apparmor="DENIED" operation="mount" info="failed flags match" name="/run/" pid=22586 comm="mount" flags="rw, nosuid, nodev, remount"

[jdstrand]

Required information

• Distribution: Ubuntu
• Distribution version:18.04.6 LTS
• The output of "lxc info" or if that fails:

  $ lxc info
  config:
  images.auto_update_cached: "false"
  api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_stop_priority
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
  - id_map_base
  - file_symlinks
  - container_push_target
  - network_vlan_physical
  - storage_images_delete
  - container_edit_metadata
  - container_snapshot_stateful_migration
  - storage_driver_ceph
  - storage_ceph_user_name
  - resource_limits
  - storage_volatile_initial_source
  - storage_ceph_force_osd_reuse
  - storage_block_filesystem_btrfs
  - resources
  - kernel_limits
  - storage_api_volume_rename
  - macaroon_authentication
  - network_sriov
  - console
  - restrict_devlxd
  - migration_pre_copy
  - infiniband
  - maas_network
  - devlxd_events
  - proxy
  - network_dhcp_gateway
  - file_get_symlink
  - network_leases
  - unix_device_hotplug
  - storage_api_local_volume_handling
  - operation_description
  - clustering
  - event_lifecycle
  - storage_api_remote_volume_handling
  - nvidia_runtime
  - container_mount_propagation
  - container_backup
  - devlxd_images
  - container_local_cross_pool_handling
  - proxy_unix
  - proxy_udp
  - clustering_join
  - proxy_tcp_udp_multi_port_handling
  - network_state
  - proxy_unix_dac_properties
  - container_protection_delete
  - unix_priv_drop
  - pprof_http
  - proxy_haproxy_protocol
  - network_hwaddr
  - proxy_nat
  - network_nat_order
  - container_full
  - candid_authentication
  - backup_compression
  - candid_config
  - nvidia_runtime_config
  - storage_api_volume_snapshots
  - storage_unmapped
  - projects
  - candid_config_key
  - network_vxlan_ttl
  - container_incremental_copy
  - usb_optional_vendorid
  - snapshot_scheduling
  - snapshot_schedule_aliases
  - container_copy_project
  - clustering_server_address
  - clustering_image_replication
  - container_protection_shift
  - snapshot_expiry
  - container_backup_override_pool
  - snapshot_expiry_creation
  - network_leases_location
  - resources_cpu_socket
  - resources_gpu
  - resources_numa
  - kernel_features
  - id_map_current
  - event_location
  - storage_api_remote_volume_snapshots
  - network_nat_address
  - container_nic_routes
  - rbac
  - cluster_internal_copy
  - seccomp_notify
  - lxc_features
  - container_nic_ipvlan
  - network_vlan_sriov
  - storage_cephfs
  - container_nic_ipfilter
  - resources_v2
  - container_exec_user_group_cwd
  - container_syscall_intercept
  - container_disk_shift
  - storage_shifted
  - resources_infiniband
  - daemon_storage
  - instances
  - image_types
  - resources_disk_sata
  - clustering_roles
  - images_expiry
  - resources_network_firmware
  - backup_compression_algorithm
  - ceph_data_pool_name
  - container_syscall_intercept_mount
  - compression_squashfs
  - container_raw_mount
  - container_nic_routed
  - container_syscall_intercept_mount_fuse
  - container_disk_ceph
  - virtual-machines
  - image_profiles
  - clustering_architecture
  - resources_disk_id
  - storage_lvm_stripes
  - vm_boot_priority
  - unix_hotplug_devices
  - api_filtering
  - instance_nic_network
  - clustering_sizing
  - firewall_driver
  - projects_limits
  - container_syscall_intercept_hugetlbfs
  - limits_hugepages
  - container_nic_routed_gateway
  - projects_restrictions
  - custom_volume_snapshot_expiry
  - volume_snapshot_scheduling
  - trust_ca_certificates
  - snapshot_disk_usage
  - clustering_edit_roles
  - container_nic_routed_host_address
  - container_nic_ipvlan_gateway
  - resources_usb_pci
  - resources_cpu_threads_numa
  - resources_cpu_core_die
  - api_os
  - resources_system
  - usedby_consistency
  - resources_gpu_mdev
  - console_vga_type
  - projects_limits_disk
  - storage_rsync_compression
  - gpu_mdev
  - resources_pci_iommu
  - resources_network_usb
  - resources_disk_address
  - network_state_vlan
  - gpu_sriov
  - migration_stateful
  - disk_state_quota
  - storage_ceph_features
  - gpu_mig
  - clustering_join_token
  - clustering_description
  - server_trusted_proxy
  - clustering_update_cert
  - storage_api_project
  - server_instance_driver_operational
  - server_supported_storage_drivers
  - event_lifecycle_requestor_address
  - resources_gpu_usb
  - network_counters_errors_dropped
  - image_source_project
  - database_leader
  - instance_all_projects
  - ceph_rbd_du
  - qemu_metrics
  - gpu_mig_uuid
  - event_project
  - instance_allow_inconsistent_copy
  - image_restrictions
  api_status: stable
  api_version: "1.0"
  auth: trusted
  public: false
  auth_methods:
  - tls
  environment:
  addresses: []
  architectures:
  - x86_64
  - i686
  certificate: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  certificate_fingerprint: cbaaf38dc799e97a8c617ac103087e71d81d7bf78f29846c2eabc1a5610d6b7a
  driver: lxc
  driver_version: 4.0.12
  firewall: xtables
  kernel: Linux
  kernel_architecture: x86_64
  kernel_features:
  netnsid_getifaddrs: "false"
  seccomp_listener: "false"
  seccomp_listener_continue: "false"
  shiftfs: "false"
  uevent_injection: "false"
  unpriv_fscaps: "true"
  kernel_version: 4.15.0-169-generic
  lxc_features:
  cgroup2: "true"
  core_scheduling: "true"
  devpts_fd: "true"
  idmapped_mounts_v2: "true"
  mount_injection_file: "true"
  network_gateway_device_route: "true"
  network_ipvlan: "true"
  network_l2proxy: "true"
  network_phys_macvlan_mtu: "true"
  network_veth_router: "true"
  pidfd: "true"
  seccomp_allow_deny_syntax: "true"
  seccomp_notify: "true"
  seccomp_proxy_send_notify_fd: "true"
  os_name: Ubuntu
  os_version: "18.04"
  project: default
  server: lxd
  server_clustered: false
  server_name: <redacted>
  server_pid: 1716
  server_version: 4.0.9
  storage: dir
  storage_version: "1"
  storage_supported_drivers:
  - name: btrfs
  version: 5.4.1
  remote: false
  - name: cephfs
  version: 15.2.14
  remote: true
  - name: dir
  version: "1"
  remote: false
  - name: lvm
  version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.37.0
  remote: false
  - name: zfs
  version: 0.7.5-1ubuntu16.12
  remote: false
  - name: ceph
  version: 15.2.14
  remote: true

Issue description

I stopped some containers and noticed this in the logs:

audit: type=1400 audit(1646058774.323:266): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-foo_</var/snap/lxd/common/lxd>" name="/run/" pid=22586 comm="mount" flags="rw, nosuid, nodev, remount"

[stgraber]

@jdstrand what are you running in that container?

[jdstrand]

@jdstrand what are you running in that container?

2 different Ubuntu 20.04 focal containers:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:    20.04
Codename:   focal

[stgraber]

Interesting, I tried 20.04 here on a 22.04 host and didn't hit it, it likely needs some specific combination of host and container.

[jdstrand]

I tried again just now, on an up to date 18.04 host:

$ cat /proc/version_signature 
Ubuntu 4.15.0-169.177-generic 4.15.18
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:    18.04
Codename:   bionic
$ lxc version
Client version: 4.0.9
Server version: 4.0.9

ssh into the (up to date) container and shut it down:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:    20.04
Codename:   focal
$ sudo shutdown -h now

Then on the host, out pops:

Mar  1 08:21:20 <host> kernel: [74640.020501] audit: type=1400 audit(1646144480.291:300): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-<container>_</var/snap/lxd/common/lxd>" name="/run/" pid=29676 comm="mount" flags="rw, nosuid, nodev, remount"
...
Mar  1 08:21:22 <host> kernel: [74642.307476] audit: type=1400 audit(1646144482.575:301): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd-<container>_</var/snap/lxd/common/lxd>" pid=29770 comm="apparmor_parser"

[stgraber]

So 20.04 container on 18.04 host with non-HWE kernel in this case seems to be causing systemd in the container to do a rw remount rather than ro remount.

What storage driver are you using?

[stgraber]

(This should be fixed in any case with the PR I sent, but just interesting to know what's triggering it)

[jdstrand]

So 20.04 container on 18.04 host with non-HWE kernel in this case seems to be causing systemd in the container to do a rw remount rather than ro remount.

What storage driver are you using?

  storage: dir
  storage_version: "1"

[jdstrand]

(This should be fixed in any case with the PR I sent, but just interesting to know what's triggering it)

Curious if this will make it back to 4.0/stable?

[stgraber]

Yeah, it will. 4.0.10 will be our last LTS point releases that includes bugfixes as it will release after 5.0 LTS so that branch will then go to security update only.