Failed to restart apparmor.service: Unit apparmor.service not found

I installed LXD v. 5.0.2 on Ubuntu 22.04 after reinstalling all the nodes (long story). There is a Ubuntu 22.04 container running bind9. It requires an AppArmor setting to update the DNS from Terraform. That worked on the previous LXD cluster. I have a TAR export of the old working container, but I wasn’t able to import that into the new LXD cluster because it was missing manifest data.

I would like to know how to make AppArmor accessible from the container since I was able to get to it before, and/or guidance on how to restore from an export from the old container on the previous cluster.

When I try this block of code:

chown bind:bind -R /etc/bind                        # hand the bind config/zone tree to the bind user
setcap 'cap_net_bind_service=+ep' /usr/sbin/named   # let named bind port 53 without running as root
systemctl restart apparmor                          # reload AppArmor so the named profile applies
systemctl restart bind9.service

I’m getting “Failed to restart apparmor.service: Unit apparmor.service not found” when trying to restart AppArmor. This fails too as you would expect:

systemctl status apparmor.service
Unit apparmor.service could not be found.

I added this to the lxc config:

  raw.lxc: lxc.apparmor.profile = unconfined
  security.privileged: "true"

Here is the full configuration:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20240107_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20240107_07:42"
  image.type: squashfs
  image.variant: default
  raw.lxc: lxc.apparmor.profile = unconfined
  security.privileged: "true"
  volatile.base_image: 1db9928f24183af66f45734f29d12f36062e2ddd7f3c00dbf25acccea76cc4e8
  volatile.cloud-init.instance-id: df59566e-76e7-43fd-adff-d709cc9f4f74
  volatile.eth0.host_name: veth8e4e65d5
  volatile.eth0.hwaddr: xx:xx:xx:xx
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 743fbc0b-d3fa-4eaa-9bb9-738e5a8be432
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""
created_at: 2024-01-07T17:44:05.021852951Z
name: ns1
status: Running
status_code: 103
last_used_at: 2024-01-07T17:59:17.695467108Z
location: athena
type: container
project: default

Any ideas?

I’m sorry but given the recent actions from Canonical regarding LXD:

We really can’t be providing support to LXD users on this forum anymore.

You may want to consider switching to Incus instead, or if you’d like to stay on LXD, you should reach out on the Canonical forum instead.

Sorry about that!

@stgraber - I replaced LXD with Incus and my six node cluster is up and running. I still can’t access AppArmor from a container, but I know it used to work. Can you see if you can reproduce this problem? Here are the steps to reproduce.

$ incus launch images:ubuntu/22.04 ns1
Creating ns1
Starting ns1
$ incus stop ns1
$ incus config set ns1 security.privileged "true"
$ printf 'lxc.apparmor.profile=unconfined\nlxc.mount.auto=proc:rw sys:rw cgroup:rw\nlxc.cap.drop=' | incus config set ns1 raw.lxc -
$ incus start ns1
$ incus exec ns1 -- bash
# systemctl restart apparmor
Failed to restart apparmor.service: Unit apparmor.service not found.

That error sounds like the apparmor package isn’t installed in the container.

Note that to get apparmor working properly in Incus, a modification is needed to /lib/apparmor/rc.apparmor.functions inside the container.

That file contains two patterns, one for LXD and one for LXC, but not one for Incus (yet), so you’ll want to edit the file and change:

[ "${ns_name#lxd-*}" = "$ns_name" ] &&

to:

[ "${ns_name#incus-*}" = "$ns_name" ] &&

Alternatively, a simple search/replace on the whole file should work too:

sed -i "s/lxd/incus/g" /lib/apparmor/rc.apparmor.functions

Then restart the container and apparmor should start loading the profiles as normal.

(I submitted a fix to AppArmor upstream but it will take some months before it makes it to all the distros…)

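As an added example (not from the thread or the AppArmor package), this mirrors the prefix test used in rc.apparmor.functions so you can see why an "incus-" namespace fails the stock check, and it applies the fix to a copy of the file by touching only the lxd- pattern rather than every "lxd" in the file, skipping the edit when it has already been made. The helper names are my own; the line it patches is the one quoted above.

```shell
# Mirror of the rc.apparmor.functions test: "${ns_name#PREFIX-*}" strips a
# leading "PREFIX-..." from the name. If the result equals the original,
# nothing was stripped, i.e. the name does NOT carry that prefix.
# Returns 0 when ns_name starts with "<prefix>-".
ns_has_prefix() {
    ns_name="$1"
    prefix="$2"
    [ "${ns_name#${prefix}-*}" != "$ns_name" ]
}

# Stock file recognises lxd- and lxc- namespaces; this helper also accepts
# incus-, which is what the patched check gives you.
is_container_ns() {
    ns_has_prefix "$1" lxd || ns_has_prefix "$1" lxc || ns_has_prefix "$1" incus
}

# Patch a copy of rc.apparmor.functions (pass the path). Only the exact
# '${ns_name#lxd-*}' pattern is rewritten, and the function is idempotent:
# a second run on an already patched file changes nothing.
patch_rc_functions() {
    f="$1"
    if grep -qF 'ns_name#incus-*' "$f"; then
        return 0                      # already patched
    fi
    # Write to a temp file then move, so this works with non-GNU sed too.
    sed 's/\${ns_name#lxd-\*}/${ns_name#incus-*}/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    grep -qF 'ns_name#incus-*' "$f"   # verify the replacement landed
}
```

Run patch_rc_functions against /lib/apparmor/rc.apparmor.functions inside the container once the apparmor package is installed, then restart the container as described above.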

@stgraber - The Incus Linux container is missing /lib/apparmor/rc.apparmor.functions. Did you mean on the Incus node, or should I scp /lib/apparmor/rc.apparmor.functions from the node to the Linux container and edit it there?

No, the container. The file comes with the apparmor package which you’ll need to install first.

@stgraber - Thank you, Stéphane. That did the trick for AppArmor. I don’t have a full understanding of Linux Containers. I thought AppArmor lived in the kernel of the host and was somehow exposed to the container.

I have a different issue to look into now. That DNS server has a static IP, and I’m not able to hit it on port 53 or ping it. That may be another post if I don’t figure it out.

I marked this as solved. Thanks, again.