search

subutai-io / cdn

Gorjun is a golang replacement for Kurjun project.
Apache License 2.0
19 stars 13 forks source link

Apt commands on new ubuntu16 template container creates apt-key errors #130

Closed rschulman closed 6 years ago

rschulman commented 6 years ago

When trying to do an initial apt-get update on a fresh ubuntu16 container, the command fails, claiming that there was an error in running apt-key and asking if gnupg is installed. Full error trace below:

root@Container-1-vbR:~# apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Ign:1 http://security.ubuntu.com/ubuntu xenial-security InRelease              
Get:2 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Ign:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Ign:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Fetched 451 kB in 1s (271 kB/s)
Reading package lists... Done
W: GPG error: http://security.ubuntu.com/ubuntu xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu xenial InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://archive.ubuntu.com/ubuntu xenial InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu xenial-updates InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://archive.ubuntu.com/ubuntu xenial-updates InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Versions of the various components are as follows:

SS version | 6.1.3 RH version | 6.1.4 P2P version | 6.1.9. Packet version: 5 Plugin version | 3.0.0

akarasulu commented 6 years ago

I just setup a new peer. My old peer was just filled with templates and broken đź—ˇ . Here's what I got after running apt-get update:

apt-get update Get:1 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB] Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB] Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB] Get:4 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages [1201 kB] Get:5 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages [381 kB] Get:6 http://archive.ubuntu.com/ubuntu xenial/main Translation-en [568 kB] Get:7 http://archive.ubuntu.com/ubuntu xenial/restricted amd64 Packages [8344 B] Get:8 http://archive.ubuntu.com/ubuntu xenial/restricted Translation-en [2908 B] Get:9 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages [7532 kB] Get:10 http://archive.ubuntu.com/ubuntu xenial/universe Translation-en [4354 kB] Get:11 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [144 kB] Get:12 http://archive.ubuntu.com/ubuntu xenial/multiverse Translation-en [106 kB] Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [652 kB] Get:14 http://archive.ubuntu.com/ubuntu xenial-updates/main Translation-en [273 kB] Get:15 http://archive.ubuntu.com/ubuntu xenial-updates/restricted amd64 Packages [8088 B] Get:16 http://archive.ubuntu.com/ubuntu xenial-updates/restricted Translation-en [2672 B] Get:17 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [543 kB] Get:18 http://archive.ubuntu.com/ubuntu xenial-updates/universe Translation-en [221 kB] Get:19 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [16.2 kB] Get:20 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse Translation-en [7996 B] Get:21 http://security.ubuntu.com/ubuntu xenial-security/main Translation-en [168 kB] Get:22 http://security.ubuntu.com/ubuntu xenial-security/restricted amd64 Packages [7472 B] Get:23 http://security.ubuntu.com/ubuntu xenial-security/restricted Translation-en [2412 B] Get:24 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [178 kB] Get:25 http://security.ubuntu.com/ubuntu xenial-security/universe Translation-en [94.3 kB] Get:26 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [3208 B] Get:27 http://security.ubuntu.com/ubuntu xenial-security/multiverse Translation-en [1336 B] Fetched 16.9 MB in 8s (2111 kB/s) Reading package lists...

Here's what my version information looks like on my peer:

screen shot 2017-11-09 at 12 22 47 am

akarasulu commented 6 years ago

NOTE: My plugin version is old because I never updated the plugin in my browser since I use chrome (most stable). Most changes were made to Safari plugin for 3.0.0. The key things to note is the SS version, the RH version, and the P2P version.

As I said on Slack, I have a feeling your peer's gorjun cache is broken. We need to look at the logs to see why Gorjun is not handling apt-get pulls of repository Package files.

akarasulu commented 6 years ago

OK I have confirmed that this is not working on your peer. I created an environment that I own across your peer and mine: two containers one each on our peers. Here's the output I get on the container running in your peer's container (notice it does not happen on my peer's container).

My container running in your peer:

root@Container-2-b0e:~# apt-get update Get:1 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB] Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB] Ign:2 http://security.ubuntu.com/ubuntu xenial-security InRelease Ign:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB] Ign:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease Fetched 451 kB in 1s (445 kB/s) Reading package lists... Done W: GPG error: http://security.ubuntu.com/ubuntu xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?) W: The repository 'http://security.ubuntu.com/ubuntu xenial-security InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://archive.ubuntu.com/ubuntu xenial InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?) W: The repository 'http://archive.ubuntu.com/ubuntu xenial InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://archive.ubuntu.com/ubuntu xenial-updates InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?) W: The repository 'http://archive.ubuntu.com/ubuntu xenial-updates InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details.

My container running in my peer (same env)

root@Container-1-MIc:/# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu xenial-security InRelease Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Reading package lists... Done
root@Container-1-MIc:/#

soffokl commented 6 years ago

We have figured out that this works fine on Debian system, but we always have problems on Ubuntu 16.04. The reason for it is disabled Apparmor on Debian system. The following issue should be investigated future to solve this problem: https://github.com/subutai-io/snap/issues/3

The problem described in this issue is not related to Gorjun since there is no Gorjun URL in the list of APT repository.

happyaron commented 6 years ago

This issue appears to be affected by the snap security architecture:

  1. Disabling snap core profiles will make the issue in running containers go away: 
apparmor_parser -R snap.core.*.usr.lib.snapd.snap-confine
  2. But this will make subutai commands fail because snapd requires apparmor policy to be properly configured when the LSM is loaded.
  3. Manually setting all profiles into complain mode does not work (actually most of the profiles are complain by default in snap).

Apt debug log:

root@test16:/# apt-get update -o Debug::Acquire::gpgv=true -oDebug::pkgAcquire::Auth=true Get:1 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB] 0% [1 InRelease 65.2 kB/247 kB 26%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease ReceivedHash:

  • SHA512:521d107e1beb65dacb57f8f692dfdfd2531535659450af5ccd5471e410fc676687b7568724826236806192acd0cbb3657b91b87a75a195a3a055911fab9f1ff0
  • SHA256:30e9ff343d9ec0b64d28d27010bf472090bb3399b4b6bc5aee077085e920e89b
  • SHA1:be0e00b180a72c57e3ea58ff342818854a05965b
  • MD5Sum:0930df8123b5a475a47ca0f217fb3bca
  • Checksum-FileSize:246846 ExpectedHash:

Get:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease ReceivedHash:

  • SHA512:cced1bd8b32617dd338b2be552e422cef4e6a9f7ef245f889c0460e0f92cd297de5dc9cd0d3fba6c6604b7e9daa75ce327df32f4f2ce98e54d71bc526583a848
  • SHA256:169d00f12a64b28620b7ab29825b9805a1a0324f6a9c2fe60924e626ac2cb1dc
  • SHA1:e61eae08b92f057d112f2afd608cf6c8a3c2a521
  • MD5Sum:88248ffee3498ed666de02f2ad7bae72
  • Checksum-FileSize:102128 ExpectedHash:

0% [1 InRelease gpgv 247 kB]inside VerifyGetSigners Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.QG5Lo2 /tmp/apt.data.dVQdbn gpgv exited with status 111 Summary: Good: Bad: Worthless: SoonWorthless: NoPubKey: Got Codename: xenial Expecting Dist: Transformed Dist: Ign:1 http://archive.ubuntu.com/ubuntu xenial InRelease 0% [Working]inside VerifyGetSigners Get:3 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages [1201 kB] 0% [2 InRelease gpgv 102 kB] [3 Packages 37.4 kB/1201 kB 3%]Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.RJ4vC8 /tmp/apt.data.iel9zt gpgv exited with status 111 Summary: Good: Bad: Worthless: SoonWorthless: NoPubKey: Got Codename: xenial Expecting Dist: Transformed Dist: Ign:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease 45% [3 Packages 820 kB/1201 kB 68%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/main/binary-amd64/by-hash/SHA256/76858a337b1665561a256cea6f7ef32515517754e3c5e54c1895cf29e1b41884 ReceivedHash:

  • SHA256:76858a337b1665561a256cea6f7ef32515517754e3c5e54c1895cf29e1b41884
  • SHA1:5d685b68b46c31c8f257734e199aa2df9870143d
  • MD5Sum:197e479f6c60f53064648d08aed09cc1
  • Checksum-FileSize:1200680 ExpectedHash:
  • Checksum-FileSize:1200680
  • SHA256:76858a337b1665561a256cea6f7ef32515517754e3c5e54c1895cf29e1b41884
  • SHA1:5d685b68b46c31c8f257734e199aa2df9870143d
  • MD5Sum:197e479f6c60f53064648d08aed09cc1

Get:4 http://archive.ubuntu.com/ubuntu xenial/main Translation-en [568 kB] 48% [3 Packages store 0 B] [4 Translation-en 21.9 kB/568 kB 4%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/main/i18n/by-hash/SHA256/f514e12580e59b8f6ae10801a91f14708bdead04db91aa20fe9e2c0384413c67 ReceivedHash:

  • SHA256:f514e12580e59b8f6ae10801a91f14708bdead04db91aa20fe9e2c0384413c67
  • SHA1:0ffef5204a8516f9175bbfefe8cfc39680db0ea8
  • MD5Sum:4a7af89255aff3472c73b2aaf7696f61
  • Checksum-FileSize:567552 ExpectedHash:
  • Checksum-FileSize:567552
  • SHA256:f514e12580e59b8f6ae10801a91f14708bdead04db91aa20fe9e2c0384413c67
  • SHA1:0ffef5204a8516f9175bbfefe8cfc39680db0ea8
  • MD5Sum:4a7af89255aff3472c73b2aaf7696f61

Get:5 http://archive.ubuntu.com/ubuntu xenial/restricted amd64 Packages [8344 B] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/restricted/binary-amd64/by-hash/SHA256/55a464067040aa2e6237c1a7fe3dd1d06690472d211d7f0fe1697bb127404182 ReceivedHash:

  • SHA256:55a464067040aa2e6237c1a7fe3dd1d06690472d211d7f0fe1697bb127404182
  • SHA1:988f6b7c4c2060359413d65830c9d84cc51e6fd9
  • MD5Sum:7000e7158755c05c7dfa44e817406057
  • Checksum-FileSize:8344 ExpectedHash:
  • Checksum-FileSize:8344
  • SHA256:55a464067040aa2e6237c1a7fe3dd1d06690472d211d7f0fe1697bb127404182
  • SHA1:988f6b7c4c2060359413d65830c9d84cc51e6fd9
  • MD5Sum:7000e7158755c05c7dfa44e817406057

Get:6 http://archive.ubuntu.com/ubuntu xenial/restricted Translation-en [2908 B] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/restricted/i18n/by-hash/SHA256/02cbeba7eff7b00f22ee839e33219b7b9a2fd7ee2403e142cb4cdb93d116170b ReceivedHash:

  • SHA256:02cbeba7eff7b00f22ee839e33219b7b9a2fd7ee2403e142cb4cdb93d116170b
  • SHA1:62d643e85e95d52b6f55da3d3caee1d942486fcf
  • MD5Sum:fb3dfe379362ddbb87005a5b0eb2f650
  • Checksum-FileSize:2908 ExpectedHash:
  • Checksum-FileSize:2908
  • SHA256:02cbeba7eff7b00f22ee839e33219b7b9a2fd7ee2403e142cb4cdb93d116170b
  • SHA1:62d643e85e95d52b6f55da3d3caee1d942486fcf
  • MD5Sum:fb3dfe379362ddbb87005a5b0eb2f650

Get:7 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages [7532 kB] 18% [3 Packages store 0 B] [7 Packages 131 kB/7532 kB 2%]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_main_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:f6bd998e33ce5cc6fa43df47f191a78587e658b1b7fd29c7d065742acd4e5dd9
  • SHA1:0d0dabe28cd93faed47175fadba6b0a1ad160b91
  • MD5Sum:7ffd59203928ebd7247df31fded226e2
  • Checksum-FileSize:7228243 ExpectedHash:
  • Checksum-FileSize:7228243
  • SHA256:f6bd998e33ce5cc6fa43df47f191a78587e658b1b7fd29c7d065742acd4e5dd9
  • SHA1:0d0dabe28cd93faed47175fadba6b0a1ad160b91
  • MD5Sum:7ffd59203928ebd7247df31fded226e2

78% [4 Translation-en store 0 B] [7 Packages 7238 kB/7532 kB 96%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/universe/binary-amd64/by-hash/SHA256/c8bc8c1425fef0712430d3991cf15ea96892aa5e13130b36c126fa90887ca756 ReceivedHash:

  • SHA256:c8bc8c1425fef0712430d3991cf15ea96892aa5e13130b36c126fa90887ca756
  • SHA1:ccae3137da6135fe1b07afb45ade231911a70a9e
  • MD5Sum:283a5636c21b741ce2f6c9e0607a3b4c
  • Checksum-FileSize:7531752 ExpectedHash:
  • Checksum-FileSize:7531752
  • SHA256:c8bc8c1425fef0712430d3991cf15ea96892aa5e13130b36c126fa90887ca756
  • SHA1:ccae3137da6135fe1b07afb45ade231911a70a9e
  • MD5Sum:283a5636c21b741ce2f6c9e0607a3b4c

Get:8 http://archive.ubuntu.com/ubuntu xenial/universe Translation-en [4354 kB] 57% [4 Translation-en store 0 B] [8 Translation-en 65.5 kB/4354 kB 2%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/universe/i18n/by-hash/SHA256/18dacc7ff138747cd23eaa7a6691e259ab48c1fbc7df219cf85e5891d8c6b0f8 ReceivedHash:

  • SHA256:18dacc7ff138747cd23eaa7a6691e259ab48c1fbc7df219cf85e5891d8c6b0f8
  • SHA1:5971e1abd6078af7e0cc93b43f03fd05bcc66dcc
  • MD5Sum:9fa9fdc070c62a264a594e17bd3a53a0
  • Checksum-FileSize:4353988 ExpectedHash:
  • Checksum-FileSize:4353988
  • SHA256:18dacc7ff138747cd23eaa7a6691e259ab48c1fbc7df219cf85e5891d8c6b0f8
  • SHA1:5971e1abd6078af7e0cc93b43f03fd05bcc66dcc
  • MD5Sum:9fa9fdc070c62a264a594e17bd3a53a0

Get:9 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [144 kB] 81% [4 Translation-en store 0 B] [9 Packages 65.5 kB/144 kB 46%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/multiverse/binary-amd64/by-hash/SHA256/03b5a74941485533400b6103c2f2255be7620a7715b5eb5de77e26e892593d30 ReceivedHash:

  • SHA256:03b5a74941485533400b6103c2f2255be7620a7715b5eb5de77e26e892593d30
  • SHA1:fb0935ff64bc38fbad3a9b479d7a6220cbbb40f4
  • MD5Sum:7419b8003376681025e04b8fbcfd4408
  • Checksum-FileSize:144016 ExpectedHash:
  • Checksum-FileSize:144016
  • SHA256:03b5a74941485533400b6103c2f2255be7620a7715b5eb5de77e26e892593d30
  • SHA1:fb0935ff64bc38fbad3a9b479d7a6220cbbb40f4
  • MD5Sum:7419b8003376681025e04b8fbcfd4408

Get:10 http://archive.ubuntu.com/ubuntu xenial/multiverse Translation-en [106 kB] 81% [4 Translation-en store 0 B] [10 Translation-en 59.8 kB/106 kB 56%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial/multiverse/i18n/by-hash/SHA256/323f1839768b76c9184bd91f970b77a504920ea9c755925824e9e2aee705c696 ReceivedHash:

  • SHA256:323f1839768b76c9184bd91f970b77a504920ea9c755925824e9e2aee705c696
  • SHA1:8322a7897f37104fbb13ea992842520dfef0a5d0
  • MD5Sum:d946fe304158bfdd1a75c76e7541cb7a
  • Checksum-FileSize:106232 ExpectedHash:
  • Checksum-FileSize:106232
  • SHA256:323f1839768b76c9184bd91f970b77a504920ea9c755925824e9e2aee705c696
  • SHA1:8322a7897f37104fbb13ea992842520dfef0a5d0
  • MD5Sum:d946fe304158bfdd1a75c76e7541cb7a

Get:11 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [682 kB] 78% [4 Translation-en store 0 B] [11 Packages 65.5 kB/682 kB 10%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/binary-amd64/by-hash/SHA256/50ba8deb5879c2e7fb342b152f9f1a6315e41d3384aac2c4b73d82d3a81a1fc2 ReceivedHash:

  • SHA256:50ba8deb5879c2e7fb342b152f9f1a6315e41d3384aac2c4b73d82d3a81a1fc2
  • SHA1:74c16f032edd24c70657a1d3293c88638721a9e0
  • MD5Sum:42883f10266af3aa64bae1ca5c7b1abd
  • Checksum-FileSize:682460 ExpectedHash:
  • Checksum-FileSize:682460
  • SHA256:50ba8deb5879c2e7fb342b152f9f1a6315e41d3384aac2c4b73d82d3a81a1fc2
  • SHA1:74c16f032edd24c70657a1d3293c88638721a9e0
  • MD5Sum:42883f10266af3aa64bae1ca5c7b1abd

Get:12 http://archive.ubuntu.com/ubuntu xenial-updates/main Translation-en [285 kB] 81% [4 Translation-en store 0 B] [12 Translation-en 253 kB/285 kB 89%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/i18n/by-hash/SHA256/9cc6af3fe8ae1eb7bb3bfcc885de7959a2822c9396ee3f7e7a16132db607b6c1 ReceivedHash:

  • SHA256:9cc6af3fe8ae1eb7bb3bfcc885de7959a2822c9396ee3f7e7a16132db607b6c1
  • SHA1:f263d8d9232b794c2f0f33fd2fdddf948d5fb5f5
  • MD5Sum:a051072025e76ac34221ce814dcafae1
  • Checksum-FileSize:285204 ExpectedHash:
  • Checksum-FileSize:285204
  • SHA256:9cc6af3fe8ae1eb7bb3bfcc885de7959a2822c9396ee3f7e7a16132db607b6c1
  • SHA1:f263d8d9232b794c2f0f33fd2fdddf948d5fb5f5
  • MD5Sum:a051072025e76ac34221ce814dcafae1

Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/restricted amd64 Packages [8072 B] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/restricted/binary-amd64/by-hash/SHA256/6b4a86c412a4218e91d13242b40d90a789922db3d57f34d39b4067091ae31cfa ReceivedHash:

  • SHA256:6b4a86c412a4218e91d13242b40d90a789922db3d57f34d39b4067091ae31cfa
  • SHA1:491f1d918366e54ee25ec9631751d4822bc0aa54
  • MD5Sum:b521bc5fab213b62a6b802981f0083a0
  • Checksum-FileSize:8072 ExpectedHash:
  • Checksum-FileSize:8072
  • SHA256:6b4a86c412a4218e91d13242b40d90a789922db3d57f34d39b4067091ae31cfa
  • SHA1:491f1d918366e54ee25ec9631751d4822bc0aa54
  • MD5Sum:b521bc5fab213b62a6b802981f0083a0

Get:14 http://archive.ubuntu.com/ubuntu xenial-updates/restricted Translation-en [2672 B] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/restricted/i18n/by-hash/SHA256/94269287000cacb608a1dd3f7b4bc35dbe0439218437bc6dc2f00e976847930b ReceivedHash:

  • SHA256:94269287000cacb608a1dd3f7b4bc35dbe0439218437bc6dc2f00e976847930b
  • SHA1:58ce52175b6982fe2d17a639212e616f6a827fa2
  • MD5Sum:154e6ceafb4c0f91a86e722e17a779f3
  • Checksum-FileSize:2672 ExpectedHash:
  • Checksum-FileSize:2672
  • SHA256:94269287000cacb608a1dd3f7b4bc35dbe0439218437bc6dc2f00e976847930b
  • SHA1:58ce52175b6982fe2d17a639212e616f6a827fa2
  • MD5Sum:154e6ceafb4c0f91a86e722e17a779f3

Get:15 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [566 kB] 80% [4 Translation-en store 0 B] [15 Packages 226 kB/566 kB 40%]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_main_i18n_Translation-en.xz ReceivedHash:

  • SHA256:e789df1fe0123ca6ccfc76797bab0562740a8ec84a83fc89695f0fa4680e3015
  • SHA1:02d8c4502aa159803c99b6500c85b33f226099e5
  • MD5Sum:e597a95da8f7b0a89ab43b58e3257902
  • Checksum-FileSize:3600400 ExpectedHash:
  • Checksum-FileSize:3600400
  • SHA256:e789df1fe0123ca6ccfc76797bab0562740a8ec84a83fc89695f0fa4680e3015
  • SHA1:02d8c4502aa159803c99b6500c85b33f226099e5
  • MD5Sum:e597a95da8f7b0a89ab43b58e3257902

82% [5 Packages store 0 B] [15 Packages 348 kB/566 kB 62%]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_restricted_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:f914725e1f69ce22827b83077638bc54edd856612c8309f7dda89c0242b5f185
  • SHA1:19cac87b2ea8ae82ea65b68ba6c68fd84dbe9947
  • MD5Sum:e02b3a61e6344ed1d2f1ec0e5e0765fc
  • Checksum-FileSize:127112 ExpectedHash:
  • Checksum-FileSize:127112
  • SHA256:f914725e1f69ce22827b83077638bc54edd856612c8309f7dda89c0242b5f185
  • SHA1:19cac87b2ea8ae82ea65b68ba6c68fd84dbe9947
  • MD5Sum:e02b3a61e6344ed1d2f1ec0e5e0765fc

83% [6 Translation-en store 0 B] [15 Packages 415 kB/566 kB 73%]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_restricted_i18n_Translation-en.xz ReceivedHash:

  • SHA256:accbdcf95759a53c48ebf1dccf561a61b7fe4cdb4e792c8670e0756a2282a294
  • SHA1:f14567651484c697bcb273dc3967cfc2bd4286c4
  • MD5Sum:66cccc40dcff07fc528d278afe022a98
  • Checksum-FileSize:20517 ExpectedHash:
  • Checksum-FileSize:20517
  • SHA256:accbdcf95759a53c48ebf1dccf561a61b7fe4cdb4e792c8670e0756a2282a294
  • SHA1:f14567651484c697bcb273dc3967cfc2bd4286c4
  • MD5Sum:66cccc40dcff07fc528d278afe022a98

85% [7 Packages store 0 B] [15 Packages 489 kB/566 kB 86%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/universe/binary-amd64/by-hash/SHA256/a414fd3a7626359c64aa919fcb1448257bfe934e53ebc2618890e6e47adc71b6 ReceivedHash:

  • SHA256:a414fd3a7626359c64aa919fcb1448257bfe934e53ebc2618890e6e47adc71b6
  • SHA1:e7f999e41bc1aabc166c77ee3f5bc7db69314c1f
  • MD5Sum:b705eda6f389b2f29a10afaf77061060
  • Checksum-FileSize:565624 ExpectedHash:
  • Checksum-FileSize:565624
  • SHA256:a414fd3a7626359c64aa919fcb1448257bfe934e53ebc2618890e6e47adc71b6
  • SHA1:e7f999e41bc1aabc166c77ee3f5bc7db69314c1f
  • MD5Sum:b705eda6f389b2f29a10afaf77061060

Get:16 http://archive.ubuntu.com/ubuntu xenial-updates/universe Translation-en [229 kB] 84% [7 Packages store 0 B] [16 Translation-en 69.5 kB/229 kB 30%]201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/universe/i18n/by-hash/SHA256/a69ef3d017a4552b93e182b3e31f09c56c0368b00837ed4a41c5aa7d0542b9db ReceivedHash:

  • SHA256:a69ef3d017a4552b93e182b3e31f09c56c0368b00837ed4a41c5aa7d0542b9db
  • SHA1:a9d57727b2356cfb965d61a44ae92b93de31d00c
  • MD5Sum:08b6e232ca1a2901d1ef66902abd93cf
  • Checksum-FileSize:229292 ExpectedHash:
  • Checksum-FileSize:229292
  • SHA256:a69ef3d017a4552b93e182b3e31f09c56c0368b00837ed4a41c5aa7d0542b9db
  • SHA1:a9d57727b2356cfb965d61a44ae92b93de31d00c
  • MD5Sum:08b6e232ca1a2901d1ef66902abd93cf

Get:17 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [16.2 kB] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/multiverse/binary-amd64/by-hash/SHA256/a2d8c30bb9f1c781b323df0e3f4755e384c73bc0989f64909ecf30a97cee7c6f ReceivedHash:

  • SHA256:a2d8c30bb9f1c781b323df0e3f4755e384c73bc0989f64909ecf30a97cee7c6f
  • SHA1:614f5b599c8010196816a712a5ca73c30811dcf8
  • MD5Sum:1f054ad2bd1b9b514de697be3d9f1110
  • Checksum-FileSize:16184 ExpectedHash:
  • Checksum-FileSize:16184
  • SHA256:a2d8c30bb9f1c781b323df0e3f4755e384c73bc0989f64909ecf30a97cee7c6f
  • SHA1:614f5b599c8010196816a712a5ca73c30811dcf8
  • MD5Sum:1f054ad2bd1b9b514de697be3d9f1110

Get:18 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse Translation-en [8052 B] 201 URI Done: http://archive.ubuntu.com/ubuntu/dists/xenial-updates/multiverse/i18n/by-hash/SHA256/65f93894556c07c286b11dada476124fa4dcdd21554ddcc6f4c326a63ab04f1a ReceivedHash:

  • SHA256:65f93894556c07c286b11dada476124fa4dcdd21554ddcc6f4c326a63ab04f1a
  • SHA1:c0171d3f06fe7600a44d2f56c135de05e7da388f
  • MD5Sum:d149b048f46f8254b4e78e96fd3678dd
  • Checksum-FileSize:8052 ExpectedHash:
  • Checksum-FileSize:8052
  • SHA256:65f93894556c07c286b11dada476124fa4dcdd21554ddcc6f4c326a63ab04f1a
  • SHA1:c0171d3f06fe7600a44d2f56c135de05e7da388f
  • MD5Sum:d149b048f46f8254b4e78e96fd3678dd

85% [7 Packages store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_universe_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:ffefb065bc7ae7a3b0c15b07bbfef2009bc8062eed634c8bf304accbf045da99
  • SHA1:172f1c6b8a0cdd2b77000676a0d5e3cbd5c696ab
  • MD5Sum:b0e5318927a0fd7f32145215ca4f4b51
  • Checksum-FileSize:41813552 ExpectedHash:
  • Checksum-FileSize:41813552
  • SHA256:ffefb065bc7ae7a3b0c15b07bbfef2009bc8062eed634c8bf304accbf045da99
  • SHA1:172f1c6b8a0cdd2b77000676a0d5e3cbd5c696ab
  • MD5Sum:b0e5318927a0fd7f32145215ca4f4b51

86% [8 Translation-en store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_universe_i18n_Translation-en.xz ReceivedHash:

  • SHA256:726737eae31047eb2943dd1cb834b327acdd6f58742166cba20e92a43e5dd63e
  • SHA1:ceeeefdd2f5c2b26bc469837a58d5923b49e04ef
  • MD5Sum:6cd47eafb9e7c520eb77d4d45a45fd20
  • Checksum-FileSize:23426103 ExpectedHash:
  • Checksum-FileSize:23426103
  • SHA256:726737eae31047eb2943dd1cb834b327acdd6f58742166cba20e92a43e5dd63e
  • SHA1:ceeeefdd2f5c2b26bc469837a58d5923b49e04ef
  • MD5Sum:6cd47eafb9e7c520eb77d4d45a45fd20

87% [9 Packages store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_multiverse_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:da1aefea1eb6eee72d9bb738889b0fd9ddc38dc3a4261d7add36eadacb26e066
  • SHA1:0d82e8a9811e2614cfb3e1150efa5558b619bd6f
  • MD5Sum:f5e5155eaddd9a1cf724f24e4612c4e5
  • Checksum-FileSize:694127 ExpectedHash:
  • Checksum-FileSize:694127
  • SHA256:da1aefea1eb6eee72d9bb738889b0fd9ddc38dc3a4261d7add36eadacb26e066
  • SHA1:0d82e8a9811e2614cfb3e1150efa5558b619bd6f
  • MD5Sum:f5e5155eaddd9a1cf724f24e4612c4e5

88% [10 Translation-en store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial_multiverse_i18n_Translation-en.xz ReceivedHash:

  • SHA256:fed3a8bfa8ef9aedd8fd80ec62599baa95902fd65eef45b611c5a01cebe55339
  • SHA1:ecaf5ec9e1beeba1ae3237cfd45d754f2f9a4501
  • MD5Sum:8d948ade54c182f0a1eb25a990cc9469
  • Checksum-FileSize:440098 ExpectedHash:
  • Checksum-FileSize:440098
  • SHA256:fed3a8bfa8ef9aedd8fd80ec62599baa95902fd65eef45b611c5a01cebe55339
  • SHA1:ecaf5ec9e1beeba1ae3237cfd45d754f2f9a4501
  • MD5Sum:8d948ade54c182f0a1eb25a990cc9469

89% [11 Packages store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_main_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:53d192b51338aaf31b36a97c57d18f2359290069af22d81638acccbceb28a861
  • SHA1:23f600206626d82dce989fa176b1787e1d285a7f
  • MD5Sum:33a137360ca7bda68da614878dbda7a2
  • Checksum-FileSize:4541487 ExpectedHash:
  • Checksum-FileSize:4541487
  • SHA256:53d192b51338aaf31b36a97c57d18f2359290069af22d81638acccbceb28a861
  • SHA1:23f600206626d82dce989fa176b1787e1d285a7f
  • MD5Sum:33a137360ca7bda68da614878dbda7a2

90% [12 Translation-en store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_main_i18n_Translation-en.xz ReceivedHash:

  • SHA256:09fa2393f0390010ee1a65bb9a8e634aae7435c523f99f033fddc0a0cfdda437
  • SHA1:bc8c48e2aee585759e65ae4af4c5b903ed450593
  • MD5Sum:48552d7e4fe988b9f4ef0e7cba15ab0a
  • Checksum-FileSize:3546607 ExpectedHash:
  • Checksum-FileSize:3546607
  • SHA256:09fa2393f0390010ee1a65bb9a8e634aae7435c523f99f033fddc0a0cfdda437
  • SHA1:bc8c48e2aee585759e65ae4af4c5b903ed450593
  • MD5Sum:48552d7e4fe988b9f4ef0e7cba15ab0a

92% [13 Packages store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_restricted_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:dfb31bfe5ee08b31ce5c53b608bf372a9e11391eecb0aebbc7b8c15ed7174fb0
  • SHA1:f90d7e4e1ea9948e201db4d4f8233f4ded539498
  • MD5Sum:0e7681784b895327a9e0f0817cd670cb
  • Checksum-FileSize:105883 ExpectedHash:
  • Checksum-FileSize:105883
  • SHA256:dfb31bfe5ee08b31ce5c53b608bf372a9e11391eecb0aebbc7b8c15ed7174fb0
  • SHA1:f90d7e4e1ea9948e201db4d4f8233f4ded539498
  • MD5Sum:0e7681784b895327a9e0f0817cd670cb

93% [14 Translation-en store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_restricted_i18n_Translation-en.xz ReceivedHash:

  • SHA256:8da718c4164562b3790396427e67fb4679493db697770e04dda986e21a5255b4
  • SHA1:3d8a77d55a80d0893102d17f3670c37b29b97632
  • MD5Sum:6a3bd2c918d40f51e6dd5e9b4cdca984
  • Checksum-FileSize:16989 ExpectedHash:
  • Checksum-FileSize:16989
  • SHA256:8da718c4164562b3790396427e67fb4679493db697770e04dda986e21a5255b4
  • SHA1:3d8a77d55a80d0893102d17f3670c37b29b97632
  • MD5Sum:6a3bd2c918d40f51e6dd5e9b4cdca984

94% [15 Packages store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_universe_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:ee70c157924027edaac7c7b8a318bd08a48b170940c33fdb13b6563c435081f2
  • SHA1:39c717a67f2f60f02f4029dcad9fc9b839a5079f
  • MD5Sum:9bc14c98901d8d039010dd38249ed381
  • Checksum-FileSize:3731667 ExpectedHash:
  • Checksum-FileSize:3731667
  • SHA256:ee70c157924027edaac7c7b8a318bd08a48b170940c33fdb13b6563c435081f2
  • SHA1:39c717a67f2f60f02f4029dcad9fc9b839a5079f
  • MD5Sum:9bc14c98901d8d039010dd38249ed381

95% [16 Translation-en store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_universe_i18n_Translation-en.xz ReceivedHash:

  • SHA256:3332ca3db5183e61098d89f27b86051b3e85407d23c3c94b6866665c70707699
  • SHA1:3cf2bd782e5e89fff0f64ccac6cd52b794d42ab5
  • MD5Sum:2fc2569816dda117928f2f90c913d5a9
  • Checksum-FileSize:1780367 ExpectedHash:
  • Checksum-FileSize:1780367
  • SHA256:3332ca3db5183e61098d89f27b86051b3e85407d23c3c94b6866665c70707699
  • SHA1:3cf2bd782e5e89fff0f64ccac6cd52b794d42ab5
  • MD5Sum:2fc2569816dda117928f2f90c913d5a9

96% [17 Packages store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_multiverse_binary-amd64_Packages.xz ReceivedHash:

  • SHA256:60a15ed8ffc295e3e40a2f90b0f043979e7cef602c4cdce7de03c36e84df7915
  • SHA1:d6061b912553ebe9a6e696195e3131e5f2b85011
  • MD5Sum:df96ad8066196596d64190e019917280
  • Checksum-FileSize:87263 ExpectedHash:
  • Checksum-FileSize:87263
  • SHA256:60a15ed8ffc295e3e40a2f90b0f043979e7cef602c4cdce7de03c36e84df7915
  • SHA1:d6061b912553ebe9a6e696195e3131e5f2b85011
  • MD5Sum:df96ad8066196596d64190e019917280

97% [18 Translation-en store 0 B]201 URI Done: store:/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_xenial-updates_multiverse_i18n_Translation-en.xz ReceivedHash:

  • SHA256:f5f963ab4f0524495f946b83571d4a0aef142ff919351d95b0d75b2efa075aeb
  • SHA1:c1684704c36836147747c25240d3c59fbb201e9f
  • MD5Sum:978026c929176890b87496af45a428bd
  • Checksum-FileSize:36934 ExpectedHash:
  • Checksum-FileSize:36934
  • SHA256:f5f963ab4f0524495f946b83571d4a0aef142ff919351d95b0d75b2efa075aeb
  • SHA1:c1684704c36836147747c25240d3c59fbb201e9f
  • MD5Sum:978026c929176890b87496af45a428bd

Fetched 16.1 MB in 2s (7552 kB/s) Reading package lists... Done W: GPG error: http://archive.ubuntu.com/ubuntu xenial InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?) W: The repository 'http://archive.ubuntu.com/ubuntu xenial InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. W: GPG error: http://archive.ubuntu.com/ubuntu xenial-updates InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?) W: The repository 'http://archive.ubuntu.com/ubuntu xenial-updates InRelease' is not signed. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details.

Kernel apparmor log:

Dec 21 14:40:27 ubuntu kernel: [50237.970167] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get Dec 21 14:40:27 ubuntu kernel: [50237.974960] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/bin/dpkg Dec 21 14:40:27 ubuntu kernel: [50237.984850] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/http Dec 21 14:40:27 ubuntu kernel: [50237.989610] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/http Dec 21 14:40:27 ubuntu kernel: [50238.010376] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/gpgv Dec 21 14:40:27 ubuntu kernel: [50238.013909] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/gpgv Dec 21 14:40:28 ubuntu kernel: [50238.071350] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/bin/dpkg Dec 21 14:40:41 ubuntu kernel: [50238.975599] /snap/core/3604/usr/lib/snapd/snap-confine//null-snap.subutai.subutai//null-/snap/subutai/63/co mmand-subutai.wrapper//null-/snap/subutai/63/bin/subutai//null-/bin/bash//null-/usr/bin/apt-get//null-/usr/bin/dpkg

lbthomsen commented 6 years ago

https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-apparmor

If you find that lxc-start is failing due to a legitimate access which is being denied by its Apparmor policy, you can disable the lxc-start profile by doing:

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/ This will make lxc-start run unconfined, but continue to confine the container itself. If you also wish to disable confinement of the container, then in addition to disabling the usr.bin.lxc-start profile, you must add:

lxc.aa_profile = unconfined to the container's configuration file.

Would be interesting to try the lxc.aa_profile to see if that solves this particular issue. If so we can look into how to set the profile so it doesn't happen.

akarasulu commented 6 years ago

The lxc-start unconfined operation is ok but the totally unconfined container is not. That worries me around the security implications it could have.

lbthomsen commented 6 years ago

We should understand those because since apparmor is not enabled on Debian by default, the above should pretty much just run the RH as it would if running on Debian.

Anyway - my suggestion was not disabling apparmor permanently but merely see if that solves the issue - the figure out which part of apparmor preventing the proper apt-get update.

akarasulu commented 6 years ago

Yeah I agree, but that also means, on Debian, we're not running with confinement and that's scary. Maybe we need to add the same AA rules to the Debian RH.

akarasulu commented 6 years ago

I'm sure though that snapd is already doing at least some of that. It must. It's part of the core. I think this is one of those access control rules Canonical recently added. It just started happening a few months ago. Before it was honki dori. Maybe they added it to Ubuntu, but have yet to add it to Debian for some reason. I think we need to take a kind of inventory of the AA rules being used and compare differences. This might enlighten us.

lbthomsen commented 6 years ago

Well - afaik Debian simply hasn't got apparmor enabled by default.

happyaron commented 6 years ago

Tried to set lxc.aa_profile = unconfined on a freshly provisioned RH and the problem is still there. Import management container as our test target first

root@ubuntu:~# subutai import management
INFO[2018-02-02 11:16:22] Importing management
INFO[2018-02-02 11:16:24] Version: 6.3.4
[...]
INFO[2018-02-02 11:22:00] File integrity is verified
INFO[2018-02-02 11:22:00] Unpacking template ubuntu16
INFO[2018-02-02 11:22:01] Installing template ubuntu16
INFO[2018-02-02 11:22:06] Installing template openjre16
INFO[2018-02-02 11:22:07] Installing template management
INFO[2018-02-02 11:22:13] ********************
INFO[2018-02-02 11:22:13] Subutai Management UI will be shortly available at https://192.168.122.38:8443
INFO[2018-02-02 11:22:13] login: admin
INFO[2018-02-02 11:22:13] password: secret
INFO[2018-02-02 11:22:13] ********************

Append lxc.aa_profile = unconfined to the following files:

/var/snap/subutai/common/lxc/ubuntu16/config
/var/snap/subutai/common/lxc/openjdk16/config
/var/snap/subutai/common/lxc/management/config

Restart the container and attach to it

subutai stop management && subutai start management && subutai attach management

Run apt-get update inside the container

root@management:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]                                              
Ign:3 http://cdn.subut.ai:8080/kurjun/rest/apt  InRelease                      
[...]                                              
Get:29 http://archive.ubuntu.com/ubuntu xenial/universe Translation-en [4354 kB]                                              
Get:30 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [144 kB]                                             
Get:31 http://archive.ubuntu.com/ubuntu xenial/multiverse Translation-en [106 kB]                                             
Fetched 17.2 MB in 13s (1285 kB/s)                                                                                            
Reading package lists... Done
W: The repository 'http://cdn.subut.ai:8080/kurjun/rest/apt  Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://security.ubuntu.com/ubuntu xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu xenial-updates InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://archive.ubuntu.com/ubuntu xenial-updates InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://archive.ubuntu.com/ubuntu xenial InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://archive.ubuntu.com/ubuntu xenial InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Looking at the AppArmor status, the container is still confined in complain mode under the snap.subutai.subutai// namespace.

lbthomsen commented 6 years ago

But that does not make this any less odd really. As far as I can see - NO apparmor mode is enforced - only in complaint mode. According to apparmor doc:

AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

NOT ENFORCE! So - we still don't know what is happening here!

lbthomsen commented 6 years ago

Just for reference - Ubuntu bug that appears to be related - however, none of the work arounds described works: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1577926

Also - tried strace:

[pid  7425] execve("/usr/bin/apt-key", ["/usr/bin/apt-key", "--quiet", "--readonly", "verify", "--status-fd", "3", "/tmp/apt.sig.ouKkkd", "/tmp/apt.data.pZ6h8E"], [/* 14 vars */]) = -1 EPERM (Operation not permitted)
akarasulu commented 6 years ago

So it sounds to me like some things are enforced yet not documented. I think we need to sift through the set of AppArmor access control rules.

akarasulu commented 6 years ago

Read up on that thread. This shxt is cryptic.

UPDATE: tried all the workarounds without success (i.e. chmod 1777 on /tmp)

The id_map mechanism might have something to do with that though.

akarasulu commented 6 years ago

Even with apparmor completely disabled 

root@subutai:~# systemctl status apparmor
* apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

And after a reboot, I'm getting the same error inside the container:

W: GPG error: http://security.ubuntu.com/ubuntu xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
W: The repository 'http://security.ubuntu.com/ubuntu xenial-security InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

This might have nothing to do with apparmor.

lbthomsen commented 6 years ago

This workaround works:

edit /etc/defaults/grub

Set:

GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"

Run: update-grub

Reboot and that's it. I would suggest that this essentially emulates on Ubuntu how things are run on Debian. This is NOT the right way to do this obviously but at least it proves beyond doubt that this is apparmor related.

lbthomsen commented 6 years ago

Interesting observation. On a freshly booted system with containers running:

root@usmp1:~# aa-status | grep apt-
root@usmp1:~#

After a failed apt-get update:

root@deb1-2:~# apt-get update
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [63.0 kB]                                                                                                                                 
Ign:1 http://security.debian.org/debian-security stretch/updates InRelease                                                                                                                                           
Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [269 kB]                                                                                                                        
Get:5 http://security.debian.org/debian-security stretch/updates/main Translation-en [118 kB]                                                                                                                        
Ign:2 http://cdn-fastly.deb.debian.org/debian stretch InRelease                                                                                                                                                      
Get:4 http://cdn-fastly.deb.debian.org/debian stable-updates InRelease [91.0 kB]                                                                                                                                     
Ign:4 http://cdn-fastly.deb.debian.org/debian stable-updates InRelease                                                                                                                                               
Get:6 http://cdn-fastly.deb.debian.org/debian stretch Release [118 kB]                                                                                                                                               
Get:7 http://cdn-fastly.deb.debian.org/debian stable-updates/main amd64 Packages [7688 B]                                                                                                                            
Get:8 http://cdn-fastly.deb.debian.org/debian stable-updates/main Translation-en [5096 B]                                                                                                                            
Get:9 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg [2434 B]                                                                                                                                           
Ign:9 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg                                                                                                                                                    
Get:10 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Packages [7123 kB]                                                                                                                                 
Get:11 http://cdn-fastly.deb.debian.org/debian stretch/main Translation-en [5393 kB]                                                                                                                                 
Get:12 http://cdn-fastly.deb.debian.org/debian stretch/contrib amd64 Packages [50.9 kB]                                                                                                                              
Get:13 http://cdn-fastly.deb.debian.org/debian stretch/contrib Translation-en [45.9 kB]                                                                                                                              
Get:14 http://cdn-fastly.deb.debian.org/debian stretch/non-free amd64 Packages [78.0 kB]                                                                                                                             
Get:15 http://cdn-fastly.deb.debian.org/debian stretch/non-free Translation-en [79.2 kB]                                                                                                                             
Fetched 13.4 MB in 21s (636 kB/s)                                                                                                                                                                                    
Reading package lists... Done                                                                                                                                                                                        
W: GPG error: http://security.debian.org/debian-security stretch/updates InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_stretch_updates_InRelease                                                                                                                                                                                                             
W: The repository 'http://security.debian.org/debian-security stretch/updates InRelease' is not signed.                                                                                                              
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.                                                                                                                 
N: See apt-secure(8) manpage for repository creation and user configuration details.                                                                                                                                 
W: GPG error: http://cdn-fastly.deb.debian.org/debian stable-updates InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/httpredir.debian.org_debian_dists_stable-updates_InRelease     
W: The repository 'http://httpredir.debian.org/debian stable-updates InRelease' is not signed.                                                                                                                       
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.                                                                                                                 
N: See apt-secure(8) manpage for repository creation and user configuration details.                                                                                                                                 
W: GPG error: http://cdn-fastly.deb.debian.org/debian stretch Release: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/httpredir.debian.org_debian_dists_stretch_Release                       
W: The repository 'http://httpredir.debian.org/debian stretch Release' is not signed.                                                                                                                                
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.                                                                                                                 
N: See apt-secure(8) manpage for repository creation and user configuration details.                                                                                                                                 
root@deb1-2:~#

Back on the host:

root@usmp1:~# aa-status | grep apt-
   snap.subutai-master.subutai-master//null-/usr/bin/apt-get
   snap.subutai-master.subutai-master//null-/usr/bin/apt-get//null-/usr/bin/dpkg
   snap.subutai-master.subutai-master//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/gpgv
   snap.subutai-master.subutai-master//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/gpgv//null-/usr/bin/apt-key
   snap.subutai-master.subutai-master//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/http
   snap.subutai-master.subutai-master//null-/usr/bin/apt-get//null-/usr/lib/apt/methods/store

In other words - these are generated dynamically. They are however all listed as "complain".

lbthomsen commented 6 years ago

Another interesting page: https://bugs.launchpad.net/snappy/+bug/1670475

Seems to indicate a kernel bug in the kernel xenial uses by default. However, updating to:

root@usmp1:~# uname -a Linux usmp1 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Did NOT solve the issue.

AlinaPenkina commented 6 years ago

Fixed.