[lxc-users] apparmor dhclient denied, no network, something wrong with 2.12?

Stéphane Graber stgraber at ubuntu.com
Mon Mar 27 02:13:22 UTC 2017


Did some more debugging on IRC and it turned out to be a physical switch
configuration problem rather than anything at the host level :)

On Mon, Mar 27, 2017 at 01:45:57AM +0000, Spike wrote:
> dnsmasq is not on the host, it's a lan local dhcp server (dnsmasq still),
> and that's serving correctly another dozen containers on the other boxes I
> have. You still want that info? I'm on irc btw if that's easier for back
> and forth
> 
> On Sun, Mar 26, 2017 at 6:39 PM Stéphane Graber <stgraber at ubuntu.com> wrote:
> 
> > Interesting, so yeah, that's not the issue.
> >
> > Can you paste "ps fauxww | grep dnsmasq" on the host, to see what's
> > going on with the DHCP server?
> >
> > On Mon, Mar 27, 2017 at 12:12:29AM +0000, Spike wrote:
> > > also fwiw I run ansible against the container and customize it so my
> > > /etc/network/interfaces looks like this:
> > >
> > > administrator at lxc:~$ lxc exec test cat /etc/network/interfaces
> > > # This file describes the network interfaces available on your system
> > > # and how to activate them. For more information, see interfaces(5).
> > >
> > > # The loopback network interface
> > > auto lo
> > > iface lo inet loopback
> > >
> > > auto eth0
> > > iface eth0 inet dhcp
> > >
> > >
> > > On Sun, Mar 26, 2017 at 5:09 PM Spike <spike at drba.org> wrote:
> > >
> > > > Stephane,
> > > >
> > > > this is my default profile, don't think I have that key at all. I don't
> > > > really use profiles, all my interfaces are setup with ansible and I specify
> > > > devices there.
> > > >
> > > > config: {}
> > > > description: Default LXD profile
> > > > devices:
> > > >   root:
> > > >     path: /
> > > >     pool: default
> > > >     type: disk
> > > > name: default
> > > > used_by:
> > > > - /1.0/containers/log
> > > >
> > > > also this is the same config I have on all my other working nodes.
> > > >
> > > > thanks,
> > > >
> > > > Spike
> > > >
> > > >
> > > > On Sun, Mar 26, 2017 at 4:56 PM Stéphane Graber <stgraber at ubuntu.com>
> > > > wrote:
> > > >
> > > > lxc profile show default
> > > >
> > > > Chances are you have the config key which instructs LXD to disable DHCP
> > > > in the containers and causes /etc/network/interfaces in the containers
> > > > to say "iface eth0 inet manual" as a result.
> > > >
> > > > On Sun, Mar 26, 2017 at 10:18:31PM +0000, Spike wrote:
> > > > > > so more info. I actually tried to wipe everything and install from the lts
> > > > > > ppa, but got the same behavior, so it's not 2.12 (the lts ppa has 2.0.9).
> > > > > > The other thing worth noting is that static assignment works, so this
> > > > > > doesn't seem a problem with the bridge (fwiw there are 4 eth bonded and the
> > > > > > bridge is on the bond):
> > > > >
> > > > > +--------+----------+---------+---------+
> > > > > |  NAME  |   TYPE   | MANAGED | USED BY |
> > > > > +--------+----------+---------+---------+
> > > > > | bond0  | bond     | NO      | 0       |
> > > > > +--------+----------+---------+---------+
> > > > > | eth0   | physical | NO      | 0       |
> > > > > +--------+----------+---------+---------+
> > > > > | eth1   | physical | NO      | 0       |
> > > > > +--------+----------+---------+---------+
> > > > > | eth2   | physical | NO      | 0       |
> > > > > +--------+----------+---------+---------+
> > > > > | eth3   | physical | NO      | 0       |
> > > > > +--------+----------+---------+---------+
> > > > > > | lxdbr0 | bridge   | NO      | 1       |
> > > > > +--------+----------+---------+---------+
> > > > >
> > > > > ## the container:
> > > > > architecture: x86_64
> > > > > config:
> > > > > >   volatile.base_image: 2cab90c0c342346ea154bc2e8cacdae752a70747a755ce1f2970c9a9ebb5fe8c
> > > > > >   volatile.eth0.hwaddr: 00:16:3e:bb:05:c5
> > > > > >   volatile.idmap.base: "0"
> > > > > >   volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
> > > > > >   volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
> > > > >   volatile.last_state.power: RUNNING
> > > > > devices:
> > > > >   root:
> > > > >     path: /
> > > > >     pool: default
> > > > >     type: disk
> > > > > ephemeral: false
> > > > > profiles:
> > > > > - default
> > > > >
> > > > > the image is a fresh download of xenial from the ubuntu mirror.
> > > > >
> > > > > > again static assignment works, the problem is exclusively with dhcp.
> > > > >
> > > > > thank you for any input,
> > > > >
> > > > > Spike
> > > > >
> > > > > On Sun, Mar 26, 2017 at 1:54 PM Spike <spike at drba.org> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > > can't seem to get dhcp to work anymore on containers and I don't get why. I
> > > > > > have 3 servers, all 3 set up the same way (from ansible). on the third
> > > > > > which I just rebuilt lxc gets no network. Instead on the host's logs I get
> > > > > > this:
> > > > >
> > > > > > audit: type=1400 audit(1490560798.485:349): apparmor="DENIED"
> > > > > > operation="file_perm" namespace="root//lxd-log_<var-lib-lxd>"
> > > > > > profile="/sbin/dhclient" name="/apparmor/.null" pid=8928 comm="dhclient"
> > > > > > requested_mask="w" denied_mask="w" fsuid=100000 ouid=0
> > > > >
> > > > > > lxc config set my-container raw.lxc lxc.aa_profile=unconfined did not help.
> > > > > It seems related to this bug, but not sure:
> > > > >
> > > > > https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1654624
> > > > >
> > > > > > the only difference I can see between the host that doesn't work and the
> > > > > > one that does is the version of LXD, 2.12 on the host that doesn't work and
> > > > > > 2.11 on the others (installed from ppa on ubuntu xenial).
> > > > >
> > > > > any thoughts?
> > > > >
> > > > > thanks,
> > > > >
> > > > > Spike
> > > >
> > > > > _______________________________________________
> > > > > lxc-users mailing list
> > > > > lxc-users at lists.linuxcontainers.org
> > > > > http://lists.linuxcontainers.org/listinfo/lxc-users
> > > >
> > > >
> > > > --
> > > > Stéphane Graber
> > > > Ubuntu developer
> > > > http://www.ubuntu.com
> > > >
> > > >
> >
> >
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
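
The denial record and uid map quoted in the thread, parsed as an added example (not code from the thread or from LXD): it splits the audit line into fields and translates `fsuid` and `ouid` through the container's idmap. The `lxd-<container>_<...>` namespace naming is an assumption, and the function names are illustrative.

```python
import json
import re
import shlex

# Constructed input: the denial quoted in the thread, re-joined onto one line.
AUDIT_LINE = (
    'audit: type=1400 audit(1490560798.485:349): apparmor="DENIED" '
    'operation="file_perm" namespace="root//lxd-log_<var-lib-lxd>" '
    'profile="/sbin/dhclient" name="/apparmor/.null" pid=8928 comm="dhclient" '
    'requested_mask="w" denied_mask="w" fsuid=100000 ouid=0'
)
# The uid entry of volatile.last_state.idmap from the container config in the thread.
IDMAP = '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536}]'

def parse_audit(line):
    """Split one kernel audit record into its header and key=value fields."""
    m = re.match(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)", line)
    if not m:
        raise ValueError("not an audit record")
    fields = {"type": int(m.group(1)), "serial": int(m.group(3))}
    for token in shlex.split(m.group(4)):  # shlex strips the double quotes
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def host_to_container_uid(host_uid, idmap):
    """Translate a host uid through the idmap; None means it is not mapped."""
    for entry in idmap:
        if entry["Isuid"] and entry["Hostid"] <= host_uid < entry["Hostid"] + entry["Maprange"]:
            return entry["Nsid"] + host_uid - entry["Hostid"]
    return None

def summarize(line, idmap_json):
    f, idmap = parse_audit(line), json.loads(idmap_json)
    # Assumption: LXD names the AppArmor namespace "lxd-<container>_<...>".
    ns = re.search(r"//lxd-(.+)_<", f.get("namespace", ""))
    return {
        "container": ns.group(1) if ns else None,
        "profile": f["profile"],
        "path": f["name"],
        "denied_mask": f["denied_mask"],
        "subject_container_uid": host_to_container_uid(int(f["fsuid"]), idmap),
        "owner_container_uid": host_to_container_uid(int(f["ouid"]), idmap),
    }

if __name__ == "__main__":
    print(summarize(AUDIT_LINE, IDMAP))
```

On the quoted values, `fsuid=100000` maps to uid 0 inside the container, while `ouid=0` falls outside the mapped range.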