This one is a bit odd, but I thought I’d ask here first as I’m not sure if this is directly due to incus or not.
Symptom: when /etc/hosts on the physical host is a symlink pointing to a world-readable file, incus’s dnsmasq can’t read it, because of some apparmor policy.
Steps to reproduce
This is on an Ubuntu 22.04 physical server, with 0.7-202403271502-ubuntu22.04.
Make /etc/hosts be a symlink to a file in the same directory, with world-readable perms.
$ ls -l /etc/hosts
lrwxrwxrwx 1 root root 14 Mar 28 14:59 /etc/hosts -> hosts-cndo-nmm
$ ls -l /etc/hosts-cndo-nmm
-rw-r--r-- 1 root root 36072 Feb 17 11:28 /etc/hosts-cndo-nmm
Then start a container. I get the following logged (journalctl -eu incus):
Mar 28 11:09:19 brian-kit dnsmasq[123571]: failed to load names from /etc/hosts: Permission denied
Mar 28 11:09:19 brian-kit dnsmasq[123571]: failed to load names from /etc/hosts: Permission denied
Mar 28 11:09:19 brian-kit dnsmasq-dhcp[123571]: read /var/lib/incus/networks/buildbr0/dnsmasq.hosts/nsrc-builder_nmm-base.eth0
and dmesg shows:
Mar 28 11:09:19 brian-kit kernel: [17230.319968] audit: type=1400 audit(1711624159.680:63): apparmor="DENIED" operation="open" profile="incus_dnsmasq-buildbr0_</var/lib/incus>" name="/etc/hosts-cndo-nmm" pid=123571 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=993 ouid=0
But if I remove the symlink and replace it with a copy of the file:
rm /etc/hosts
cp -p /etc/hosts-cndo-nmm /etc/hosts
then it’s fine:
Mar 28 11:15:40 brian-kit dnsmasq[123571]: read /etc/hosts - 907 names
Mar 28 11:15:40 brian-kit dnsmasq[123571]: read /etc/hosts - 907 names
Mar 28 11:15:40 brian-kit dnsmasq-dhcp[123571]: read /var/lib/incus/networks/buildbr0/dnsmasq.hosts/nsrc-builder_nmm-base.eth0
Other info
I cannot see any incus-specific policy under /etc/apparmor.d/. But I do find:
$ egrep -R '\bhosts\b' /etc/apparmor.d/
...
/etc/apparmor.d/abstractions/nameservice: @{etc_ro}/hosts r,
...
I’m wondering if that’s the cause, and if so, how that abstraction is getting applied for incus’ dnsmasq processes.
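Added example (not code from the original post): a small Python checker that parses the dmesg audit line quoted above and tests whether the denied path is the resolved target of /etc/hosts. The kernel resolves the symlink before AppArmor mediates the open, so a rule for the literal path /etc/hosts does not cover /etc/hosts-cndo-nmm; the target path used in the sample is taken from the ls output in the post.

```python
import os
import re

# The audit line carries key="value" pairs; this pulls them out.
AUDIT_KV = re.compile(r'(\w+)="([^"]*)"')

def parse_apparmor_denial(line):
    """Return a dict of the quoted key="value" fields from an AppArmor
    audit line, or None if the line is not an apparmor="DENIED" record."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(AUDIT_KV.findall(line))

def denial_hits_hosts_symlink(fields, hosts_path, hosts_target):
    """True when the denied read is dnsmasq opening the file that hosts_path
    resolves to. AppArmor matches the resolved path, so an allow rule for
    hosts_path alone does not cover hosts_target."""
    return (fields.get("operation") == "open"
            and fields.get("comm") == "dnsmasq"
            and "r" in fields.get("denied_mask", "")
            and fields.get("name") == hosts_target
            and hosts_target != hosts_path)

def hosts_symlink_target(path="/etc/hosts"):
    """Resolved target of path if it is a symlink, otherwise path itself."""
    if os.path.islink(path):
        return os.path.realpath(path)
    return path

# Constructed sample: the dmesg line from the post, embedded so this runs offline.
SAMPLE = ('Mar 28 11:09:19 brian-kit kernel: [17230.319968] audit: type=1400 '
          'audit(1711624159.680:63): apparmor="DENIED" operation="open" '
          'profile="incus_dnsmasq-buildbr0_</var/lib/incus>" '
          'name="/etc/hosts-cndo-nmm" pid=123571 comm="dnsmasq" '
          'requested_mask="r" denied_mask="r" fsuid=993 ouid=0')

if __name__ == "__main__":
    fields = parse_apparmor_denial(SAMPLE)
    print(fields["profile"], "denied read of", fields["name"])
    # On the poster's host /etc/hosts -> /etc/hosts-cndo-nmm, so this reports True.
    print(denial_hits_hosts_symlink(fields, "/etc/hosts", "/etc/hosts-cndo-nmm"))
    # On the machine running this script, check the live symlink state too.
    print("/etc/hosts resolves to", hosts_symlink_target())
```

Run it on the affected host and compare the printed target with the name= field of any fresh DENIED line in dmesg.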