-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apparmor profile breaks systemd PrivateNetwork=yes #4333
Comments
The workaround in our images is to have Privatenetwork=no on systemd >= 254. The real fix is running an updated apparmor along with the change in LXC profile that we merged a few days ago. Closing as there's nothing actionable at this stage. We have already merged the apparmor policy change that would fix that and we've already been shipping with a workaround in our images for weeks now. |
I'm running into this issue as well as it made the systemd autopkgtest fail on Debian stable and eventually arrived at this bug report after some digging.
I wonder what can be done about this in Debian stable. |
@mbiebl it was an apparmor parser bug which @mihalicyn fixed a little while back. So you need to either get the apparmor userspace updated to the 3.0.12 bugfix release or have the content of 3.0.10, 3.0.11 and 3.0.12 applied to your current apparmor version. Once that's done, then it should be safe to apply 890de07 to LXC. |
@stgraber ok, the issue I'm seeing is a different issue then, because upgrading apparmor to 3.0.12 and applying the above commit on top of lxc 5.0.2 did not help. The only thing that helped so far was upgrading the kernel from 6.1.38 (bookworm) to trixie (6.4.11). The apparmor denial log messages are exactly the same, which is why I thought it's the same issue. |
Maybe this is a different issue... in a clean minimal install of bookworm (apparmor 3.0.8, lxc 5.0.2, kernel 6.1.38) I get the error initially reported. However, if I install kernel 6.4.4 from bookworm-backports, then starting a service with PrivateNetwork=yes works just fine. |
Yes, that's what I meant -- sorry for any confusion! |
Required information
Issue description
It has been discovered that lxc containers with the default apparmor profile are preventing systemd services with
PrivateNetwork=yes
from starting. There is a bug in Debian that I've been able to reproduce with the steps below; another bug has been reported against LXD which I think has the same root cause.On the host, the following message appears in the kernel logs when the service fails to start:
I am aware of #820, but as that's five years old I'm hoping there is some other reason why this isn't working properly.
I have tried to modify the generated apparmor profile snippet as defined in
src/lxc/lsm/apparmor.c
'sAA_PROFILE_UNIX_SOCKETS
withunix (send)
and even justunix
, but that didn't seem to help. Admittedly, I'm not super experienced with apparmor, so maybe that's not the correct way to allow the access that is currently being denied within the container.Steps to reproduce
This is easy to reproduce in a container with the default apparmor profile enabled. From the Debian bug report:
Known workarounds
PrivateNetwork=no
in affected service files (requires manual editing of configuration files)The text was updated successfully, but these errors were encountered: