
apparmor - dnsmasq fails to start in nested incus installs #52

Closed
antifob opened this issue Jul 17, 2024 · 3 comments

Comments


antifob commented Jul 17, 2024

It is unclear to me whether this is a pure incus or zabbly-build bug. Feel free to tell me so I can file the bug upstream. :)

When installing incus in an unprivileged container, dnsmasq fails to create a unix socket due to it being blocked by the apparmor profile. This bug causes incus network create and incus admin init --auto to fail. Additionally, the bug appears to be specific to Ubuntu hosts as I couldn't reproduce it on Debian hosts.

Relevant dmesg output

Below, the dnsmasq apparmor profile is loaded by incus and the launch of dnsmasq causes a

[  421.527168] audit: type=1400 audit(1721233364.020:40): apparmor="STATUS" operation="profile_load" label="incus-c1_</var/lib/incus>//&:incus-c1_<var-lib-incus>:unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7046 comm="apparmor_parser"
[  421.530730] audit: type=1400 audit(1721233364.020:41): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.530848] audit: type=1400 audit(1721233364.020:42): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.531101] audit: type=1400 audit(1721233364.024:43): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.531139] audit: type=1400 audit(1721233364.024:44): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.531188] audit: type=1400 audit(1721233364.024:45): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.531260] audit: type=1400 audit(1721233364.024:46): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.531290] audit: type=1400 audit(1721233364.024:47): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.619265] audit: type=1400 audit(1721233364.112:48): apparmor="STATUS" operation="profile_remove" label="incus-c1_</var/lib/incus>//&:incus-c1_<var-lib-incus>:unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7052 comm="apparmor_parser"

Replicating the bug

Note that using a bookworm VM instead of a jammy VM works.

incus launch --vm images:ubuntu/jammy ubnt
incus exec ubnt bash

# in the ubnt vm
apt-get -y --no-install-recommends install ca-certificates curl
curl -fsSL https://pkgs.zabbly.com/get/incus-stable | sh
incus admin init --auto
incus launch images:debian/bookworm c1
incus exec c1 bash

# in the c1 ctn
apt-get -y --no-install-recommends install ca-certificates curl
curl -fsSL https://pkgs.zabbly.com/get/incus-stable | sh
incus admin init --auto
Error: Failed to create local member network "incusbr0" in project "default": The DNS and DHCP service exited prematurely: exit status 3 ("dnsmasq: cannot open log : Permission denied")

# triggering the bug manually
incus network create brname0
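The audit lines quoted above carry everything needed to triage the denial: the policy namespace (root//incus-c1_..., i.e. a nested container), the profile, the socket family and type, and the denied permission. The following is an added example, not code from this issue, from incus or from the zabbly packaging: a small parser that turns such dmesg lines into key/value records, groups the DENIED events, and flags the ones raised from a child AppArmor namespace. The sample input is the STATUS/DENIED lines copied from the report above; the rule_for_denial helper maps a unix-socket denial to the generic AppArmor rule syntax that would permit it and is an aid for reading the log, not the fix made in lxc/incus#1011.

```python
import re
from collections import Counter

# Constructed sample: a subset of the dmesg lines quoted in the issue above
# (one profile_load, two stream denials, one dgram denial, one profile_remove).
SAMPLE_DMESG = """\
[  421.527168] audit: type=1400 audit(1721233364.020:40): apparmor="STATUS" operation="profile_load" label="incus-c1_</var/lib/incus>//&:incus-c1_<var-lib-incus>:unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7046 comm="apparmor_parser"
[  421.530730] audit: type=1400 audit(1721233364.020:41): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.530848] audit: type=1400 audit(1721233364.020:42): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.531188] audit: type=1400 audit(1721233364.024:45): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 namespace="root//incus-c1_<var-lib-incus>" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7047 comm="dnsmasq" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
[  421.619265] audit: type=1400 audit(1721233364.112:48): apparmor="STATUS" operation="profile_remove" label="incus-c1_</var/lib/incus>//&:incus-c1_<var-lib-incus>:unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=7052 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if the
    line is not an AppArmor audit record at all."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_nested_namespace(namespace):
    """AppArmor names a child policy namespace as parent//child. An event
    carrying such a namespace was raised from inside a container, which is the
    situation the issue describes (policy enforced differently than on the host)."""
    return "//" in namespace


def summarize_denials(text):
    """Group DENIED events by the tuple that identifies a missing/unsatisfied
    rule, counting repeats (dnsmasq retried the socket creation several times)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        key = (
            f.get("namespace", ""),
            f.get("profile", ""),
            f.get("operation", ""),
            f.get("family", ""),
            f.get("sock_type", ""),
            f.get("denied_mask", ""),
        )
        counts[key] += 1
    return counts


def rule_for_denial(fields):
    """Generic AppArmor rule that would grant a denied unix-socket operation,
    e.g. 'unix (create) type=stream,'. Illustrative mapping only; whether the
    profile actually lacks the rule or the kernel mis-enforces it inside the
    nested namespace is exactly what the thread leaves open."""
    if fields.get("family") != "unix":
        return None
    perms = fields.get("denied_mask", "")
    sock_type = fields.get("sock_type", "")
    return f"unix ({perms}) type={sock_type},"


def triage(text):
    """Human-readable lines: one per distinct denial, marking nested-namespace events."""
    out = []
    for (ns, profile, op, family, stype, mask), n in sorted(summarize_denials(text).items()):
        where = "NESTED" if is_nested_namespace(ns) else "host"
        out.append(f"{where} {profile}: {op} {family}/{stype} denied={mask} x{n}")
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_DMESG):
        print(line)
```

Feed it `dmesg` (or `journalctl -k`) output from the host, not from inside the container: the denial is logged by the host kernel under the child namespace, which is what the `namespace="root//incus-c1_..."` field records.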
stgraber (Member) commented:

Quite possibly some kind of apparmor kernel bug, we keep seeing apparmor enforce its profiles differently inside of containers than it does on the system directly...

stgraber (Member) commented:

lxc/incus#1011

stgraber (Member) commented:

Closing this one here since there's now a PR on the incus side.
