[lxc-devel] Problem with apt-get upgrade with Ubuntu container on Fedora host.

Michael H. Warfield mhw at WittsEnd.com
Thu Jun 19 18:48:11 UTC 2014


On Thu, 2014-06-19 at 10:58 -0400, Michael H. Warfield wrote:
> On Thu, 2014-06-19 at 10:48 -0400, Stéphane Graber wrote:
> > On Thu, Jun 19, 2014 at 10:35:50AM -0400, Michael H. Warfield wrote:
> > > On Thu, 2014-06-19 at 10:19 -0400, Michael H. Warfield wrote:
> > > > On Thu, 2014-06-19 at 10:15 -0400, Michael H. Warfield wrote:
> > > > > This feels like it's an AppArmor issue...  Posting to the -devel since
> > > > > I don't think it's a user level problem.
> > > > 
> > > > > I run an Ubuntu container on a Fedora 20 host and it's "running" fine.
> > > > > The container was built on an Ubuntu "host" (really a container creating
> > > > > a sub-container) with "lxc-create ... -t ubuntu -- -r sid".
> > > > 
> > > > Oh, correction...  That was mislabeled as sid.  I double checked the
> > > > os-release and I had built "trusty" and this particular one had been
> > > > built using the download template, not using a subcontainer after all.
> > > > I've got too many development and test containers and I'm starting to
> > > > get them mixed up.  My apologies.
> > 
> > Oh, I should have read the whole thread before replying to the first e-mail :)
> > 
> > > More points on the curve.  When I shut the container down (over an ssh
> > > connection) in order to rename it, I saw this error:
> > > 
> > > root at Ubuntu-sid:~# init 0
> > > SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.29:  No such file or directory
> > > root at Ubuntu-sid:~# Connection to 2001:4830:3000:8200:207d:8eff:fe6f:3f79 closed by remote host.
> > > Connection to 2001:4830:3000:8200:207d:8eff:fe6f:3f79 closed.
> > > 
> > > My host is in selinux "permissive" mode
> > > and /etc/selinux/targeted/policy/policy.29 does exist in the host.
> > > Ubuntu container trying to do something with selinux?
> > > 
> > > After the rename of the container I noticed this when I logged back
> > > in...
> > > 
> > > [mhw at canyon ~]$ ssh ubuntu at 2001:4830:3000:8200:7c32:63ff:fec2:24b
> > > The authenticity of host '2001:4830:3000:8200:7c32:63ff:fec2:24b (2001:4830:3000:8200:7c32:63ff:fec2:24b)' can't be established.
> > > ECDSA key fingerprint is c4:ee:a0:56:8d:f7:19:cb:10:b9:14:49:cf:da:46:6b.
> > > Are you sure you want to continue connecting (yes/no)? yes
> > > Warning: Permanently added '2001:4830:3000:8200:7c32:63ff:fec2:24b' (ECDSA) to the list of known hosts.
> > > ubuntu at 2001:4830:3000:8200:7c32:63ff:fec2:24b's password: 
> > > X11 forwarding request failed on channel 0
> > > Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.14.5-200.fc20.x86_64 x86_64)
> > > 
> > >  * Documentation:  https://help.ubuntu.com/
> > > Unable to get valid context for ubuntu
> > > Last login: Thu Jun 19 14:25:07 2014 from canyon.ip6.wittsend.com
> > > ubuntu at Ubuntu-trusty:~$ 
> > > 
> > > In addition to the fact that the download template didn't create the
> > > container with persistent mac addresses (the reason for the ssh
> > > authenticity warnings) I got an "Unable to get valid context for ubuntu"
> > > error when logging in.
> > > 
> > > I'll probably try putting the host into selinux disabled mode and try
> > > again.

> > Yeah, that'd be interesting as a test.

> > Ubuntu doesn't use SELinux, though a lot of stuff we ship has some kind
> > of support for it, so you may well be getting into odd corner cases,
> > running Ubuntu on a SELinux enabled machine.

> That does appear to be the case.  By putting the host into selinux
> disabled mode, the login error disappears and the "apt-get install -f"
> proceeded properly.

> That's a nasty corner case.  Permissive mode has a policy loaded into
> the kernel but is not enforcing anything.  Definitely a skew between
> what the host has set up and what the apps in the container think they
> should be doing.  Guess that makes it an selinux problem.

And what you DO NOT WANT TO DO is go the other way!  Trying to run a
double check, I put the host back in selinux permissive mode.  That
resulted in a 1 hour selinux filesystem relabel (Ok, it's a 5 TB file
system all totaled) but that relabel did something to that container and
it's no longer functional.  WTH?  It only comes up far enough to log in
from the lxc-start console (no sshd and no lxc-console).

I was going to try setting /etc/selinux/configure in the container to
disabled to see if that helps (we disable it in Fedora containers) but
never got that far.

Burned it down and built a new one and the host is back in selinux
disabled mode.  Everything looking good.  That was nasty.

Regards,
Mike

> > > Regards,
> > > Mike
> > > 
> > > > > When I go to run "apt-get update ; apt-get upgrade" I get an error like
> > > > > this:
> > > > > 
> > > > > root at Ubuntu-sid:~# apt-get upgrade
> > > > > Reading package lists... Done
> > > > > Building dependency tree       
> > > > > Reading state information... Done
> > > > > You might want to run 'apt-get -f install' to correct these.
> > > > > The following packages have unmet dependencies:
> > > > >  libasn1-8-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226) but it is not installed
> > > > >  libgssapi3-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226) but it is not installed
> > > > >  libhcrypto4-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226) but it is not installed
> > > > >  libheimntlm0-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226) but it is not installed
> > > > >  libhx509-5-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226) but it is not installed
> > > > >  libkrb5-26-heimdal : Depends: libroken18-heimdal (>= 1.6~git20131117) but it is not installed
> > > > >  libwind0-heimdal : Depends: libroken18-heimdal (>= 1.4.0+git20110226) but it is not installed
> > > > > E: Unmet dependencies. Try using -f.
> > > > > 
> > > > > Ok...  So, I try that...
> > > > > 
> > > > > root at Ubuntu-sid:~# apt-get -f install
> > > > > Reading package lists... Done
> > > > > Building dependency tree       
> > > > > Reading state information... Done
> > > > > Correcting dependencies... Done
> > > > > The following extra packages will be installed:
> > > > >   libroken18-heimdal
> > > > > The following NEW packages will be installed:
> > > > >   libroken18-heimdal
> > > > > 0 upgraded, 1 newly installed, 0 to remove and 22 not upgraded.
> > > > > 88 not fully installed or removed.
> > > > > Need to get 0 B/40.0 kB of archives.
> > > > > After this operation, 162 kB of additional disk space will be used.
> > > > > Do you want to continue? [Y/n] y
> > > > > dpkg: error processing archive /var/cache/apt/archives/libroken18-heimdal_1.6~git20131207+dfsg-1ubuntu1_amd64.deb (--unpack):
> > > > >  cannot get security labeling handle: No such file or directory
> > > > > Errors were encountered while processing:
> > > > >  /var/cache/apt/archives/libroken18-heimdal_1.6~git20131207+dfsg-1ubuntu1_amd64.deb
> > > > > E: Sub-process /usr/bin/dpkg returned an error code (1)
> > > > > 
> > > > > Ok...  Here's where I think it's an AppArmor thing.  That error
> > > > > "cannot get security labeling handle: No such file or directory" can not
> > > > > be good.
> > > > > 
> > > > > Any ideas what we have broken in here or what should be done about it to
> > > > > make it work?
> > > > > 
> > > > > Regards,
> > > > > Mike
> > > > 
> > > 
> > > -- 
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > 
> > 
> > 
> > 
> > > _______________________________________________
> > > lxc-devel mailing list
> > > lxc-devel at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> > 
> > 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
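
The mismatch described in this message (a policy loaded in the host kernel while the container's userland carries no SELinux files), as a check that can be run against a container rootfs. This is an added example, not code from the thread or from LXC. The function name selinux_skew, its arguments, the fallback to the "targeted" policy type and the choice of contexts/files/file_contexts as the file to look for are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the kernel's SELinux
# state and the SELinux files inside a container rootfs agree.
# Usage: selinux_skew ROOTFS [SELINUXFS]   (paths are parameters for testing)
selinux_skew() {
    root=${1%/}
    sfs=${2:-$root/sys/fs/selinux}

    # Kernel side: selinuxfs exposes "enforce" (1 = enforcing, 0 = permissive).
    # This script treats a missing file as "SELinux not visible here".
    if [ -r "$sfs/enforce" ]; then
        if [ "$(cat "$sfs/enforce")" = 1 ]; then kernel=enforcing
        else kernel=permissive; fi
    else
        kernel=disabled
    fi

    # Userspace side: policy type from the rootfs config. Assumption: fall
    # back to "targeted", the type named in the error quoted in the thread.
    ptype=
    [ -r "$root/etc/selinux/config" ] &&
        ptype=$(sed -n 's/^SELINUXTYPE=//p' "$root/etc/selinux/config" | tail -n 1)
    ptype=${ptype:-targeted}
    fc=$root/etc/selinux/$ptype/contexts/files/file_contexts

    # Skew: the kernel has a policy loaded, but the rootfs has no file
    # contexts for labeling-aware tools to open.
    if [ "$kernel" = disabled ]; then verdict=ok
    elif [ -r "$fc" ]; then verdict=ok
    else verdict=skew; fi
    echo "kernel=$kernel type=$ptype verdict=$verdict"
    [ "$verdict" = ok ]
}

# Constructed demo: a rootfs with no /etc/selinux under a permissive kernel,
# the situation described in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/sys/fs/selinux"
echo 0 > "$demo/sys/fs/selinux/enforce"
selinux_skew "$demo" || true    # kernel=permissive type=targeted verdict=skew
rm -rf "$demo"
```

Inside a running container, call it as selinux_skew / and check the exit status; a non-zero status means the kernel reports a loaded policy that the container's userland cannot match.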
