[lxc-users] Fwd: ciab errors in update/upgrade of nested container - these are the packages

Stéphane Graber stgraber at ubuntu.com
Fri Mar 15 15:18:57 UTC 2019


On Fri, Mar 15, 2019 at 10:41:55AM -0400, brian mullan wrote:
> I am encountering a strange problem with Nested LXD on AWS EC2 Ubuntu 18.04
> instances...
> 
> 
> > snap    2.37.4
> > snapd   2.37.4
> > series  16
> > ubuntu  18.04
> > kernel  4.15.0-46-generic
> > LXD 3.11
> 
> 
> In my AWS 18.04 host I install SNAP LXD and create an Ubuntu 18.04
> container, let's call it *"parent"*
> 
> I enable Nesting for *"parent"*
> 
> I enter "parent" and  apt-get update, apt-get upgrade ... no problem
> 
> In "parent" I also install SNAP LXD and create an Ubuntu 18.04 container,
> let's call it *"child"*
> 
> I enter "child" and when I try to "*apt-get update, apt-get upgrade*" ... I
> see the very *same* packages to be upgraded
> as I did when I upgrade "*parent*" ... however in *"child"* I get errors
> related to apport, udev ??
> 
> I also see failure messages related to systemd-networkd.service access
> denied etc (see below)
> 
> Note:  I tried this on a local KVM Ubuntu 18.04 VM
> 
> *These are some of the packages that would be updated/upgraded in BOTH the
> "parent" and "child" Ubuntu 18.04 container on an AWS EC2 Ubuntu Bionic
> instance:*
> 
> The following package was automatically installed and is no longer required:
>   libfreetype6
> Use 'apt autoremove' to remove it.
> The following packages will be upgraded:
>   *apport* libnss-systemd libpam-modules libpam-modules-bin libpam-runtime
> libpam-systemd libpam0g libseccomp2 libsystemd0 libudev1
>   libxcb1 python3-apport python3-problem-report snapd systemd systemd-sysv*
> udev*
> 17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> Need to get 19.9 MB of archives.
> After this operation, 49.2 kB of additional disk space will be used.
> Do you want to continue? [Y/n]
> 
> *Here are some of the errors that result...*
> 
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../libpam-runtime_1.1.8-3.6ubuntu2.18.04.1_all.deb ...
> Unpacking libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) over (1.1.8-3.6ubuntu2)
> ...
> Setting up libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) ...
> Setting up systemd (237-3ubuntu10.15) ...
> *Failed to try-restart systemd-networkd.service: Access denied*
> See system logs and 'systemctl status systemd-networkd.service' for details.
> *Failed to try-restart systemd-resolved.service: Access denied*
> See system logs and 'systemctl status systemd-resolved.service' for details.
> *Failed to try-restart systemd-timesyncd.service: Access denied*
> See system logs and 'systemctl status systemd-timesyncd.service' for
> details.
> *Failed to try-restart systemd-journald.service: Access denied*
> See system logs and 'systemctl status systemd-journald.service' for details.
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../systemd-sysv_237-3ubuntu10.15_amd64.deb ...
> Unpacking systemd-sysv (237-3ubuntu10.15) over (237-3ubuntu10.13) ...
> Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...
> Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
> Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../libxcb1_1.13-2~ubuntu18.04_amd64.deb ...
> Unpacking libxcb1:amd64 (1.13-2~ubuntu18.04) over (1.13-1) ...
> Preparing to unpack .../python3-problem-report_2.20.9-0ubuntu7.6_all.deb ...
> Unpacking python3-problem-report (2.20.9-0ubuntu7.6) over
> (2.20.9-0ubuntu7.5) ...
> Preparing to unpack .../python3-apport_2.20.9-0ubuntu7.6_all.deb ...
> Unpacking python3-apport (2.20.9-0ubuntu7.6) over (2.20.9-0ubuntu7.5) ...
> Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...
> *Failed to retrieve unit state: Access denied*
> *invoke-rc.d: could not determine current runlevel*
> *Failed to reload daemon: Access denied*
> 
> *So I interrupted the script that was doing the above attempt at apt
> update && apt upgrade -y*
> *and opened a terminal and then.. and tried this:*
> 
> lxc exec test bash
> apt update && apt upgrade
> 
> But of course because I'd interrupted the above apt upgrade I had to do  *dpkg
> --configure -a*
> 
> *dpkg --configure -a*
> Setting up libnss-systemd:amd64 (237-3ubuntu10.15) ...
> Processing triggers for ureadahead (0.100.0-20) ...
> Setting up systemd-sysv (237-3ubuntu10.15) ...
> Setting up python3-problem-report (2.20.9-0ubuntu7.6) ...
> Processing triggers for libc-bin (2.27-3ubuntu1) ...
> Setting up udev (237-3ubuntu10.15) ...
> *Failed to reload daemon: Access denied*
> dpkg: error processing package udev (--configure):
>  installed udev package post-installation script subprocess was interrupted
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> Processing triggers for dbus (1.12.2-1ubuntu1) ...
> *Failed to open connection to "system" message bus: Failed to query
> AppArmor policy: Permission denied*
> Setting up libxcb1:amd64 (1.13-2~ubuntu18.04) ...
> Setting up libpam-systemd:amd64 (237-3ubuntu10.15) ...
> Setting up python3-apport (2.20.9-0ubuntu7.6) ...
> dpkg: error processing package apport (--configure):
>  package is in a very bad inconsistent state; you should
>  reinstall it before attempting configuration
> Processing triggers for libc-bin (2.27-3ubuntu1) ...
> *Errors were encountered while processing:*
> * udev*
> * apport*
> 
> *I went back and tried to reinstall apport...*
> 
> # apt install --reinstall apport
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following package was automatically installed and is no longer required:
>   libfreetype6
> Use 'apt autoremove' to remove it.
> Suggested packages:
>   apport-gtk | apport-kde
> The following packages will be upgraded:
>   apport
> 1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
> 2 not fully installed or removed.
> Need to get 0 B/124 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> (Reading database ... 28595 files and directories currently installed.)
> Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...
> *Failed to retrieve unit state: Access denied*
> *invoke-rc.d: could not determine current runlevel*
> *Failed to reload daemon: Access denied*
> 
> ======================================
> 
> Does anyone have any idea what might be causing this?
> Again this is happening on AWS and on a local KVM Ubuntu VM.

Sounds like AppArmor messing with things in this case.
Does enabling nesting for your nested container help somehow (the
generated rules will change a bit as a result of that)?

I'm pretty sure that if you look at `dmesg` you'll see some denials
related to those package updates. I suspect the main difference between
the two containers, other than the nested flag is that the parent
container has its own apparmor namespace whereas the child has to run
under a single apparmor profile as apparmor namespaces do not currently
nest.

> 
> Thanks for any ideas or suggestions.
> 
> Brian



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
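
One way to carry out the `dmesg` check suggested in the reply above, as an added example that is not part of the original message: it extracts AppArmor `DENIED` audit records from kernel log text and counts them per profile, operation and process. The sample log lines are constructed; their profile names, operations and process names are assumptions, not output from the poster's system.

```python
import re
import sys
from collections import Counter

# Constructed sample of `dmesg` output (not from the thread). Profile
# names, operations and process names are illustrative assumptions.
SAMPLE_DMESG = """\
[ 5012.101] audit: type=1400 audit(1552660000.101:301): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-parent_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=4101 comm="(networkd)" flags="rw, rbind"
[ 5012.250] audit: type=1400 audit(1552660000.250:302): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-parent_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=4107 comm="(resolved)" flags="rw, rbind"
[ 5012.400] eth0: renamed from vethXYZ123
[ 5013.010] audit: type=1400 audit(1552660001.010:303): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-child_</var/snap/lxd/common/lxd>" pid=4120 comm="apparmor_parser"
[ 5014.777] audit: type=1400 audit(1552660002.777:304): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-parent_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=4133 comm="(networkd)" flags="rw, rbind"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    denials = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def summarize(denials):
    """Count denials per (profile, operation, comm), most frequent first."""
    counts = Counter(
        (d.get("profile", "?"), d.get("operation", "?"), d.get("comm", "?"))
        for d in denials
    )
    return counts.most_common()


if __name__ == "__main__":
    # Pipe real output in (`dmesg | python3 this_script.py`) or run bare for the sample.
    text = SAMPLE_DMESG if sys.stdin.isatty() else sys.stdin.read()
    for (profile, op, comm), n in summarize(parse_denials(text)):
        print(f"{n:4d}  {op:<12} {comm:<14} {profile}")
```

The `profile=` field of each denial shows which AppArmor profile the failing process was confined by, which is the difference between the two containers that the reply points at.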