<div dir="ltr">Stephane<div><br></div><div>Thanks... I've tried everything else I could think of, so I'll give that a shot and see what happens.</div><div><br></div><div>A few months ago I think this all worked, but my memory isn't so good anymore :-)</div><div><br></div><div>I'll let you know what happens.</div><div><br></div><div>Brian</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 15, 2019 at 11:19 AM Stéphane Graber <<a href="mailto:stgraber@ubuntu.com">stgraber@ubuntu.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, Mar 15, 2019 at 10:41:55AM -0400, brian mullan wrote:<br>
> I am encountering a strange problem with Nested LXD on AWS EC2 Ubuntu 18.04<br>
> instances...<br>
> <br>
> <br>
> > snap    2.37.4<br>
> > snapd   2.37.4<br>
> > series  16<br>
> > ubuntu  18.04<br>
> > kernel  4.15.0-46-generic<br>
> > LXD     3.11<br>
> <br>
> <br>
> In my AWS 18.04 host I install SNAP LXD and create an Ubuntu 18.04<br>
> container; let's call it *"parent"*<br>
> <br>
> I enable Nesting for *"parent"*<br>
> <br>
> I enter "parent" and apt-get update, apt-get upgrade ... no problem<br>
> <br>
> In "parent" I also install SNAP LXD and create an Ubuntu 18.04 container<br>
> let's call it *"child"*<br>
> <br>
> I enter "child" and when I try to "*apt-get update, apt-get upgrade*" ... I<br>
> see the very *same* packages to be upgraded<br>
> as I did when I upgrade "*parent*" ... however in *"child"* I get errors<br>
> related to apport, udev ??<br>
> <br>
> I also see failure messages related to systemd-networkd.service access<br>
> denied etc (see below)<br>
> <br>
> Note: I tried this on a local KVM Ubuntu 18.04 VM<br>
> <br>
> *These are some of the packages that would be updated/upgraded in BOTH the<br>
> "parent" and "child" Ubuntu 18.04 container on an AWS EC2 Ubuntu Bionic<br>
> instance:*<br>
> <br>
> The following package was automatically installed and is no longer required:<br>
> libfreetype6<br>
> Use 'apt autoremove' to remove it.<br>
> The following packages will be upgraded:<br>
> *apport* libnss-systemd libpam-modules libpam-modules-bin libpam-runtime<br>
> libpam-systemd libpam0g libseccomp2 libsystemd0 libudev1<br>
> libxcb1 python3-apport python3-problem-report snapd systemd systemd-sysv<br>
> *udev*<br>
> 17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.<br>
> Need to get 19.9 MB of archives.<br>
> After this operation, 49.2 kB of additional disk space will be used.<br>
> Do you want to continue? [Y/n]<br>
> <br>
> *Here are some of the errors that result...*<br>
> <br>
> (Reading database ... 28595 files and directories currently installed.)<br>
> Preparing to unpack .../libpam-runtime_1.1.8-3.6ubuntu2.18.04.1_all.deb ...<br>
> Unpacking libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) over (1.1.8-3.6ubuntu2)<br>
> ...<br>
> Setting up libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) ...<br>
> Setting up systemd (237-3ubuntu10.15) ...<br>
> *Failed to try-restart systemd-networkd.service: Access denied*<br>
> See system logs and 'systemctl status systemd-networkd.service' for details.<br>
> *Failed to try-restart systemd-resolved.service: Access denied*<br>
> See system logs and 'systemctl status systemd-resolved.service' for details.<br>
> *Failed to try-restart systemd-timesyncd.service: Access denied*<br>
> See system logs and 'systemctl status systemd-timesyncd.service' for<br>
> details.<br>
> *Failed to try-restart systemd-journald.service: Access denied*<br>
> See system logs and 'systemctl status systemd-journald.service' for details.<br>
> (Reading database ... 28595 files and directories currently installed.)<br>
> Preparing to unpack .../systemd-sysv_237-3ubuntu10.15_amd64.deb ...<br>
> Unpacking systemd-sysv (237-3ubuntu10.15) over (237-3ubuntu10.13) ...<br>
> Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...<br>
> Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...<br>
> Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...<br>
> (Reading database ... 28595 files and directories currently installed.)<br>
> Preparing to unpack .../libxcb1_1.13-2~ubuntu18.04_amd64.deb ...<br>
> Unpacking libxcb1:amd64 (1.13-2~ubuntu18.04) over (1.13-1) ...<br>
> Preparing to unpack .../python3-problem-report_2.20.9-0ubuntu7.6_all.deb ...<br>
> Unpacking python3-problem-report (2.20.9-0ubuntu7.6) over<br>
> (2.20.9-0ubuntu7.5) ...<br>
> Preparing to unpack .../python3-apport_2.20.9-0ubuntu7.6_all.deb ...<br>
> Unpacking python3-apport (2.20.9-0ubuntu7.6) over (2.20.9-0ubuntu7.5) ...<br>
> Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...<br>
> *Failed to retrieve unit state: Access denied*<br>
> *invoke-rc.d: could not determine current runlevel*<br>
> *Failed to reload daemon: Access denied*<br>
> <br>
> *So I interrupted the script that was doing the above attempt at apt<br>
> update && apt upgrade -y, opened a terminal, and then tried this:*<br>
> <br>
> lxc exec test bash<br>
> apt update && apt upgrade<br>
> <br>
> But of course, because I'd interrupted the above apt upgrade, I had to do *dpkg<br>
> --configure -a*<br>
> <br>
> *dpkg --configure -a*<br>
> Setting up libnss-systemd:amd64 (237-3ubuntu10.15) ...<br>
> Processing triggers for ureadahead (0.100.0-20) ...<br>
> Setting up systemd-sysv (237-3ubuntu10.15) ...<br>
> Setting up python3-problem-report (2.20.9-0ubuntu7.6) ...<br>
> Processing triggers for libc-bin (2.27-3ubuntu1) ...<br>
> Setting up udev (237-3ubuntu10.15) ...<br>
> *Failed to reload daemon: Access denied*<br>
> dpkg: error processing package udev (--configure):<br>
> installed udev package post-installation script subprocess was interrupted<br>
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...<br>
> Processing triggers for dbus (1.12.2-1ubuntu1) ...<br>
> *Failed to open connection to "system" message bus: Failed to query<br>
> AppArmor policy: Permission denied*<br>
> Setting up libxcb1:amd64 (1.13-2~ubuntu18.04) ...<br>
> Setting up libpam-systemd:amd64 (237-3ubuntu10.15) ...<br>
> Setting up python3-apport (2.20.9-0ubuntu7.6) ...<br>
> dpkg: error processing package apport (--configure):<br>
> package is in a very bad inconsistent state; you should<br>
> reinstall it before attempting configuration<br>
> Processing triggers for libc-bin (2.27-3ubuntu1) ...<br>
> *Errors were encountered while processing:*<br>
> * udev*<br>
> * apport*<br>
> <br>
> *I went back and tried to reinstall apport...*<br>
> <br>
> # apt install --reinstall apport<br>
> Reading package lists... Done<br>
> Building dependency tree<br>
> Reading state information... Done<br>
> The following package was automatically installed and is no longer required:<br>
> libfreetype6<br>
> Use 'apt autoremove' to remove it.<br>
> Suggested packages:<br>
> apport-gtk | apport-kde<br>
> The following packages will be upgraded:<br>
> apport<br>
> 1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.<br>
> 2 not fully installed or removed.<br>
> Need to get 0 B/124 kB of archives.<br>
> After this operation, 0 B of additional disk space will be used.<br>
> (Reading database ... 28595 files and directories currently installed.)<br>
> Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...<br>
> *Failed to retrieve unit state: Access denied*<br>
> *invoke-rc.d: could not determine current runlevel*<br>
> *Failed to reload daemon: Access denied*<br>
> <br>
> ======================================<br>
> <br>
> Does anyone have any idea what might be causing this?<br>
> Again this is happening on AWS and on a local KVM Ubuntu VM.<br>
<br>
Sounds like AppArmor messing with things in this case.<br>
Does enabling nesting for your nested container help somehow (the<br>
generated rules will change a bit as a result of that)?<br>
<br>
I'm pretty sure that if you look at `dmesg` you'll see some denials<br>
related to those package updates. I suspect the main difference between<br>
the two containers, other than the nested flag, is that the parent<br>
container has its own apparmor namespace whereas the child has to run<br>
under a single apparmor profile as apparmor namespaces do not currently<br>
nest.<br>
<br>
> <br>
> Thanks for any ideas or suggestions.<br>
> <br>
> Brian<br>
<br>
<br>
<br>
-- <br>
Stéphane Graber<br>
Ubuntu developer<br>
<a href="http://www.ubuntu.com" rel="noreferrer" target="_blank">http://www.ubuntu.com</a><br>
</blockquote></div>
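A small helper for the triage step Stéphane suggests (looking in `dmesg` for AppArmor denials around the package upgrade), added here as an example; it is not code from either message in the thread or from LXD. It assumes the standard AppArmor kernel audit record layout (`apparmor="DENIED" operation="…" profile="…" name="…" denied_mask="…"`). The sample `dmesg` lines, pids and the `lxd-parent_</var/snap/lxd/common/lxd>` profile name in them are constructed for the demonstration, modeled on how LXD names its per-container profiles.

```python
"""Summarize AppArmor denials from dmesg-style output.

Added example, not from the lxc-users thread. Keeps only the
apparmor="DENIED" audit records and groups them by profile, operation
and denied_mask, so the pattern behind a failing 'apt upgrade' inside
a nested container (dbus socket, systemd private socket, signals to
unconfined processes, ...) is visible at a glance.
"""
import re
from collections import Counter, defaultdict

# key="quoted value" or key=bareword, as emitted in AppArmor audit records.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample dmesg output (not real captures). The profile name
# follows LXD's naming scheme but is a placeholder for this example.
SAMPLE_DMESG = [
    '[12345.678] audit: type=1400 audit(1552662000.123:456): apparmor="DENIED" '
    'operation="file_perm" profile="lxd-parent_</var/snap/lxd/common/lxd>" '
    'name="/run/dbus/system_bus_socket" pid=2811 comm="dbus-daemon" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    '[12345.690] audit: type=1400 audit(1552662000.135:457): apparmor="DENIED" '
    'operation="file_perm" profile="lxd-parent_</var/snap/lxd/common/lxd>" '
    'name="/run/systemd/notify" pid=2840 comm="systemd-tmpfile" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000',
    '[12345.702] audit: type=1400 audit(1552662000.147:458): apparmor="DENIED" '
    'operation="signal" profile="lxd-parent_</var/snap/lxd/common/lxd>" '
    'pid=2902 comm="systemctl" requested_mask="send" denied_mask="send" '
    'signal=term peer="unconfined"',
    '[12345.710] audit: type=1400 audit(1552662000.155:459): apparmor="ALLOWED" '
    'operation="open" profile="lxd-parent_</var/snap/lxd/common/lxd>" '
    'name="/etc/ld.so.cache" pid=2902 comm="systemctl" '
    'requested_mask="r" denied_mask="r"',
    '[12345.720] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready',
]


def parse_apparmor_line(line):
    """Return the audit fields of an AppArmor record as a dict, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        # group(3) is the quoted form, group(4) the bare form.
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize_denials(lines):
    """Group DENIED records by (profile, operation, denied_mask).

    Returns (Counter of occurrences, dict of example names/comms per key).
    """
    counts = Counter()
    examples = defaultdict(set)
    for line in lines:
        rec = parse_apparmor_line(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        key = (rec.get("profile", "?"), rec.get("operation", "?"),
               rec.get("denied_mask", ""))
        counts[key] += 1
        # File operations carry a path in name=; signal/ptrace records
        # only have the acting process in comm=.
        examples[key].add(rec.get("name") or rec.get("comm", "?"))
    return counts, examples


def format_report(lines):
    """One line per (profile, operation, mask), most frequent first."""
    counts, examples = summarize_denials(lines)
    report = []
    for key, n in counts.most_common():
        profile, op, mask = key
        names = ", ".join(sorted(examples[key]))
        report.append(f"{n:3d}  {profile}  {op}  denied_mask={mask or '-'}  [{names}]")
    return report


if __name__ == "__main__":
    # Real use: python3 apparmor_denials.py < <(dmesg)  (reads stdin);
    # here the constructed sample is used so the script runs offline.
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_DMESG
    for row in format_report(lines):
        print(row)
```

If the child container's denials all land under the parent's single profile, that matches Stéphane's remark that AppArmor namespaces do not nest: the child has no profile of its own to be granted the extra rules that `security.nesting` would otherwise produce.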