Unknown configuration key "lxc.aa_profile"

[sajoupa]

Required information

• Distribution: Ubuntu
• Distribution version: 17.10
• The output of "lxc info":

  ubuntu@conjure-up-full:~$ lxc info
  config:
  core.https_address: '[::]'
  api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_stop_priority
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
  - id_map_base
  - file_symlinks
  - container_push_target
  - network_vlan_physical
  - storage_images_delete
  - container_edit_metadata
  - container_snapshot_stateful_migration
  - storage_driver_ceph
  - storage_ceph_user_name
  - resource_limits
  - storage_volatile_initial_source
  - storage_ceph_force_osd_reuse
  - storage_block_filesystem_btrfs
  - resources
  - kernel_limits
  - storage_api_volume_rename
  - macaroon_authentication
  - network_sriov
  - console
  - restrict_devlxd
  - migration_pre_copy
  - infiniband
  - maas_network
  - devlxd_events
  - proxy
  - network_dhcp_gateway
  - file_get_symlink
  - network_leases
  - unix_device_hotplug
  - storage_api_local_volume_handling
  - operation_description
  - clustering
  - event_lifecycle
  - storage_api_remote_volume_handling
  - nvidia_runtime
  api_status: stable
  api_version: "1.0"
  auth: trusted
  public: false
  auth_methods:
  - tls
  environment:
  addresses:
  - 10.138.148.1:8443
  - 10.101.0.1:8443
  - 10.100.123.113:8443
  architectures:
  - x86_64
  - i686
  certificate: |
  -----BEGIN CERTIFICATE-----
  MIIFWzCCA0OgAwIBAgIQPRv0PZz7lgiTt+ZeuXYLBjANBgkqhkiG9w0BAQsFADA9
  MRwwGgYDVQQKExNsaW51eGNvbnRhaW5lcnMub3JnMR0wGwYDVQQDDBRyb290QGNv
  bmp1cmUtdXAtZnVsbDAeFw0xODAzMjcxOTA5MDRaFw0yODAzMjQxOTA5MDRaMD0x
  HDAaBgNVBAoTE2xpbnV4Y29udGFpbmVycy5vcmcxHTAbBgNVBAMMFHJvb3RAY29u
  anVyZS11cC1mdWxsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmcmM
  NIyC0iNb4nvkoD7nFOZ07Qi5IFbCduHS0PDsu8QIop00aRFPrfsZ69f3nmMeQn8r
  M50bzStzuMye0Y4ss3x5EYHhCjVAO4XM+Siijec4ZtFx+sPGgCYYYIrEi3oIt8SE
  X2RyZZFXJlqYGI+FCm6IVFNQjipFJkkM6rSxks5MqXdczpc72qeJHAiVAz3B3VCQ
  R4+rOeUa+I9o7ECvSmh3pKXfEhaS/PV8Q12GghTXyyMy1WZuBmyRHX2AzFHDG6yQ
  dO0khxaAqxskTpLUiPL6jhnxD4MIY+9nTKMul+VUn1OfOoLiLEXRVfyPWBygsgGL
  cffZUmul4M3WqTxHtCwa+9idsQPGptfeo0moChpNwYmVNR7FxI6J06WJpTLDXkFc
  GxW3i82v9b/NhIw4BRpKaHYGvLv4h97GChgqCiBlANZeLf06TlkjQb+fv2I3mZ4M
  HZVK+P8f0rQJ8JG7R7pauIrlaYXT5706MtbvFo6oHBTrjZwVUgpviJSYqYx5DICe
  x6bbzy/VYELA7cATKF6RrcJSja3ftI/LemT0f7Xz/IB/xrkkliYYSJ1MvjvGcf9i
  2/96URcL0uHlpE6Heiq9QCFjPTvSFU4Be83h/qZliBHoBAQiUtJ3XZRwpHmm6Ku0
  p1kCs1IdQJLXub7LP5P3d34f8WaH3ODWW1dwF1kCAwEAAaNXMFUwDgYDVR0PAQH/
  BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwIAYDVR0R
  BBkwF4IPY29uanVyZS11cC1mdWxshwQKZHtxMA0GCSqGSIb3DQEBCwUAA4ICAQCT
  +zB6B0rvn50uBwuMGN5usYnZqXgM4pt1+1m82WjEzDrnaGpFeL69ZynXs+YPuuJ+
  9sDmLYwhZ9oTh4fc5H36oT1HS8uZ/q9QC1mzUp/BF/V1l65PoJUm8uxpK2DJYwdn
  eImQ0DmKVja2jW6c6g5VHERymZV+ak5UNrk4jUu3kJxxcEfml4f+zUx/qY2p+MoU
  IwaW/XywlL2Wl/7R4Ipv6/IVwR3pm0SKQsxtUVHAy3USC4vKc379+abS4EwF/5Uw
  o0pPVgiv9ceRKvI9ChtAWnfZUb28w6zf2TyPC2+KCVJcXzYwmMF3y6275m8gbnKd
  Ft5AOSKzw4/wHVrAdegf+3EcS+QLeMIJcd7ny1Ta7iUyShfuZrYqxml8ln7QZBkj
  yxQILo0hp1qQktjCFDOPXGSibgDDzRnB8PkBqoejaZYEedfLArHlBXlZ5v8M4oJh
  kbFLt+GN6Bv6Dv4k3EUnpK7rW3mpEpDZPmAOdxLrLfehPBovERN5iUeReRz5fj6l
  d4TKdZQnKaBEyVK/A50Rz5QeVs+QLXhHMkrByIVnjBi9tMy7mNDKqCpP5mQ/aJyu
  5kuigh+R37ePV4t34CteQdc6lcml/swf4SI9/wp1icOZTM69mVd7syS5cor5Ra4Y
  HoB7GwkNhxDn8eipvc9JI+tHGvNRkfcBYsJhX/ymIQ==
  -----END CERTIFICATE-----
  certificate_fingerprint: 37ad2f7fb0776cbbd8f6acbaa264fa21bc5e0311f69bb35e7801768c674217bb
  driver: lxc
  driver_version: 3.0.0
  kernel: Linux
  kernel_architecture: x86_64
  kernel_version: 4.13.0-37-generic
  server: lxd
  server_pid: 5082
  server_version: 3.0.0
  storage: dir
  storage_version: "1"
  server_clustered: false
  server_name: conjure-up-full
  ubuntu@conjure-up-full:~$

Issue description

I'm using nested containers. Physical machine: ubuntu 17.10, running lxd 3.0.0 (stable snap). Within a nested container (security.nesting=true), I run several lxds created with conjure-up. They've been running fine until today:

ubuntu@conjure-up-full:~$ lxc start juju-61f4fa-0
Error: Failed to load raw.lxc
Try `lxc info --show-log juju-61f4fa-0` for more info
ubuntu@conjure-up-full:~$ lxc info --show-log juju-61f4fa-0
Name: juju-61f4fa-0
Remote: unix://
Architecture: x86_64
Created: 2018/03/27 19:14 UTC
Status: Stopped
Type: persistent
Profiles: default, juju-conjure-openstack-novalx-91b

Log:

            lxc 20180403092910.637 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
            lxc 20180403092910.637 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
            lxc 20180403092911.492 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
            lxc 20180403092911.492 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc 20180403100455.470 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403100455.471 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403100626.398 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403100626.398 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403100626.439 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403100626.440 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403100724.336 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403100724.337 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403100957.259 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403100957.264 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403150512.856 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403150512.856 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403151725.548 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403151725.548 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403155828.171 ERROR    lxc_confile - confile.c:parse_line:2340 - Unknown configuration key "lxc.aa_profile"
lxc 20180403155828.171 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403160106.716 ERROR    lxc_confile - confile.c:parse_line:2354 - Unknown configuration key "lxc.aa_profile"
lxc 20180403160106.717 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined
lxc 20180403160114.695 ERROR    lxc_confile - confile.c:parse_line:2354 - Unknown configuration key "lxc.aa_profile"
lxc 20180403160114.695 ERROR    lxc_parse - parse.c:lxc_file_for_each_line_mmap:102 - Failed to parse config: lxc.aa_profile=unconfined

Here is the profile used by this containers:

ubuntu@conjure-up-full:~$ lxc profile show juju-conjure-openstack-novalx-91b
config:
  boot.autostart: "true"
  linux.kernel_modules: openvswitch,nbd,ip_tables,ip6_tables,netlink_diag
  raw.lxc: |
    lxc.aa_profile=unconfined
    lxc.mount.auto=sys:rw
  security.nesting: "true"
  security.privileged: "true"
description: ""
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    nictype: bridged
    parent: conjureup0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: juju-conjure-openstack-novalx-91b
used_by:
- /1.0/containers/juju-61f4fa-0
- /1.0/containers/juju-61f4fa-1
- /1.0/containers/juju-61f4fa-10
- /1.0/containers/juju-61f4fa-11
- /1.0/containers/juju-61f4fa-12
- /1.0/containers/juju-61f4fa-13
- /1.0/containers/juju-61f4fa-14
- /1.0/containers/juju-61f4fa-15
- /1.0/containers/juju-61f4fa-2
- /1.0/containers/juju-61f4fa-3
- /1.0/containers/juju-61f4fa-4
- /1.0/containers/juju-61f4fa-5
- /1.0/containers/juju-61f4fa-6
- /1.0/containers/juju-61f4fa-7
- /1.0/containers/juju-61f4fa-8
- /1.0/containers/juju-61f4fa-9
ubuntu@conjure-up-full:~$

I tested with the --edge lxd snap, and got the same result.

Steps to reproduce

$ lxc profile create test
$ lxc profile set test raw.lxc lxc.aa_profile=unconfined
$ lxc launch -p test ubuntu:xenial test
Creating test
Error: Failed container creation:
 - https://cloud-images.ubuntu.com/releases: Failed to load raw.lxc

According to http://manpages.ubuntu.com/manpages/xenial/en/man5/lxc.container.conf.5.html, the above setting should work ?

Information to attach

• [ ] Any relevant kernel output (dmesg)
• [X] Container log (lxc info NAME --show-log)
• [ ] Container configuration (lxc config show NAME --expanded)
• [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
• [ ] Output of the client with --debug
• [ ] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue)

[brauner]

Starting with the release of LXC 2.1 we have renamed a bunch of configuration keys and marked their old versions as deprecated. LXC 3.0 has removed support for the legacy configuration keys that's why your config is failing. The list of new and old counterparts is:

    Legacy Key                           | New Key                       | Comments
    -------------------------------------|-------------------------------|---------
    lxc.aa_profile                       | lxc.apparmor.profile          |
    lxc.aa_allow_incomplete              | lxc.apparmor.allow_incomplete |
    lxc.console                          | lxc.console.path              |
    lxc.devttydir                        | lxc.tty.dir                   |
    lxc.haltsignal                       | lxc.signal.halt               |
    lxc.id_map                           | lxc.idmap                     |
    lxc.init_cmd                         | lxc.init.cmd                  |
    lxc.init_gid                         | lxc.init.gid                  |
    lxc.init_uid                         | lxc.init.uid                  |
    lxc.kmsg                             | -                             | removed
    lxc.limit                            | lxc.prlimit                   |
    lxc.logfile                          | lxc.log.file                  |
    lxc.loglevel                         | lxc.log.level                 |
    lxc.mount                            | lxc.mount.fstab               |
    lxc.network                          | lxc.net                       |
    lxc.network.                         | lxc.net.[i].                  |
    lxc.network.flags                    | lxc.net.[i].flags             |
    lxc.network.hwaddr                   | lxc.net.[i].hwaddr            |
    lxc.network.ipv4                     | lxc.net.[i].ipv4.address      |
    lxc.network.ipv4.gateway             | lxc.net.[i].ipv4.gateway      |
    lxc.network.ipv6                     | lxc.net.[i].ipv6.address      |
    lxc.network.ipv6.gateway             | lxc.net.[i].ipv6.gateway      |
    lxc.network.link                     | lxc.net.[i].link              |
    lxc.network.macvlan.mode             | lxc.net.[i].macvlan.mode      |
    lxc.network.mtu                      | lxc.net.[i].mtu               |
    lxc.network.name                     | lxc.net.[i].name              |
    lxc.network.script.down              | lxc.net.[i].script.down       |
    lxc.network.script.up                | lxc.net.[i].script.up         |
    lxc.network.type                     | lxc.net.[i].type              |
    lxc.network.veth.pair                | lxc.net.[i].veth.pair         |
    lxc.network.vlan.id                  | lxc.net.[i].vlan.id           |
    lxc.pivotdir                         | -                             | removed
    lxc.pts                              | lxc.pty.max                   |
    lxc.rebootsignal                     | lxc.signal.reboot             |
    lxc.rootfs                           | lxc.rootfs.path               |
    lxc.se_context                       | lxc.selinux.context           |
    lxc.seccomp                          | lxc.seccomp.profile           |
    lxc.stopsignal                       | lxc.signal.stop               |
    lxc.syslog                           | lxc.log.syslog                |
    lxc.tty                              | lxc.tty.max                   |
    lxc.utsname                          | lxc.uts.name                  |

[adamxchen]

Hi there, may I ask how to fix this "issue"? It seems I have the same problem. Of course, your post explained this issue clearly "config is failing" but I cannot figure it out how to fix this? My config is set by default. Since current LXC is 3.0, do I have to manually re-config manually? If so, how to do that? I'm sorry to ask such these naive questions. I'm a college student who just starts learning OpenStack. If you can point it out with any hints(like where I should go), it will be appreciated a lot! Thank you!

--update-- I searched old news for LXC 2.1, and found that I might use "lxc-update-config", but it said "lxc-update-config: command not found"

-----More background info ------ OS: Ubuntu 16.04LTS. How/Where I start: basically, follow the link here: https://www.ubuntu.com/download/cloud/try-openstack. Past progress: Install OpenStack without configuring anything a half month ago.

[sajoupa]

@zetelight You can change the config of a container with: lxc config set $container_name raw.lxc "lxc.apparmor.profile=unconfined'" or for a profile: lxc profile set $profile_name raw.lxc lxc.apparmor.profile=unconfined

I don't have a conjure-up novalxd deployment to test right now, but ISTR that I updated the profile, not each container individually.

[adamxchen]

@sajoupa Thank you so much! It works for me now. Since I am not sure that I have set up any "profile", I update them for each container individually, Again, thanks for your help!