Profile for Content Interface Bind Mounts

Hello,

I am trying to connect the socket-directory content interface between two snaps inside of a lxd container and having some issues with the snapped process not starting following the connecting of the content interface. I have a feeling I need to set some lxd profile config, but not exactly sure what. I found this, but lxc no longer accepts this config. Can someone help me understand what I need to do to my profile in order to get the bind mount content interface socket-directory to work correctly inside of a lxd/lxc container?

Thank you!

Hi!

Can you provide an example with some sample snaps on what you are trying to achieve?

@simos I am trying to connect this content interface socket-directory plug to this content interface socket-directory slot.

Connecting these snap interfaces allows the slurmdbd snap to access the socket of the munged process in the munge snap.

Content interface: docs

Bump

Are you getting an error from snapd, if so, what?
Also, can you look at dmesg for any mount denials coming from apparmor?

Not sure how I missed this - @stgraber thanks for the quick response!

I’m not getting any error from snapd as far as I can tell.

I am seeing these lines in syslog:

Feb 22 16:08:08 juju-ac70f6-15 systemd[1]: snap.munge.munged.service: Failed to reset devices.list: Operation not permitted
Feb 22 16:08:30 juju-ac70f6-15 systemd[1]: snap.slurmdbd.slurmdbd.service: Failed to reset devices.list: Operation not permitted

dmesg shows:

[4118726.770268] kauditd_printk_skb: 5 callbacks suppressed
[4118726.770269] audit: type=1400 audit(1582387903.743:2056): apparmor="STATUS" operation="profile_replace" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.munged" pid=3244 comm="apparmor_parser"
[4118726.773995] audit: type=1400 audit(1582387903.747:2057): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.munge" pid=3246 comm="apparmor_parser"
[4118726.774740] audit: type=1400 audit(1582387903.747:2058): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.hook.install" pid=3248 comm="apparmor_parser"
[4118726.774866] audit: type=1400 audit(1582387903.747:2059): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.remunged" pid=3250 comm="apparmor_parser"
[4118726.774977] audit: type=1400 audit(1582387903.747:2060): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.munge" pid=3249 comm="apparmor_parser"
[4118726.775168] audit: type=1400 audit(1582387903.747:2061): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.hook.configure" pid=3247 comm="apparmor_parser"
[4118726.775393] audit: type=1400 audit(1582387903.747:2062): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.unmunge" pid=3251 comm="apparmor_parser"
[4118726.821466] audit: type=1400 audit(1582387903.795:2063): apparmor="STATUS" operation="profile_replace" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.slurmdbd" pid=3259 comm="apparmor_parser"
[4118726.899174] audit: type=1400 audit(1582387903.871:2064): apparmor="STATUS" operation="profile_replace" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.slurmdbd.slurmdbd" pid=3266 comm="apparmor_parser"
[4118726.900054] audit: type=1400 audit(1582387903.871:2065): apparmor="STATUS" operation="profile_replace" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.slurmdbd.mysqldump" pid=3264 comm="apparmor_parser"

The devices.list lines are safe to ignore; they’re just systemd warnings.
The apparmor messages only show profiles being reloaded; again, that seems fine.

You could try to set security.nesting=true on the LXD container. This allows a bunch more types of mounts than normal, so that may help here.

If that still doesn’t work, it may be worth approaching the snapd team. They do some tests for snapd inside LXD, though I’m not sure how much testing is in place for the content interface.
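Added example (not from this thread or from LXD/snapd): a small triage script for the dmesg check suggested above. It separates the harmless apparmor="STATUS" profile reloads shown in the thread from apparmor="DENIED" operation="mount" lines, and points at the security.nesting change when denials are present. The sample lines and the path /var/snap/EXAMPLE/common/run/ are constructed.

```shell
#!/bin/sh
# Added example (not from this thread): triage the apparmor audit lines that
# dmesg prints when a content-interface bind mount fails inside an LXD
# container. Profile reloads (apparmor="STATUS" ... profile_replace) are
# harmless; only apparmor="DENIED" operation="mount" lines matter.

# Read dmesg-style lines on stdin, print each mount denial as "profile -> path".
apparmor_mount_denials() {
    awk '
        /apparmor="DENIED"/ && /operation="mount"/ {
            profile = "?"; name = "?"
            for (i = 1; i <= NF; i++) {
                # fields look like key="value"; split on the quotes
                if ($i ~ /^profile=/) { split($i, a, "\""); profile = a[2] }
                if ($i ~ /^name=/)    { split($i, a, "\""); name = a[2] }
            }
            print profile " -> " name
        }'
}

# Exit 0 when stdin contains at least one mount denial, 1 otherwise.
has_mount_denials() {
    [ -n "$(apparmor_mount_denials)" ]
}

# Print denials and, when there are any, the profile change suggested above.
# Usage: dmesg | triage <container-name>
triage() {
    container="${1:-<container>}"
    denials="$(apparmor_mount_denials)"
    if [ -z "$denials" ]; then
        echo "no apparmor mount denials; the STATUS lines are profile reloads"
        return 0
    fi
    echo "apparmor denied these mounts:"
    echo "$denials"
    echo "next step: lxc config set $container security.nesting true"
    return 1
}

# Constructed sample: one STATUS line in the shape of the thread's dmesg output
# and one DENIED line with a placeholder path (not taken from the thread).
sample_dmesg() {
    cat <<'EOF'
[4118726.770269] audit: type=1400 audit(1582387903.743:2056): apparmor="STATUS" operation="profile_replace" label="lxd-juju-ac70f6-15_</var/snap/lxd/common/lxd>//&:lxd-juju-ac70f6-15_<var-snap-lxd-common-lxd>:unconfined" name="snap.munge.munged" pid=3244 comm="apparmor_parser"
[4118800.000000] audit: type=1400 audit(1582387977.000:2070): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="snap-update-ns.slurmdbd" name="/var/snap/EXAMPLE/common/run/" pid=3300 comm="snap-update-ns" flags="rw, bind"
EOF
}
```

Run it against the real kernel log with `dmesg | triage <container>` inside the container host; a non-zero exit means at least one mount was denied.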
