I have an Ubuntu Bionic container on LXD that runs strongSwan (the host is Bionic too). Symptoms:
I can start the ipsec service with systemctl
I can also use the ‘ipsec start|restart|stop’ commands
The VPN tunnel to a remote host is created.
However when I issue ‘ipsec status|statusall|listxxx|etc’ commands, I get a segfault:
root@vpn1:~# ipsec statusall
Segmentation fault
I tried the following:
I made sure that all kernel modules required by strongSwan are loaded and added to the container’s config (linux.kernel_modules = …)
Disabled AppArmor everywhere
Set the container to privileged
Launched a KVM VM using the same image (Ubuntu 18.04 LTS (Bionic Beaver) Daily Build [20180630]). It worked flawlessly.
Since it’s the same OS and strongSwan version and the network config was similar, my only guess is that it has something to do with LXD. I ran ‘ipsec statusall’ with strace, here are the outputs:
It was AppArmor! Even though I stopped the daemon, the modules were still loaded and in enforce mode:
root@vpn1:~# aa-status
apparmor module is loaded.
18 profiles are loaded.
18 profiles are in enforce mode.
[...]
/usr/lib/ipsec/charon
/usr/lib/ipsec/lookip
/usr/lib/ipsec/stroke
[...]
It started working after switching to complain mode: root@vpn1:~# aa-complain /etc/apparmor.d/usr.lib.ipsec.
This is the log entry I see if I switch back to enforce mode: Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
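To make denials like the one above easy to spot across a host that runs many containers, here is a small parser for AppArmor `type=1400` audit lines as they appear in syslog or dmesg. It is an added example written for this post, not part of the original thread or of strongSwan/LXD; the `lxd-<name>_<path>` namespace convention it relies on is taken from the quoted log line, and the extra sample lines (an `ntpd` profile on the host, an sshd line that must be skipped) are constructed for the demonstration.

```python
"""Parse AppArmor audit(1400) events and summarise DENIED entries per container and profile."""
import re
from collections import defaultdict

# Constructed sample log: the first line is the denial quoted in the post
# (the stroke profile refusing an mmap of its own binary inside the
# lxd-vpn1 namespace); the remaining lines are made up here to exercise
# the parser (a STATUS event, a host-side denial, and a non-AppArmor line).
SAMPLE_LOG = """\
Jul 7 04:53:32 lxd1 kernel: [ 4526.583617] audit: type=1400 audit(1530939212.389:68): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-vpn1_<var-lib-lxd>" profile="/usr/lib/ipsec/stroke" name="/usr/lib/ipsec/stroke" pid=3372 comm="stroke" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000
Jul 7 04:53:40 lxd1 kernel: [ 4534.112233] audit: type=1400 audit(1530939220.101:69): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/ipsec/charon" pid=3400 comm="apparmor_parser"
Jul 7 04:54:01 lxd1 kernel: [ 4555.000001] audit: type=1400 audit(1530939241.500:70): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=3500 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 7 04:54:02 lxd1 sshd[1234]: Accepted publickey for ubuntu from 10.0.0.5 port 50000 ssh2
"""

# key="quoted value" or key=bare_value, as the kernel audit subsystem emits them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_MARKER = "audit: type=1400"


def parse_apparmor_event(line):
    """Return the key/value fields of one AppArmor audit line, or None if the
    line is not a type=1400 event (e.g. an sshd or application log line)."""
    idx = line.find(AUDIT_MARKER)
    if idx < 0:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line[idx + len(AUDIT_MARKER):]):
        fields[key] = quoted if quoted else bare
    return fields


def container_of(fields):
    """Derive the LXD container name from a namespace such as
    root//lxd-vpn1_<var-lib-lxd> (assumed convention, taken from the quoted
    log line). Returns None for host events, which carry no namespace field."""
    ns = fields.get("namespace")
    if not ns:
        return None
    m = re.search(r"lxd-([^_/]+)_", ns)
    return m.group(1) if m else ns


def summarise_denials(log_text):
    """Group DENIED events by (container, profile) and record which operation,
    object and permission mask were refused, so an enforce-mode profile that
    is still loaded inside a container stands out at a glance."""
    summary = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        key = (container_of(ev) or "host", ev.get("profile", "?"))
        summary[key].append(
            (ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
        )
    return dict(summary)


if __name__ == "__main__":
    for (container, profile), denials in summarise_denials(SAMPLE_LOG).items():
        print(f"{container}: {profile}")
        for op, obj, mask in denials:
            print(f"    {op} on {obj} (denied_mask={mask})")
```

Run over the full journal (e.g. `journalctl -k | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the `(vpn1, /usr/lib/ipsec/stroke)` group shows in one place that the denial comes from inside the container's namespace and that the refused permission is `m` (mmap) on the profile's own binary, which is exactly the condition that surfaces as the bare "Segmentation fault" from `ipsec statusall`.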