[lxc-users] Fwd: ciab errors in update/upgrade of nested container - these are the packages

brian mullan bmullan.mail at gmail.com
Fri Mar 15 15:36:07 UTC 2019


Stephane

Thanks... I've tried everything else I could think of so I'll give that a
shot and see what happens.

A few months ago I think this all worked but my memory is so good anymore
:-)

I'll let you know what happens.

Brian



On Fri, Mar 15, 2019 at 11:19 AM Stéphane Graber <stgraber at ubuntu.com>
wrote:

> On Fri, Mar 15, 2019 at 10:41:55AM -0400, brian mullan wrote:
> > I am encountering a strange problem with Nested LXD on AWS EC2 Ubuntu 18.04
> > instances...
> >
> > > snap    2.37.4
> > > snapd   2.37.4
> > > series  16
> > > ubuntu  18.04
> > > kernel  4.15.0-46-generic
> > > LXD 3.11
> >
> >
> > In my AWS 18.04 host I install SNAP LXD and create an Ubuntu 18.04
> > container let's call *"parent"*
> >
> > I enable Nesting for *"parent"*
> >
> > I enter "parent" and  apt-get update, apt-get upgrade ... no problem
> >
> > In "parent" I also install SNAP LXD and create an Ubuntu 18.04 container
> > let's call *"child"*
> >
> > I enter "child" and when I try to "*apt-get update, apt-get upgrade*" ... I
> > see the very *same* packages to be upgraded
> > as I did when I upgrade "*parent*" ... however in *"child"* I get errors
> > related to apport, udev ??
> >
> > I also see failure messages related to systemd-networkd.service access
> > denied etc (see below)
> >
> > Note:  I tried this on a local KVM Ubuntu 18.04 VM
> >
> > *These are some of the packages that would be updated/upgraded in BOTH the
> > "parent" and "child" Ubuntu 18.04 container on an AWS EC2 Ubuntu Bionic
> > instance:*
> >
> > The following package was automatically installed and is no longer required:
> >   libfreetype6
> > Use 'apt autoremove' to remove it.
> > The following packages will be upgraded:
> >   *apport* libnss-systemd libpam-modules libpam-modules-bin libpam-runtime
> >   libpam-systemd libpam0g libseccomp2 libsystemd0 libudev1
> >   libxcb1 python3-apport python3-problem-report snapd systemd systemd-sysv
> >   *udev*
> > 17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> > Need to get 19.9 MB of archives.
> > After this operation, 49.2 kB of additional disk space will be used.
> > Do you want to continue? [Y/n]
> >
> > *Here are some of the errors that result...*
> >
> > (Reading database ... 28595 files and directories currently installed.)
> > Preparing to unpack .../libpam-runtime_1.1.8-3.6ubuntu2.18.04.1_all.deb ...
> > Unpacking libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) over (1.1.8-3.6ubuntu2) ...
> > Setting up libpam-runtime (1.1.8-3.6ubuntu2.18.04.1) ...
> > Setting up systemd (237-3ubuntu10.15) ...
> > *Failed to try-restart systemd-networkd.service: Access denied*
> > See system logs and 'systemctl status systemd-networkd.service' for details.
> > *Failed to try-restart systemd-resolved.service: Access denied*
> > See system logs and 'systemctl status systemd-resolved.service' for details.
> > *Failed to try-restart systemd-timesyncd.service: Access denied*
> > See system logs and 'systemctl status systemd-timesyncd.service' for details.
> > *Failed to try-restart systemd-journald.service: Access denied*
> > See system logs and 'systemctl status systemd-journald.service' for details.
> > (Reading database ... 28595 files and directories currently installed.)
> > Preparing to unpack .../systemd-sysv_237-3ubuntu10.15_amd64.deb ...
> > Unpacking systemd-sysv (237-3ubuntu10.15) over (237-3ubuntu10.13) ...
> > Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...
> > Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
> > Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...
> > (Reading database ... 28595 files and directories currently installed.)
> > Preparing to unpack .../libxcb1_1.13-2~ubuntu18.04_amd64.deb ...
> > Unpacking libxcb1:amd64 (1.13-2~ubuntu18.04) over (1.13-1) ...
> > Preparing to unpack .../python3-problem-report_2.20.9-0ubuntu7.6_all.deb ...
> > Unpacking python3-problem-report (2.20.9-0ubuntu7.6) over (2.20.9-0ubuntu7.5) ...
> > Preparing to unpack .../python3-apport_2.20.9-0ubuntu7.6_all.deb ...
> > Unpacking python3-apport (2.20.9-0ubuntu7.6) over (2.20.9-0ubuntu7.5) ...
> > Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...
> > *Failed to retrieve unit state: Access denied*
> > *invoke-rc.d: could not determine current runlevel*
> > *Failed to reload daemon: Access denied*
> >
> > *So I interrupted the script that was doing the above attempt at apt
> > update && apt upgrade -y*
> > *and opened a terminal and then.. and tried this:*
> >
> > lxc exec test bash
> > apt update && apt upgrade
> >
> > But of course because I'd interrupted the above apt upgrade I had to do
> > *dpkg --configure -a*
> >
> > *dpkg --configure -a*
> > Setting up libnss-systemd:amd64 (237-3ubuntu10.15) ...
> > Processing triggers for ureadahead (0.100.0-20) ...
> > Setting up systemd-sysv (237-3ubuntu10.15) ...
> > Setting up python3-problem-report (2.20.9-0ubuntu7.6) ...
> > Processing triggers for libc-bin (2.27-3ubuntu1) ...
> > Setting up udev (237-3ubuntu10.15) ...
> > *Failed to reload daemon: Access denied*
> > dpkg: error processing package udev (--configure):
> >  installed udev package post-installation script subprocess was interrupted
> > Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> > Processing triggers for dbus (1.12.2-1ubuntu1) ...
> > *Failed to open connection to "system" message bus: Failed to query
> > AppArmor policy: Permission denied*
> > Setting up libxcb1:amd64 (1.13-2~ubuntu18.04) ...
> > Setting up libpam-systemd:amd64 (237-3ubuntu10.15) ...
> > Setting up python3-apport (2.20.9-0ubuntu7.6) ...
> > dpkg: error processing package apport (--configure):
> >  package is in a very bad inconsistent state; you should
> >  reinstall it before attempting configuration
> > Processing triggers for libc-bin (2.27-3ubuntu1) ...
> > *Errors were encountered while processing:*
> > * udev*
> > * apport*
> >
> > *I went back and tried to reinstall apport...*
> >
> > # apt install --reinstall apport
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > The following package was automatically installed and is no longer required:
> >   libfreetype6
> > Use 'apt autoremove' to remove it.
> > Suggested packages:
> >   apport-gtk | apport-kde
> > The following packages will be upgraded:
> >   apport
> > 1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
> > 2 not fully installed or removed.
> > Need to get 0 B/124 kB of archives.
> > After this operation, 0 B of additional disk space will be used.
> > (Reading database ... 28595 files and directories currently installed.)
> > Preparing to unpack .../apport_2.20.9-0ubuntu7.6_all.deb ...
> > *Failed to retrieve unit state: Access denied*
> > *invoke-rc.d: could not determine current runlevel*
> > *Failed to reload daemon: Access denied*
> >
> > ======================================
> >
> > Does anyone have any idea what might be causing this?
> > Again this is happening on AWS and on a local KVM Ubuntu VM.
>
> Sounds like AppArmor messing with things in this case.
> Does enabling nesting for your nested container help somehow (the
> generated rules will change a bit as a result of that)?
>
> I'm pretty sure that if you look at `dmesg` you'll see some denials
> related to those package updates. I suspect the main difference between
> the two containers, other than the nested flag is that the parent
> container has its own apparmor namespace whereas the child has to run
> under a single apparmor profile as apparmor namespaces do not currently
> nest.
>
> >
> > Thanks for any ideas or suggestions.
> >
> > Brian
>
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
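
The `dmesg` check suggested in the quoted reply, as an added example that is not part of the original thread: it filters kernel log text for AppArmor denials and groups them by profile, operation and command name so the denied operations behind the "Access denied" errors stand out. The function names and the sample log lines (profile name, paths, PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials found in kernel log text.

# Constructed sample input, not taken from the thread. The profile name,
# paths and PIDs are placeholders.
sample_kernel_log() {
    cat <<'EOF'
[ 1201.100001] audit: type=1400 audit(1552660567.101:210): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-child_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=4101 comm="(networkd)" flags="rw, rbind"
[ 1201.100950] audit: type=1400 audit(1552660567.102:211): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.example" pid=4090 comm="apparmor_parser"
[ 1201.204410] audit: type=1400 audit(1552660567.204:212): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-child_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=4107 comm="(resolved)" flags="rw, rbind"
[ 1201.310077] eth0: renamed from vethAB12CD
[ 1202.000312] audit: type=1400 audit(1552660568.000:213): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-child_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=4133 comm="(networkd)" flags="rw, rbind"
[ 1202.511800] audit: type=1400 audit(1552660568.511:214): apparmor="DENIED" operation="open" profile="lxd-child_</var/snap/lxd/common/lxd>" name="/sys/kernel/uevent_helper" pid=4150 comm="systemd-udevd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
EOF
}

# Read kernel log text on stdin and print one tab-separated line per
# (profile, operation, comm) group: count, profile, operation, comm.
# Most frequent groups come first; non-denial records are ignored.
summarize_apparmor_denials() {
    grep 'apparmor="DENIED"' | awk '
    # Return the value of key="value" in an audit record, or "-" if absent.
    function field(line, key,    re) {
        re = " " key "=\"[^\"]*\""
        if (!match(line, re)) return "-"
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        group = field($0, "profile") "\t" field($0, "operation") "\t" field($0, "comm")
        count[group]++
    }
    END { for (g in count) printf "%d\t%s\n", count[g], g }
    ' | LC_ALL=C sort -rn
}

# Stand-alone run over the constructed sample.
# On the host whose kernel logs the denials: dmesg | summarize_apparmor_denials
sample_kernel_log | summarize_apparmor_denials
```
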