apparmor confusion with copied LXC container using aufs/overlayfs

Asked by Timo Furrer

I have a problem where AppArmor is denying read access to certain libraries needed by tools inside a copied/cloned snapshot LXC container which is using either aufs or overlayfs as its backing storage.

Note: I only encounter this problem when the container is a snapshot. When I run these tools inside the container I cloned it from, it works absolutely fine.

For example, I use aufs as the backing storage for the LXC snapshot (created using lxc-copy) and want to run tcpdump. tcpdump outputs the following error:

tcpdump: error while loading shared libraries: libcrypto.so.1.0.0: cannot stat shared object: Permission denied

On the host I get the following logs:

[18191.949879] audit: type=1400 audit(1495626284.254:82): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/tcpdump" name="var/lib/lxc/rico-task-87d8885a-a749-4c8e-a88e-77e016e4bcd1/delta0/etc/ld.so.cache" pid=4699 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I've already posted this issue in the LXC bugtracker: https://github.com/lxc/lxc/issues/1582

What exactly is going on here? Is this a bug in AppArmor, in that it is confused by aufs/overlayfs? Can I work around it?
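The denial quoted above has two tells a practitioner wants to check for across a whole log rather than by eye: info="Failed name lookup - disconnected path" and a name= value with no leading slash (the aufs/overlayfs branch directory is outside the container's mount namespace, so the kernel cannot produce an anchored path for it). The following script is an added example and not part of the original question or of LXC/AppArmor; it classifies AppArmor audit lines, separates the disconnected-path case from ordinary denials, and lists the profiles that hit it. The sample log is constructed: its first line is the denial from the question, the second is a made-up ordinary denial for contrast. The suggest_flag helper only prints a candidate profile header; flags=(attach_disconnected) is a real profile flag documented in apparmor.d(5) whose purpose is to let a profile handle such disconnected paths, but whether it is the right fix here, given that it relaxes path mediation, is an assumption for the reader to verify.

```shell
#!/bin/sh
# Added example (not from the original post): triage AppArmor "DENIED" audit
# lines and single out the "disconnected path" case seen with aufs/overlayfs
# backed LXC snapshots.

# Constructed sample log: line 1 is the denial quoted in the question,
# line 2 is a made-up ordinary denial used for contrast.
SAMPLE_LOG='[18191.949879] audit: type=1400 audit(1495626284.254:82): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/tcpdump" name="var/lib/lxc/rico-task-87d8885a-a749-4c8e-a88e-77e016e4bcd1/delta0/etc/ld.so.cache" pid=4699 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[18200.000000] audit: type=1400 audit(1495626292.000:83): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/shadow" pid=4700 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# field KEY LINE: print the value of a KEY="value" pair in an audit line.
# The leading whitespace match keeps "name" from matching inside "profile".
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# unanchored NAME: succeed if the denied path has no leading slash, which is
# how a path outside the current mount namespace shows up in the log.
unanchored() {
  case "$1" in
    /*) return 1 ;;
    *)  return 0 ;;
  esac
}

# classify LINE: print "disconnected", "denied" or "other".
classify() {
  case "$1" in
    *'apparmor="DENIED"'*)
      if [ "$(field info "$1")" = "Failed name lookup - disconnected path" ] \
         && unanchored "$(field name "$1")"; then
        echo disconnected
      else
        echo denied
      fi ;;
    *) echo other ;;
  esac
}

# report LOG: one summary line per denial in LOG.
report() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    kind=$(classify "$line")
    [ "$kind" = other ] && continue
    printf '%s profile=%s op=%s name=%s\n' "$kind" \
      "$(field profile "$line")" "$(field operation "$line")" "$(field name "$line")"
  done
}

# disconnected_profiles LOG: unique profiles that hit a disconnected path.
disconnected_profiles() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ "$(classify "$line")" = disconnected ] && field profile "$line"
  done | sort -u
}

# suggest_flag PROFILE: print the profile header line that would carry the
# attach_disconnected flag (assumption: that this flag is the appropriate
# workaround here; it is documented in apparmor.d(5) but relaxes path
# mediation, so review before applying). Nothing is modified on disk.
suggest_flag() {
  printf '%s flags=(attach_disconnected) {\n' "$1"
}

report "$SAMPLE_LOG"
for p in $(disconnected_profiles "$SAMPLE_LOG"); do
  suggest_flag "$p"
done
```

To use it against a live host, replace SAMPLE_LOG with the output of `journalctl -k` or `dmesg` filtered for apparmor="DENIED". If you do decide to try the flag, the header line printed by suggest_flag is what replaces the opening line of the corresponding file under /etc/apparmor.d (here usr.sbin.tcpdump), followed by `apparmor_parser -r` on that file; confirm afterwards that the disconnected-path denials stop while the ordinary denials are unchanged.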

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee
Revision history for this message
Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.