Open nnutter opened 8 years ago
Can you post the output of lxc-checkconfig
please? Thanks!
$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
Is it possible that the version of LXC you end up using is a bit older? I can't find anything related to AppArmor that wouldn't be enabled in the kernel and this points to a bug in LXC.
I'm running current versions:
$ lsb_release -rc
Release: 15.10
Codename: wily
$ dpkg -l lxc | grep lxc
ii lxc 1.1.5-0ubuntu0.15.10.3 amd64 Linux Containers userspace tools
Since it doesn't seem like a kernel config issue I guess I'll close this and someone can re-open if they have information to suggest otherwise.
Let's leave the issue opened, maybe someone else will have a suggestion.
This is still an issue with LXD 2.0 which was just released. We should be able to work around it by disabling the extra protection from AppArmor, but setting the config option doesn't seem to work. :-(
FYI, I got this to work by telling lxc to ignore apparmor.
lxc profile set default raw.lxc lxc.aa_allow_incomplete=1
Run that, and lxc/lxd should work again.
Can confirm that the command from @nskaggs fixed my issue, which is fine for me as I am just messing around on a laptop.
This is caused by Ubuntu kernels carrying additional security/apparmor/ patches, one of which adds:
CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y
security/apparmor/Kconfig help shows:
This option determines policy behavior during early boot by
placing the init process in the unconfined state, or the
'default' profile.
'Y' means init and its children are not confined, unless the
init process is re-execed after a policy load; loaded policy
will only apply to processes started after the load.
See:
I fixed it with this config on Ubuntu:

vi /usr/share/lxc/config/ubuntu.common.conf

Uncomment:

lxc.aa_profile = unconfined

Then:

lxc-start -n container_name
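Both workarounds posted in this thread (raw.lxc lxc.aa_allow_incomplete=1 and uncommenting lxc.aa_profile = unconfined) leave containers with weaker or no AppArmor confinement, and the kernel option named above leaves init unconfined after boot. The following audit script is an added example, not code from this thread or from the LXC/LXD project; it parses LXC-style config text and a kernel .config and reports which of these conditions are present. The sample inputs are constructed.

```python
import re

# Settings posted in this thread that disable or weaken the container's AppArmor profile.
WEAKENING = {
    "lxc.aa_allow_incomplete": lambda v: v == "1",
    "lxc.aa_profile": lambda v: v == "unconfined",
}
KERNEL_OPTION = "CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT"

def parse_lxc_conf(text):
    """Parse 'key = value' lines from an LXC config file or an LXD raw.lxc value.
    Commented-out lines are skipped, so '# lxc.aa_profile = unconfined' only counts once uncommented."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def kernel_option(config_text, name):
    """Return the value of a CONFIG_ symbol, 'n' for '# NAME is not set', None if absent."""
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(rf"^{re.escape(name)}=(\S+)$", line)
        if m:
            return m.group(1)
        if line == f"# {name} is not set":
            return "n"
    return None

def audit(lxc_conf_text, kernel_config_text):
    """Return findings as strings; an empty list means nothing from the thread applies."""
    findings = []
    conf = parse_lxc_conf(lxc_conf_text)
    for key, is_weak in WEAKENING.items():
        if key in conf and is_weak(conf[key]):
            findings.append(f"{key} = {conf[key]}: AppArmor confinement of containers weakened")
    if kernel_option(kernel_config_text, KERNEL_OPTION) == "y":
        findings.append(f"{KERNEL_OPTION}=y: init runs unconfined until a policy load and re-exec")
    return findings

# Constructed samples: both workarounds applied, on a kernel carrying the Ubuntu patch.
SAMPLE_LXC_CONF = "lxc.aa_profile = unconfined\nlxc.aa_allow_incomplete=1\n"
SAMPLE_KCONFIG = "CONFIG_SECURITY_APPARMOR=y\nCONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LXC_CONF, SAMPLE_KCONFIG) or ["no findings"]))
```

On a real host, feed it the contents of /usr/share/lxc/config/ubuntu.common.conf (or the profile's raw.lxc value) and /boot/config-$(uname -r).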
I was trying to use LXC/LXD and got the following error:
When I reboot onto the "official" Ubuntu kernel this error does not happen. I know next to nothing about AppArmor so for now at least this is just a bug report.
To reproduce: