Regression in LXC Profiles for LXC/LXD 3.0 #4393

Closed
trevorgfrancis opened this Issue Apr 3, 2018 · 5 comments


trevorgfrancis commented Apr 3, 2018

Required information

Ubuntu 16.04
Linux f8-c1-n12 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

lxd 3.0.0 6418 canonical -

Issue description

Launching a container with raw LXD commands fails:

Error: Failed container creation:

Steps to reproduce

Profile information. Have tried backing out each raw.lxc value. Same issue.

    config:
      raw.lxc: |-
        lxc.aa_profile=unconfined
        lxc.cgroup.devices.allow=a
        lxc.mount.auto=proc:rw sys:ro cgroup:ro
        lxc.kmsg=0
        lxc.autodev=1
      security.nesting: "true"
      security.privileged: "true"

trevorgfrancis commented Apr 3, 2018

    root@f8-c1-n12:/var/log# lxc info
    config:
      core.https_address: '[::]:8443'
      core.trust_password: true
    api_extensions:

  • storage_zfs_remove_snapshots
  • container_host_shutdown_timeout
  • container_stop_priority
  • container_syscall_filtering
  • auth_pki
  • container_last_used_at
  • etag
  • patch
  • usb_devices
  • https_allowed_credentials
  • image_compression_algorithm
  • directory_manipulation
  • container_cpu_time
  • storage_zfs_use_refquota
  • storage_lvm_mount_options
  • network
  • profile_usedby
  • container_push
  • container_exec_recording
  • certificate_update
  • container_exec_signal_handling
  • gpu_devices
  • container_image_properties
  • migration_progress
  • id_map
  • network_firewall_filtering
  • network_routes
  • storage
  • file_delete
  • file_append
  • network_dhcp_expiry
  • storage_lvm_vg_rename
  • storage_lvm_thinpool_rename
  • network_vlan
  • image_create_aliases
  • container_stateless_copy
  • container_only_migration
  • storage_zfs_clone_copy
  • unix_device_rename
  • storage_lvm_use_thinpool
  • storage_rsync_bwlimit
  • network_vxlan_interface
  • storage_btrfs_mount_options
  • entity_description
  • image_force_refresh
  • storage_lvm_lv_resizing
  • id_map_base
  • file_symlinks
  • container_push_target
  • network_vlan_physical
  • storage_images_delete
  • container_edit_metadata
  • container_snapshot_stateful_migration
  • storage_driver_ceph
  • storage_ceph_user_name
  • resource_limits
  • storage_volatile_initial_source
  • storage_ceph_force_osd_reuse
  • storage_block_filesystem_btrfs
  • resources
  • kernel_limits
  • storage_api_volume_rename
  • macaroon_authentication
  • network_sriov
  • console
  • restrict_devlxd
  • migration_pre_copy
  • infiniband
  • maas_network
  • devlxd_events
  • proxy
  • network_dhcp_gateway
  • file_get_symlink
  • network_leases
  • unix_device_hotplug
  • storage_api_local_volume_handling
  • operation_description
  • clustering
  • event_lifecycle
  • storage_api_remote_volume_handling
  • nvidia_runtime

    api_status: stable
    api_version: "1.0"
    auth: trusted
    public: false
    auth_methods:
    - tls
    environment:
      addresses:
      - 172.16.3.212:8443
      architectures:
      - x86_64
      - i686
      certificate: |
      certificate_fingerprint: 35ad1a56f8c8cfd45d34a71601b975cccd0439219cdc1f26942c59218852dd9f
      driver: lxc
      driver_version: 3.0.0
      kernel: Linux
      kernel_architecture: x86_64
      kernel_version: 4.13.0-37-generic
      server: lxd
      server_pid: 7589
      server_version: 3.0.0
      storage: dir
      storage_version: "1"
      server_clustered: false
      server_name: f8-c1-n12
trevorgfrancis commented Apr 3, 2018

root@f8-c1-n12:/var/snap/lxd/common/lxd/logs/lb-dbb63d78-1# cat lxc.log
lxc 20180403065946.328 ERROR lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403065946.328 ERROR lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403065946.332 ERROR lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403065946.332 ERROR lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined

trevorgfrancis commented Apr 3, 2018

Turns out ANY raw.lxc argument fails. Seems raw.lxc profile values are broken in latest version.

@trevorgfrancis trevorgfrancis changed the title from Regression in LXC Profiles for LXD 3.0 to Regression in LXC Profiles for LXC/LXD 3.0 Apr 3, 2018

trevorgfrancis commented Apr 3, 2018

As a test, I removed all values and specified a single raw.lxc command. Still fails.

raw.lxc: lxc.aa_profile=unconfined

Member

brauner commented Apr 3, 2018

@trevorgfrancis, starting with the release of LXC 2.1 we have renamed a bunch of configuration keys and marked their old versions as deprecated. LXC 3.0 has removed support for the legacy configuration keys; that's why your config is failing. The list of new and old counterparts is:

    Legacy Key                           | New Key                       | Comments
    -------------------------------------|-------------------------------|---------
    lxc.aa_profile                       | lxc.apparmor.profile          |
    lxc.aa_allow_incomplete              | lxc.apparmor.allow_incomplete |
    lxc.console                          | lxc.console.path              |
    lxc.devttydir                        | lxc.tty.dir                   |
    lxc.haltsignal                       | lxc.signal.halt               |
    lxc.id_map                           | lxc.idmap                     |
    lxc.init_cmd                         | lxc.init.cmd                  |
    lxc.init_gid                         | lxc.init.gid                  |
    lxc.init_uid                         | lxc.init.uid                  |
    lxc.kmsg                             | -                             | removed
    lxc.limit                            | lxc.prlimit                   |
    lxc.logfile                          | lxc.log.file                  |
    lxc.loglevel                         | lxc.log.level                 |
    lxc.mount                            | lxc.mount.fstab               |
    lxc.network                          | lxc.net                       |
    lxc.network.                         | lxc.net.[i].                  |
    lxc.network.flags                    | lxc.net.[i].flags             |
    lxc.network.hwaddr                   | lxc.net.[i].hwaddr            |
    lxc.network.ipv4                     | lxc.net.[i].ipv4.address      |
    lxc.network.ipv4.gateway             | lxc.net.[i].ipv4.gateway      |
    lxc.network.ipv6                     | lxc.net.[i].ipv6.address      |
    lxc.network.ipv6.gateway             | lxc.net.[i].ipv6.gateway      |
    lxc.network.link                     | lxc.net.[i].link              |
    lxc.network.macvlan.mode             | lxc.net.[i].macvlan.mode      |
    lxc.network.mtu                      | lxc.net.[i].mtu               |
    lxc.network.name                     | lxc.net.[i].name              |
    lxc.network.script.down              | lxc.net.[i].script.down       |
    lxc.network.script.up                | lxc.net.[i].script.up         |
    lxc.network.type                     | lxc.net.[i].type              |
    lxc.network.veth.pair                | lxc.net.[i].veth.pair         |
    lxc.network.vlan.id                  | lxc.net.[i].vlan.id           |
    lxc.pivotdir                         | -                             | removed
    lxc.pts                              | lxc.pty.max                   |
    lxc.rebootsignal                     | lxc.signal.reboot             |
    lxc.rootfs                           | lxc.rootfs.path               |
    lxc.se_context                       | lxc.selinux.context           |
    lxc.seccomp                          | lxc.seccomp.profile           |
    lxc.stopsignal                       | lxc.signal.stop               |
    lxc.syslog                           | lxc.log.syslog                |
    lxc.tty                              | lxc.tty.max                   |
    lxc.utsname                          | lxc.uts.name                  |
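
The rename table above applied to a `raw.lxc` value, as an added example that is not part of this thread or of the LXC/LXD code base. The function name `migrate_raw_lxc`, the `RENAMED` subset, the rule that each legacy `lxc.network.type` line starts a new interface index, and the network lines in the sample are assumptions made for the illustration.

```python
import re

# Subset of the legacy -> new table in the comment above; None = no replacement key.
RENAMED = {
    "lxc.aa_profile": "lxc.apparmor.profile",
    "lxc.id_map": "lxc.idmap",
    "lxc.seccomp": "lxc.seccomp.profile",
    "lxc.kmsg": None,
}
NET_SUFFIX = {"ipv4": "ipv4.address", "ipv6": "ipv6.address"}
KEY_LINE = re.compile(r"\s*(lxc\.[\w.]+)\s*=\s*(.*)$")

def migrate_raw_lxc(raw):
    """Rewrite legacy keys in a raw.lxc value; return (new_text, findings)."""
    out, findings, idx = [], [], -1
    for line in raw.splitlines():
        m = KEY_LINE.match(line)
        key, value = m.groups() if m else (None, None)
        if key and key.startswith("lxc.network."):
            sub = key[len("lxc.network."):]
            if sub == "type":      # assumption: each legacy "type" line opens a new NIC
                idx += 1
            new = f"lxc.net.{max(idx, 0)}.{NET_SUFFIX.get(sub, sub)}"
        elif key in RENAMED:       # exact match only: lxc.mount.auto is not lxc.mount
            new = RENAMED[key]
        else:
            out.append(line)       # current keys, comments and blank lines pass through
            continue
        if new is None:
            findings.append(f"{key}: no replacement key, line dropped")
            continue
        findings.append(f"{key} -> {new}")
        out.append(f"{new}={value}")
        if (new, value) == ("lxc.apparmor.profile", "unconfined"):
            findings.append("lxc.apparmor.profile=unconfined: AppArmor confinement stays off")
    return "\n".join(out), findings

# raw.lxc from the report plus a constructed network stanza (lxdbr0 and the address are made up).
SAMPLE = """lxc.aa_profile=unconfined
lxc.cgroup.devices.allow=a
lxc.mount.auto=proc:rw sys:ro cgroup:ro
lxc.kmsg=0
lxc.autodev=1
lxc.network.type=veth
lxc.network.link=lxdbr0
lxc.network.ipv4=10.0.3.5/24"""

if __name__ == "__main__":
    new_text, notes = migrate_raw_lxc(SAMPLE)
    print(new_text, *notes, sep="\n")
```

The findings list doubles as a review trail: a migrated profile that still sets `lxc.apparmor.profile=unconfined` on a privileged container starts again under LXC 3.0 with no AppArmor confinement.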