New Container not starting: Failed to run: apparmor_parser

rootchaos · November 9, 2021, 12:45pm

Hi,

I provisioned a new container today :-
#lxc launch ubuntu:20.04 GITLAB-ZA-1-H3-PRO-TER-ISA-ZA

After the launch, I got the following error:-

Nov 9 14:17:52 vm-host-03 lxd[3367]: t=2021-11-09T14:17:52+0200 lvl=eror msg=“Running apparmor” action=r err="Failed to run: apparmor_parser -rWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-GITLAB-ZA-1-H3-PRO-TER-ISA-ZA: " output=

Nov 9 14:17:52 vm-host-03 lxd[3367]: t=2021-11-09T14:17:52+0200 lvl=eror msg=“The start hook failed” container=GITLAB-ZA-1-H3-PRO-TER-ISA-ZA err="Failed to run: apparmor_parser -rWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-GITLAB-ZA-1-H3-PRO-TER-ISA-ZA: "

Nov 9 14:17:52 vm-host-03 lxd[3367]: t=2021-11-09T14:17:52+0200 lvl=eror msg=“Failed starting container” action=start created=2021-11-09T14:17:45+0200 ephemeral=false name=GITLAB-ZA-1-H3-PRO-TER-ISA-ZA stateful=false used=1970-01-01T02:00:00+0200

Some more information…

#lxc info --show-log local:GITLAB-ZA-1-H3-PRO-TER-ISA-ZA
Name: GITLAB-ZA-1-H3-PRO-TER-ISA-ZA
Remote: unix://
Architecture: x86_64
Created: 2021/11/09 12:17 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

lxc GITLAB-ZA-1-H3-PRO-TER-ISA-ZA 20211109121752.879 ERROR conf - conf.c:run_buffer:335 - Script exited with status 1

lxc GITLAB-ZA-1-H3-PRO-TER-ISA-ZA 20211109121752.879 ERROR start - start.c:lxc_init:859 - Failed to run lxc.hook.pre-start for container “GITLAB-ZA-1-H3-PRO-TER-ISA-ZA”

lxc GITLAB-ZA-1-H3-PRO-TER-ISA-ZA 20211109121752.879 ERROR start - start.c:__lxc_start:1905 - Failed to initialize container “GITLAB-ZA-1-H3-PRO-TER-ISA-ZA”

lxc GITLAB-ZA-1-H3-PRO-TER-ISA-ZA 20211109121752.880 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:833 - No such file or directory - Failed to receive the container state

At this stage the container refuses to start. Any idea what the cause could be?

Thanks, Gabriel

rootchaos · November 22, 2021, 7:19am

Some more investigation reveals the issue to be AppArmor related :

EROR[11-22|09:12:19] Running apparmor err="Failed to run: apparmor_parser -rWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-GITLAB-ZA-1-H3-PRO-TER-ISA-ZA: " output= action=r
EROR[11-22|09:12:19] The start hook failed container=GITLAB-ZA-1-H3-PRO-TER-ISA-ZA err="Failed to run: apparmor_parser -rWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-GITLAB-ZA-1-H3-PRO-TER-ISA-ZA: "

I’m hoping someone would be able to advise how to fix this issue.

tomp · November 22, 2021, 9:08am

What is your host OS and version?
How did you install LXD? From the snap?

rootchaos · November 22, 2021, 2:11pm

uname -a

Linux vm-host-03 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/issue

Ubuntu 18.04.6 LTS \n \l

The server has multiple containers running in production - it’s been running fine since we installed the server probably 2 years ago. The last “major” change was updating the packages with “apt upgrade” - we don’t get to add new containers on a daily basis so I only noticed this a few weeks ago and the last recorded change was running “apt upgrade”

tomp · November 22, 2021, 2:23pm

What LXD version are you running, it looks like pre-snap package?

rootchaos · November 23, 2021, 7:23am

root@vm-host-03 [09:22:19] :~

lxd --version

3.0.3

tomp · November 23, 2021, 12:31pm

It suggests that apparmor_parser is missing, do you see it on your system

whereis apparmor_parser

rootchaos · November 24, 2021, 11:37am

Seems to be missing somehow…
#whereis apparmor_parser
apparmor_parser:

rootchaos · November 25, 2021, 9:45am

seems like apparmor_status is also not present…
#apparmor_status
-bash: apparmor_status: command not found

I do have profiles in /etc/apparmor.d/

#ls -al /etc/apparmor.d/
total 88
drwxr-xr-x 9 root root 4096 Oct 17 05:03 .
drwxr-xr-x 106 root root 4096 Nov 2 08:44 …
drwxr-xr-x 5 root root 4096 Feb 14 2019 abstractions
drwxr-xr-x 2 root root 4096 Jul 17 2020 cache
drwxr-xr-x 2 root root 4096 Feb 14 2019 disable
drwxr-xr-x 2 root root 4096 Apr 24 2018 force-complain
drwxr-xr-x 2 root root 4096 Feb 14 2019 local
drwxr-xr-x 2 root root 4096 Feb 14 2019 lxc
-rw-r–r-- 1 root root 198 Nov 23 2018 lxc-containers
-rw-r–r-- 1 root root 3194 Mar 26 2018 sbin.dhclient
drwxr-xr-x 5 root root 4096 Feb 14 2019 tunables
-rw-r–r-- 1 root root 125 Nov 23 2018 usr.bin.lxc-start
-rw-r–r-- 1 root root 2857 Apr 7 2018 usr.bin.man
-rw-r–r-- 1 root root 26245 Jul 10 2020 usr.lib.snapd.snap-confine.real
-rw-r–r-- 1 root root 1550 Apr 24 2018 usr.sbin.rsyslogd
-rw-r–r-- 1 root root 1353 Mar 31 2018 usr.sbin.tcpdump

Do I re-install apparmor? Will it pick up the profiles in order to function normally?
Since this is a production server, I’m hesitant to just try different things to get it back to a functional state…

Many thanks!

tomp · November 25, 2021, 10:55am

Try installing apparmor

rootchaos · November 25, 2021, 10:58am

It works perfectly now. Many thanks for the help!