
<div dir="ltr">when i realized that theres missing apparmor profile, i went straight to github to checkout what loads those and also google search indicated a similar issue[1] which mentioned this. from github i got the systemd apparmor load script [2]  which i then manually executed, to get my lxc setup going. I am pasting `dpkg -L ` output below for exact contents of the package:<br>----<br>/.<br>/usr<br>/usr/share<br>/usr/share/apport<br>/usr/share/apport/package-hooks<br>/usr/share/apport/package-hooks/source_lxc.py<br>/usr/share/lintian<br>/usr/share/lintian/overrides<br>/usr/share/lintian/overrides/lxc<br>/usr/share/lxc<br>/usr/share/lxc/hooks<br>/usr/share/lxc/hooks/clonehostname<br>/usr/share/lxc/hooks/ubuntu-cloud-prep<br>/usr/share/lxc/hooks/mountecryptfsroot<br>/usr/share/lxc/hooks/squid-deb-proxy-client<br>/usr/share/lxc/config<br>/usr/share/lxc/config/fedora.userns.conf<br>/usr/share/lxc/config/ubuntu-cloud.lucid.conf<br>/usr/share/lxc/config/ubuntu.common.conf<br>/usr/share/lxc/config/debian.common.conf<br>/usr/share/lxc/config/ubuntu.userns.conf<br>/usr/share/lxc/config/centos.userns.conf<br>/usr/share/lxc/config/fedora.common.conf<br>/usr/share/lxc/config/debian.userns.conf<br>/usr/share/lxc/config/common.seccomp<br>/usr/share/lxc/config/ubuntu.lucid.conf<br>/usr/share/lxc/config/gentoo.moresecure.conf<br>/usr/share/lxc/config/gentoo.userns.conf<br>/usr/share/lxc/config/centos.common.conf<br>/usr/share/lxc/config/plamo.common.conf<br>/usr/share/lxc/config/oracle.userns.conf<br>/usr/share/lxc/config/plamo.userns.conf<br>/usr/share/lxc/config/ubuntu-cloud.userns.conf<br>/usr/share/lxc/config/oracle.common.conf<br>/usr/share/lxc/config/ubuntu-cloud.common.conf<br>/usr/share/lxc/config/gentoo.common.conf<br>/usr/share/lxc/lxc.functions<br>/usr/share/lxc/selinux<br>/usr/share/lxc/selinux/lxc.te<br>/usr/share/lxc/selinux/lxc.if<br>/usr/share/doc<br>/usr/share/doc/lxc<br>/usr/share/doc/lxc/README.Debian<br>/usr/share/doc/lxc/examples<br>/usr/share/doc/lxc/examples/lxc-macvlan.conf<br>/usr/share/doc/lxc/examples/lxc-empty-netns.conf<br>/usr/share/doc/lxc/examples/seccomp-v2.conf<br>/usr/share/doc/lxc/examples/lxc-vlan.conf<br>/usr/share/doc/lxc/examples/lxc-complex.conf<br>/usr/share/doc/lxc/examples/seccomp-v1.conf<br>/usr/share/doc/lxc/examples/seccomp-v2-blacklist.conf<br>/usr/share/doc/lxc/examples/lxc-phys.conf<br>/usr/share/doc/lxc/examples/lxc-no-netns.conf<br>/usr/share/doc/lxc/examples/lxc-veth.conf<br>/usr/share/doc/lxc/copyright<br>/usr/share/doc/lxc/changelog.Debian.gz<br>/usr/share/man<br>/usr/share/man/man5<br>/usr/share/man/man5/lxc.container.conf.5.gz<br>/usr/share/man/man5/lxc-usernet.5.gz<br>/usr/share/man/man5/lxc.system.conf.5.gz<br>/usr/share/man/man5/lxc.conf.5.gz<br>/usr/share/man/man1<br>/usr/share/man/man1/lxc-unfreeze.1.gz<br>/usr/share/man/man1/lxc-user-nic.1.gz<br>/usr/share/man/man1/lxc-usernsexec.1.gz<br>/usr/share/man/man1/lxc-monitor.1.gz<br>/usr/share/man/man1/lxc-clone.1.gz<br>/usr/share/man/man1/lxc-autostart.1.gz<br>/usr/share/man/man1/lxc-top.1.gz<br>/usr/share/man/man1/lxc-config.1.gz<br>/usr/share/man/man1/lxc-ls.1.gz<br>/usr/share/man/man1/lxc-execute.1.gz<br>/usr/share/man/man1/lxc-wait.1.gz<br>/usr/share/man/man1/lxc-snapshot.1.gz<br>/usr/share/man/man1/lxc-destroy.1.gz<br>/usr/share/man/man1/lxc-device.1.gz<br>/usr/share/man/man1/lxc-console.1.gz<br>/usr/share/man/man1/lxc-start-ephemeral.1.gz<br>/usr/share/man/man1/lxc-attach.1.gz<br>/usr/share/man/man1/lxc-start.1.gz<br>/usr/share/man/man1/lxc-unshare.1.gz<br>/usr/share/man/man1/lxc-cgroup.1.gz<br>/usr/share/man/man1/lxc-freeze.1.gz<br>/usr/share/man/man1/lxc-info.1.gz<br>/usr/share/man/man1/lxc-stop.1.gz<br>/usr/share/man/man1/lxc-checkconfig.1.gz<br>/usr/share/man/man1/lxc-create.1.gz<br>/usr/share/man/ja<br>/usr/share/man/ja/man5<br>/usr/share/man/ja/man5/lxc.container.conf.5.gz<br>/usr/share/man/ja/man5/lxc-usernet.5.gz<br>/usr/share/man/ja/man5/lxc.system.conf.5.gz<br>/usr/share/man/ja/man5/lxc.conf.5.gz<br>/usr/share/man/ja/man1<br>/usr/share/man/ja/man1/lxc-unfreeze.1.gz<br>/usr/share/man/ja/man1/lxc-user-nic.1.gz<br>/usr/share/man/ja/man1/lxc-usernsexec.1.gz<br>/usr/share/man/ja/man1/lxc-monitor.1.gz<br>/usr/share/man/ja/man1/lxc-clone.1.gz<br>/usr/share/man/ja/man1/lxc-autostart.1.gz<br>/usr/share/man/ja/man1/lxc-top.1.gz<br>/usr/share/man/ja/man1/lxc-config.1.gz<br>/usr/share/man/ja/man1/lxc-ls.1.gz<br>/usr/share/man/ja/man1/lxc-execute.1.gz<br>/usr/share/man/ja/man1/lxc-wait.1.gz<br>/usr/share/man/ja/man1/lxc-snapshot.1.gz<br>/usr/share/man/ja/man1/lxc-destroy.1.gz<br>/usr/share/man/ja/man1/lxc-device.1.gz<br>/usr/share/man/ja/man1/lxc-console.1.gz<br>/usr/share/man/ja/man1/lxc-start-ephemeral.1.gz<br>/usr/share/man/ja/man1/lxc-attach.1.gz<br>/usr/share/man/ja/man1/lxc-start.1.gz<br>/usr/share/man/ja/man1/lxc-unshare.1.gz<br>/usr/share/man/ja/man1/lxc-cgroup.1.gz<br>/usr/share/man/ja/man1/lxc-freeze.1.gz<br>/usr/share/man/ja/man1/lxc-info.1.gz<br>/usr/share/man/ja/man1/lxc-stop.1.gz<br>/usr/share/man/ja/man1/lxc-checkconfig.1.gz<br>/usr/share/man/ja/man1/lxc-create.1.gz<br>/usr/share/man/ja/man7<br>/usr/share/man/ja/man7/lxc.7.gz<br>/usr/share/man/man7<br>/usr/share/man/man7/lxc.7.gz<br>/usr/bin<br>/usr/bin/lxc-cgroup<br>/usr/bin/lxc-clone<br>/usr/bin/lxc-stop<br>/usr/bin/lxc-usernsexec<br>/usr/bin/lxc-start-ephemeral<br>/usr/bin/lxc-snapshot<br>/usr/bin/lxc-attach<br>/usr/bin/lxc-destroy<br>/usr/bin/lxc-unshare<br>/usr/bin/lxc-create<br>/usr/bin/lxc-execute<br>/usr/bin/lxc-info<br>/usr/bin/lxc-ls<br>/usr/bin/lxc-config<br>/usr/bin/lxc-wait<br>/usr/bin/lxc-unfreeze<br>/usr/bin/lxc-autostart<br>/usr/bin/lxc-checkconfig<br>/usr/bin/lxc-device<br>/usr/bin/lxc-monitor<br>/usr/bin/lxc-start<br>/usr/bin/lxc-freeze<br>/usr/bin/lxc-console<br>/usr/lib<br>/usr/lib/x86_64-linux-gnu<br>/usr/lib/x86_64-linux-gnu/lxc<br>/usr/lib/x86_64-linux-gnu/lxc/lxc-monitord<br>/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic<br>/usr/sbin<br>/usr/sbin/init.lxc<br>/etc<br>/etc/lxc<br>/etc/lxc/default.conf<br>/etc/bash_completion.d<br>/etc/bash_completion.d/lxc<br>/etc/dnsmasq.d-available<br>/etc/dnsmasq.d-available/lxc<br>/etc/apparmor.d<br>/etc/apparmor.d/abstractions<br>/etc/apparmor.d/abstractions/lxc<br>/etc/apparmor.d/abstractions/lxc/container-base<br>/etc/apparmor.d/abstractions/lxc/start-container<br>/etc/apparmor.d/lxc-containers<br>/etc/apparmor.d/lxc<br>/etc/apparmor.d/lxc/lxc-default-with-nesting<br>/etc/apparmor.d/lxc/lxc-default-with-mounting<br>/etc/apparmor.d/lxc/lxc-default<br>/etc/apparmor.d/usr.bin.lxc-start<br>/etc/default<br>/etc/default/lxc<br>/etc/init<br>/etc/init/lxc.conf<br>/etc/init/lxc-instance.conf<br>/etc/init/lxc-net.conf<br>/var<br>/var/lib<br>/var/lib/lxc<br>/var/log<br>/var/log/lxc<br>/var/cache<br>/var/cache/lxc<br>----<br><br><br>[1]<a href="https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1432683">https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1432683</a><br>[2]<a href="https://github.com/lxc/lxc/blob/2d8632d5b75ce1e4b24f5714b9ec817a845881cf/config/init/systemd/lxc-apparmor-load">https://github.com/lxc/lxc/blob/2d8632d5b75ce1e4b24f5714b9ec817a845881cf/config/init/systemd/lxc-apparmor-load</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 15, 2015 at 3:24 PM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ok I've got a vm running 1.0.7+stable~20150828-2252-0ubuntu1~trusty<br>

<br>

It doesn't have /usr/lib/x86_64-linux-gnu/lxc/lxc-apparmor-load.  But<br>

/etc/init/lxc.conf calls /lib/apparmor/profile-load.  Which... also<br>

doesn't exist.<br>

<br>

Oddly, profiles are still being loaded.  I guess the /etc/apparmor.d/lxc-containers<br>

file ensures that anything under /etc/apparmor.d/lxc/ gets loaded at<br>

boot.  But 'stop lxc; start lxc' doesn't cause those to get loaded.<br>

<br>

So Stéphane there does appear to be a bug in the packaging for that ppa<br>

version.  It should be shipping lxc-apparmor-load. I dunno where the packaging<br>

for stable ppas gets stored...<br>

<br>

Ranjib, you mention the newer script /usr/lib/x86_64-linux-gnu/lxc/lxc-apparmor-load,<br>

did you mention that one becuase newer upstream ships it, or does it<br>

actually appear to be getting called somewhere in the ppa version?<br>

<br>

-serge<br>

<br>

Quoting Ranjib Dey (<a href="mailto:dey.ranjib@gmail.com">dey.ranjib@gmail.com</a>):<br>

> lxc-git-stable-1.0 ppa, i had installed it after lxc stopped working due to<br>

> sysfs mounting failure,  after you sent out the email to test before 1.07<br>

> in this list<br>

><br>

> On Tue, Sep 15, 2015 at 10:44 AM, Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com">serge.hallyn@ubuntu.com</a>><br>

> wrote:<br>

><br>

> > Quoting Ranjib Dey (<a href="mailto:dey.ranjib@gmail.com">dey.ranjib@gmail.com</a>):<br>

> > > im seeing some failures of lxc-start due to missing apparmor profiles.<br>

> > lxc<br>

> > > package does not ship /usr/lib/x86_64-linux-gnu/lxc/lxc-apparmor-load,<br>

> > > which in turn responsible for the missing apparmor  profiles (validated<br>

> > by<br>

> > > the lxc-start log and aa-status)<br>

> > ><br>

> > > lxc-version: 1.0.7+stable~20150828-2252-0ubuntu<br>

> ><br>

> > Sorry - where did this package version come from?<br>

> ><br>

> > The helper was introduced by commit<br>

> > 2b24e2ff84c03a1e049449127958df8dc16a74fd so<br>

> > you can grab it yourself from git if you need.<br>

> ><br>

> > > distro: ubuntu - trusty<br>

> > > kernel: 3.19.0-28<br>

> > ><br>

> > > i had to upgrade the kernel to vivid lts for sysfs related bug<br>

> > ><br>

> > > regards<br>

> > > ranjib<br>

> ><br>

> > > _______________________________________________<br>

> > > lxc-users mailing list<br>

> > > <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>

> > > <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>

> ><br>

> > _______________________________________________<br>

> > lxc-users mailing list<br>

> > <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>

> > <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>

<br>

> _______________________________________________<br>

> lxc-users mailing list<br>

> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>

> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>

<br>

_______________________________________________<br>

lxc-users mailing list<br>

<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>

<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div><br></div>