Network does not come up on Opensuse Tumbleweed with snap LXD

zbenjamin · March 19, 2018, 2:21pm

Hey all, trying to get LXD up and running on Opensuse, tried to build it myself and tried the snap version, but I always hit the same problem:

type=AVC msg=audit(1521468901.331:175): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4129 comm="systemd-resolve" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.355:176): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4132 comm="systemd-resolve" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.355:177): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4132 comm="systemd-resolve" family="inet" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.355:178): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4132 comm="systemd-resolve" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.383:179): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4135 comm="sshd" family="inet6" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.383:180): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4135 comm="sshd" family="inet" sock_type="dgram" protocol=0
type=AVC msg=audit(1521468901.383:181): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4135 comm="sshd" family="inet6" sock_type="stream" protocol=6
type=AVC msg=audit(1521468901.383:182): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4135 comm="sshd" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1521468901.387:183): apparmor="DENIED" operation="create" namespace="root//lxd-crazy_<var-snap-lxd-common-lxd>" profile="unconfined" pid=4139 comm="iscsi-iname" family="inet" sock_type="dgram" protocol=0

Running containers unconfined seems to make it work. Anyone knows how to fix that?

stgraber · March 19, 2018, 8:20pm

Been chatting about this over on Github, current suspect is the OpenSUSE kernel as the generated apparmor profile matches that we have on all other distros and none of those distros run into that problem, despite an otherwise matching kernel version.