Cannot use generated profile: apparmor_parser not available


#1

Hi,
I’ve created my first unprivileged container on debian buster, but fail to start it. Only root has the right to launch apparmor_parser by default, I’ve tried changing that but that gives me another permission error for namespaces. Any ideas how to resolve this? Thanks

lxc-start camel 20190401000334.451 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:974 - Cannot use generated profile: apparmor_parser not available
lxc-start camel 20190401000334.451 ERROR    start - start.c:lxc_init:899 - Failed to initialize LSM
lxc-start camel 20190401000334.452 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start camel 20190401000334.452 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start camel 20190401000334.452 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start camel 20190401000334.467 ERROR    start - start.c:__lxc_start:1917 - Failed to initialize container "camel"
lxc-start camel 20190401000334.468 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 3512 exited
lxc-start camel 20190401000334.468 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:833 - No such file or directory - Failed to receive the container state
lxc-start camel 20190401000334.468 ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start camel 20190401000334.468 ERROR    lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start camel 20190401000334.468 ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start camel 20190401000502.302 ERROR    lxc_start - tools/lxc_start.c:main:290 - No container config specified


// sudo chmod o+rw /sbin/apparmor_parser
// export $PATH+=:/sbin

lxc-start camel 20190401071918.595 DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/dev/pts/2" to 1000
lxc-start camel 20190401071918.687 ERROR    apparmor - lsm/apparmor.c:make_apparmor_namespace:761 - Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-camel_<-home-cesar-.local-share-lxc>
lxc-start camel 20190401071918.687 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:980 - Failed to load generated AppArmor profile
lxc-start camel 20190401071918.687 ERROR    start - start.c:lxc_init:899 - Failed to initialize LSM
lxc-start camel 20190401071918.688 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start camel 20190401071918.688 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2860 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start camel 20190401071918.688 DEBUG    conf - conf.c:lxc_map_ids:2952 - Functional newuidmap and newgidmap binary found
lxc-start camel 20190401071918.702 ERROR    start - start.c:__lxc_start:1917 - Failed to initialize container "camel"
lxc-start camel 20190401071918.703 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 3671 exited
lxc-start camel 20190401071918.703 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:833 - No such file or directory - Failed to receive the container state
lxc-start camel 20190401071918.703 ERROR    lxc_start - tools/lxc_start.c:main:330 - The container failed to start
lxc-start camel 20190401071918.703 ERROR    lxc_start - tools/lxc_start.c:main:333 - To get more details, run the container in foreground mode
lxc-start camel 20190401071918.703 ERROR    lxc_start - tools/lxc_start.c:main:336 - Additional information can be obtained by setting the --logfile and --logpriority options

(Stéphane Graber) #2

Odd, what’s in your container’s config?

It looks like you have apparmor namespacing enabled here, which isn't going to work since, as you noticed, unprivileged users aren't allowed to create those.
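A small log triage helper, added here as an example (it is not part of the thread and not LXC code): it parses lxc-start log lines in the format quoted above, takes the earliest ERROR of a run as the root cause, and maps the two AppArmor failures from this thread to a one-line explanation. The line format is inferred from the quoted output, and the sample runs below are the post's own lines.

```python
import re
from collections import namedtuple

# lxc-start log line format, as inferred from the lines quoted in the post:
# lxc-start <name> <yyyymmddHHMMSS.mmm> <LEVEL> <subsystem> - <file>:<func>:<line> - <message>
LOG_RE = re.compile(
    r"^lxc-start\s+(?P<name>\S+)\s+(?P<ts>\d{14}\.\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"(?P<subsys>\S+)\s+-\s+(?P<loc>\S+?:\S+?:\d+)\s+-\s+(?P<msg>.*)$"
)
Entry = namedtuple("Entry", "name ts level subsys loc msg")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return Entry(**m.groupdict()) if m else None

def root_cause(lines):
    """Earliest ERROR of a run. lxc-start reports errors from the failing
    subsystem outward, so the first ERROR (the LSM backend here) is the cause;
    'Failed to initialize LSM' and 'container failed to start' follow from it."""
    errors = [e for e in map(parse_line, lines) if e and e.level == "ERROR"]
    return errors[0] if errors else None

def apparmor_hint(entry):
    """Explain the two AppArmor failures seen in this thread (wording is ours)."""
    if entry is None or entry.subsys != "apparmor":
        return None
    if "apparmor_parser not available" in entry.msg:
        return "apparmor_parser not runnable by this user: cannot load the generated profile"
    if "Error creating AppArmor namespace" in entry.msg:
        return "AppArmor namespacing enabled: unprivileged users cannot create AppArmor namespaces"
    return "AppArmor error: " + entry.msg

# Sample input: lines from the two runs in the post (before and after the chmod/PATH change).
RUN1 = """\
lxc-start camel 20190401000334.451 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:974 - Cannot use generated profile: apparmor_parser not available
lxc-start camel 20190401000334.451 ERROR    start - start.c:lxc_init:899 - Failed to initialize LSM
"""
RUN2 = """\
lxc-start camel 20190401071918.595 DEBUG    conf - conf.c:chown_mapped_root:3190 - trying to chown "/dev/pts/2" to 1000
lxc-start camel 20190401071918.687 ERROR    apparmor - lsm/apparmor.c:make_apparmor_namespace:761 - Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-camel_<-home-cesar-.local-share-lxc>
lxc-start camel 20190401071918.687 ERROR    start - start.c:lxc_init:899 - Failed to initialize LSM
"""

if __name__ == "__main__":
    for run in (RUN1, RUN2):
        cause = root_cause(run.splitlines())
        print(cause.loc, "->", apparmor_hint(cause))
```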