No AppArmor confinement on openSUSE prevents container startup #3345

Closed
morphis opened this Issue May 24, 2017 · 6 comments


morphis commented May 24, 2017

The template below is mostly useful for bug reports and support questions.
Feel free to remove anything which doesn't apply to you and add more information where it makes sense.

Required information

  • Distribution: openSUSE
  • Distribution version: 42.2
  • The output of "lxc info" or if that fails:
    • Kernel version: 4.4.49-16-default
    • LXC version:
    • LXD version: 2.13 (snap revision 2071)
    • Storage backend in use: dir

Issue description

Install the lxd snap on openSUSE and start a new container via

simon@linux-82h5:~> lxc launch ubuntu:16.04 test
If this is your first time using LXD, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:16.04

Creating test
Starting test                               
error: Failed to run: /snap/lxd/2071/bin/lxd forkstart test /var/snap/lxd/common/lxd/containers /var/snap/lxd/common/lxd/logs/test/lxc.conf: 
Try `lxc info --show-log local:test` for more info

Looking at the log file of the container shows

simon@linux-82h5:~> lxc info --show-log local:test
Name: test
Remote: unix:/var/snap/lxd/common/lxd/unix.socket
Architecture: x86_64
Created: 2017/05/24 13:26 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

            lxc 20170524132636.144 WARN     lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:218 - Incomplete AppArmor support in your kernel
            lxc 20170524132636.144 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start this container, set
            lxc 20170524132636.144 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
            lxc 20170524132636.144 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:222 - in your container configuration file
            lxc 20170524132636.144 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
            lxc 20170524132636.144 ERROR    lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "test".
            lxc 20170524132636.694 ERROR    lxc_conf - conf.c:run_buffer:405 - Script exited with status 1.
            lxc 20170524132636.694 ERROR    lxc_start - start.c:lxc_fini:546 - Failed to run lxc.hook.post-stop for container "test".
            lxc 20170524132636.694 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - Command get_cgroup failed to receive response: Connection reset by peer.
            lxc 20170524132636.694 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - Command get_cgroup failed to receive response: Connection reset by peer.

Disabling AppArmor profiles for the container via

$ lxc config set test raw.lxc "lxc.aa_profile=unconfined"

makes the container start and become usable.

LXD needs some kind of auto-detection for such cases.

Steps to reproduce

See description

Information to attach

  • any relevant kernel output (dmesg)
  • container log (lxc info NAME --show-log)
  • main daemon log (/var/log/lxd.log)
  • output of the client with --debug
  • output of the daemon with --debug

stgraber commented May 24, 2017

LXD does have auto-detection through liblxc for that. That's why you got the error and the container was prevented from starting.

If we had let the container start, you'd have been misled into thinking that it's properly confined when it's really not as your system has partial apparmor support (it's not disabled, it's present but doesn't cover everything we need).

So at the LXD level we don't plan on changing that as it's the same code which protects machines that got a new kernel with apparmor coverage regression.

That being said, we should do something about the snap package. Basically detecting openSUSE and setting "lxc.aa_allow_incomplete = 1" in such cases as we know that the normal openSUSE kernel requires that to function.
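The two pieces discussed in this thread, liblxc's refusal when the kernel only partly supports AppArmor and a distribution check that decides whether the allow-incomplete override is needed, as an added example (not LXD's or the snap package's own code). The function names, the os-release samples and the log lines are constructed for the example; only openSUSE is treated as needing the override, since that is the one case the thread establishes.

```shell
#!/bin/sh
# Added example (not LXD's or the snap's own code): decide, from the
# distribution ID in an os-release file, whether to add the
# lxc.aa_allow_incomplete=1 override that openSUSE's stock kernel needs,
# and classify an lxc container log to tell the "incomplete AppArmor
# support" refusal apart from other start failures.

# Constructed sample os-release contents.
OS_RELEASE_SUSE='NAME="openSUSE Leap"
ID=opensuse
PRETTY_NAME="openSUSE Leap 42.2"'
OS_RELEASE_UBUNTU='NAME="Ubuntu"
ID=ubuntu
PRETTY_NAME="Ubuntu 16.04.2 LTS"'

# Returns 0 when the os-release text (on stdin) names a distribution whose
# kernel is known to advertise only partial AppArmor support (openSUSE here).
needs_aa_allow_incomplete() {
    id=$(sed -n 's/^ID=//p' | tr -d '"')
    case "$id" in
        opensuse*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the raw.lxc value to set for this host: the allow-incomplete
# override on openSUSE, nothing elsewhere (so confinement stays fully enforced).
raw_lxc_for_host() {
    if printf '%s\n' "$1" | needs_aa_allow_incomplete; then
        printf 'lxc.aa_allow_incomplete = 1\n'
    fi
}

# Constructed log lines in the format printed by `lxc info --show-log`.
LOG_INCOMPLETE='lxc 20170524132636.144 WARN lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:218 - Incomplete AppArmor support in your kernel
lxc 20170524132636.144 ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "test".'
LOG_OTHER='lxc 20170524132636.694 ERROR lxc_conf - conf.c:run_buffer:405 - Script exited with status 1.'

# Returns 0 when the log shows the partial-AppArmor refusal described above.
log_shows_incomplete_apparmor() {
    printf '%s\n' "$1" | grep -q 'lxc_apparmor .*Incomplete AppArmor support'
}
```

Unlike `lxc.aa_profile=unconfined`, the allow-incomplete override keeps the container's AppArmor profile applied and only tells liblxc to proceed despite the kernel's partial coverage.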

morphis commented May 24, 2017

> So at the LXD level we don't plan on changing that as it's the same code which protects machines that got a new kernel with apparmor coverage regression.

Sounds good to me.

> That being said, we should do something about the snap package. Basically detecting openSUSE and setting "lxc.aa_allow_incomplete = 1" in such cases as we know that the normal openSUSE kernel requires that to function.

If you do that we need to see which other distributions we need to include. I haven't tested Fedora yet but I guess we have a similar problem there.


stgraber commented May 24, 2017

Fedora should be fine as it doesn't have apparmor support at all.

The problem is when the kernel advertises apparmor support but doesn't come with the full set of capabilities that we expect.

morphis commented May 24, 2017

> The problem is when the kernel advertises apparmor support but doesn't come with the full set of capabilities that we expect.

Ok, thanks for the explanation!


stgraber commented May 24, 2017

linux-x9qb:~ # grep PRETTY_NAME /etc/os-release 
PRETTY_NAME="openSUSE Leap 42.2"

linux-x9qb:~ # snap install lxd --edge
lxd (edge) git-980ff11 from 'canonical' installed

linux-x9qb:~ # lxd init
Do you want to configure a new storage pool (yes/no) [default=yes]? 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (dir, btrfs) [default=dir]: 
Would you like LXD to be available over the network (yes/no) [default=no]? 
Would you like stale cached images to be updated automatically (yes/no) [default=yes]? 
Would you like to create a new network bridge (yes/no) [default=yes]? 
What should the new bridge be called [default=lxdbr0]? 
What IPv4 address should be used (CIDR subnet notation, “auto” or “none”) [default=auto]? 
What IPv6 address should be used (CIDR subnet notation, “auto” or “none”) [default=auto]? 
LXD has been successfully configured.

linux-x9qb:~ # lxc launch images:alpine/edge c1
If this is your first time using LXD, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:16.04

Creating c1
Starting c1
linux-x9qb:~ # lxc list
+------+---------+-----------------------+----------------------------------------------+------------+-----------+
| NAME |  STATE  |         IPV4          |                     IPV6                     |    TYPE    | SNAPSHOTS |
+------+---------+-----------------------+----------------------------------------------+------------+-----------+
| c1   | RUNNING | 10.222.180.126 (eth0) | fd42:a607:f94c:a3b4:216:3eff:fe13:71b (eth0) | PERSISTENT | 0         |
+------+---------+-----------------------+----------------------------------------------+------------+-----------+

Fixed in edge, will push to candidate and then stable next.

@stgraber stgraber closed this May 24, 2017


stgraber commented May 24, 2017

(Also had to fight with snapd to get a proper /etc rather than openSUSE's)
