lxc-attach needs to mount a /proc for apparmor's use
Changed in lxc (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks again for opening this bug. A candidate fix has been sent to the lxc-devel mailing list. The workaround is to make sure that the lxc configuration mounts a procfs for the container, using either a lxc.mount.entry or lxc.mount.auto.

Changed in lxc (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.