[Lxc-users] Ubuntu 12.04 - apparmor problem (WAS: Ubuntu 12.04 linux-container package and init modifications)

Serge Hallyn serge.hallyn at canonical.com
Tue Mar 20 13:11:59 UTC 2012


Quoting Fajar A. Nugraha (list at fajar.net):
> On Thu, Mar 8, 2012 at 1:16 AM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> 
> > I hope this helped explain what we're doing in 12.04.
> > I'm planning on a generic "what's new in LXC for 12.04" blog post in
> > the next few days, once we've turned apparmor back on and have
> > somewhat secure containers again (hopefully later today).
> >
> > Again, please try an up to date Ubuntu 12.04 system and report any bug
> > that you see, we're trying to closely look at LXC bugs and fix them as
> > soon as possible.
> 
> Hi Stephane,
> 
> I just updated lxc on 12.04 to 0.7.5-3ubuntu40, which re-enables the
> apparmor profile. My previously-working lxc containers now refuse to
> start.
> 
> $ sudo lxc-start -n precise
> lxc-start: Permission denied - failed to mount 'proc' on
> '/usr/lib/lxc/root//proc'
> lxc-start: failed to setup the mounts for 'precise'
> lxc-start: failed to setup the container
> lxc-start: invalid sequence number 1. expected 2
> lxc-start: failed to spawn 'precise'
> lxc-start: Device or resource busy - failed to remove cgroup
> '/sys/fs/cgroup/cpu//lxc/precise'
> 
> Disabling the profile (symlink ../usr.bin.lxc-start on
> /etc/apparmor.d/disable, and force-reloading apparmor) made it work
> again. Any ideas?

It's possible you're not on the latest kernel.  The mount restrictions
stuff is new, and a few bugs needed to be shaken out.  In fact there
may still be one or two, but last night I was definitely able (on an
up-to-date cloud instance) to create containers with apparmor enabled.

-serge



