Bad case:

$ ./repro.sh bad
+ '[' bad == bad ']'
+ echo 'Bad case: Using apparmor from proposed'
Bad case: Using apparmor from proposed
+ BADCASE=1
+ lxc stop --force testguest-apparmor-bad
+ lxc delete --force testguest-apparmor-bad
+ lxc launch ubuntu-daily:groovy/amd64 testguest-apparmor-bad --profile default --profile kvm
Creating testguest-apparmor-bad
Starting testguest-apparmor-bad
+ sleep 30s
+ lxc exec testguest-apparmor-bad runlevel
N 5
+ lxc exec testguest-apparmor-bad -- bash -c 'H=`cat /etc/hostname`; if [ -f /var/lib/cloud/instance/boot-finished ]; then echo "LXD container $H ready"; else echo "LXD container $H not ready yet"; exit 2; fi'
LXD container testguest-apparmor-bad ready
+ lxc exec testguest-apparmor-bad --env DEBIAN_FRONTEND=noninteractive -- bash -c 'apt-get --allow-unauthenticated --assume-yes -o Dpkg::Options::='\''--force-confdef'\'' -o Dpkg::Options::='\''--force-confold'\'' install apparmor-utils'
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  python3-apparmor python3-libapparmor
Suggested packages:
  vim-addon-manager
The following NEW packages will be installed:
  apparmor-utils python3-apparmor python3-libapparmor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 157 kB of archives.
After this operation, 966 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu groovy/main amd64 python3-libapparmor 
amd64 2.13.3-7ubuntu6 [26.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu groovy/main amd64 python3-apparmor amd64 
2.13.3-7ubuntu6 [78.6 kB]
Get:3 http://archive.ubuntu.com/ubuntu groovy/main amd64 apparmor-utils amd64 
2.13.3-7ubuntu6 [51.4 kB]
Fetched 157 kB in 0s (385 kB/s)           
Selecting previously unselected package python3-libapparmor.
(Reading database ... 31714 files and directories currently installed.)
Preparing to unpack .../python3-libapparmor_2.13.3-7ubuntu6_amd64.deb ...
Unpacking python3-libapparmor (2.13.3-7ubuntu6) ...
Selecting previously unselected package python3-apparmor.
Preparing to unpack .../python3-apparmor_2.13.3-7ubuntu6_amd64.deb ...
Unpacking python3-apparmor (2.13.3-7ubuntu6) ...
Selecting previously unselected package apparmor-utils.
Preparing to unpack .../apparmor-utils_2.13.3-7ubuntu6_amd64.deb ...
Unpacking apparmor-utils (2.13.3-7ubuntu6) ...
Setting up python3-libapparmor (2.13.3-7ubuntu6) ...
Setting up python3-apparmor (2.13.3-7ubuntu6) ...
Setting up apparmor-utils (2.13.3-7ubuntu6) ...
Processing triggers for man-db (2.9.3-2) ...
+ lxc exec testguest-apparmor-bad -- aa-status
apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
+ '[' 1 -eq 1 ']'
+ lxc exec testguest-apparmor-bad -- bash -c 'echo '\''deb http://archive.ubuntu.com/ubuntu/ groovy-proposed restricted main multiverse universe'\'' >> /etc/apt/sources.list'
+ lxc exec testguest-apparmor-bad --env DEBIAN_FRONTEND=noninteractive -- bash -c 'apt-get --allow-unauthenticated --assume-yes -o Dpkg::Options::='\''--force-confdef'\'' -o Dpkg::Options::='\''--force-confold'\'' update'
Hit:1 http://security.ubuntu.com/ubuntu groovy-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu groovy InRelease [267 kB]
Get:3 http://security.ubuntu.com/ubuntu groovy-security/universe amd64 c-n-f 
Metadata [116 B]
Get:4 http://security.ubuntu.com/ubuntu groovy-security/multiverse amd64 c-n-f 
Metadata [116 B]
Hit:5 http://archive.ubuntu.com/ubuntu groovy-updates InRelease
Get:6 http://archive.ubuntu.com/ubuntu groovy-backports InRelease [89.2 kB]
Get:7 http://archive.ubuntu.com/ubuntu groovy-proposed InRelease [118 kB]
Get:8 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages [969 kB]
Get:9 http://archive.ubuntu.com/ubuntu groovy/main Translation-en [507 kB]
Get:10 http://archive.ubuntu.com/ubuntu groovy/main amd64 c-n-f Metadata [29.4 
kB]
Get:11 http://archive.ubuntu.com/ubuntu groovy/universe amd64 Packages [8842 kB]
Get:12 http://archive.ubuntu.com/ubuntu groovy/universe Translation-en [5263 kB]
Get:13 http://archive.ubuntu.com/ubuntu groovy/universe amd64 c-n-f Metadata 
[271 kB]
Get:14 http://archive.ubuntu.com/ubuntu groovy/multiverse amd64 Packages [147 
kB]
Get:15 http://archive.ubuntu.com/ubuntu groovy/multiverse Translation-en [106 
kB]
Get:16 http://archive.ubuntu.com/ubuntu groovy/multiverse amd64 c-n-f Metadata 
[9284 B]
Get:17 http://archive.ubuntu.com/ubuntu groovy-updates/universe amd64 c-n-f 
Metadata [112 B]
Get:18 http://archive.ubuntu.com/ubuntu groovy-updates/multiverse amd64 c-n-f 
Metadata [116 B]
Get:19 http://archive.ubuntu.com/ubuntu groovy-backports/main amd64 c-n-f 
Metadata [112 B]
Get:20 http://archive.ubuntu.com/ubuntu groovy-backports/restricted amd64 c-n-f 
Metadata [116 B]
Get:21 http://archive.ubuntu.com/ubuntu groovy-backports/universe amd64 c-n-f 
Metadata [116 B]
Get:22 http://archive.ubuntu.com/ubuntu groovy-backports/multiverse amd64 c-n-f 
Metadata [116 B]
Get:23 http://archive.ubuntu.com/ubuntu groovy-proposed/restricted amd64 
Packages [12.5 kB]
Get:24 http://archive.ubuntu.com/ubuntu groovy-proposed/restricted 
Translation-en [3332 B]
Get:25 http://archive.ubuntu.com/ubuntu groovy-proposed/restricted amd64 c-n-f 
Metadata [116 B]
Get:26 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages 
[57.9 kB]
Get:27 http://archive.ubuntu.com/ubuntu groovy-proposed/main Translation-en 
[23.7 kB]
Get:28 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 c-n-f 
Metadata [2612 B]
Get:29 http://archive.ubuntu.com/ubuntu groovy-proposed/multiverse amd64 
Packages [2752 B]
Get:30 http://archive.ubuntu.com/ubuntu groovy-proposed/multiverse 
Translation-en [5316 B]
Get:31 http://archive.ubuntu.com/ubuntu groovy-proposed/multiverse amd64 c-n-f 
Metadata [412 B]
Get:32 http://archive.ubuntu.com/ubuntu groovy-proposed/universe amd64 Packages 
[148 kB]
Get:33 http://archive.ubuntu.com/ubuntu groovy-proposed/universe Translation-en 
[130 kB]
Get:34 http://archive.ubuntu.com/ubuntu groovy-proposed/universe amd64 c-n-f 
Metadata [7308 B]
Fetched 17.0 MB in 4s (3789 kB/s) 
Reading package lists... Done
+ lxc exec testguest-apparmor-bad --env DEBIAN_FRONTEND=noninteractive -- bash -c 'apt-get --allow-unauthenticated --assume-yes -o Dpkg::Options::='\''--force-confdef'\'' -o Dpkg::Options::='\''--force-confold'\'' install apparmor'
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
Suggested packages:
  apparmor-profiles-extra
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 37 not upgraded.
Need to get 528 kB of archives.
After this operation, 111 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 apparmor 
amd64 3.0.0~beta1-0ubuntu5 [528 kB]
Fetched 528 kB in 1s (563 kB/s)   
Preconfiguring packages ...
(Reading database ... 31792 files and directories currently installed.)
Preparing to unpack .../apparmor_3.0.0~beta1-0ubuntu5_amd64.deb ...
Unpacking apparmor (3.0.0~beta1-0ubuntu5) over (2.13.3-7ubuntu6) ...
Setting up apparmor (3.0.0~beta1-0ubuntu5) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apache2-common ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apparmor_api/change_profile ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apparmor_api/examine ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apparmor_api/find_mountpoint ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apparmor_api/introspect ...
Installing new version of config file 
/etc/apparmor.d/abstractions/apparmor_api/is_enabled ...
Installing new version of config file /etc/apparmor.d/abstractions/aspell ...
Installing new version of config file /etc/apparmor.d/abstractions/audio ...
Installing new version of config file 
/etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file /etc/apparmor.d/abstractions/bash ...
Installing new version of config file /etc/apparmor.d/abstractions/consoles ...
Installing new version of config file /etc/apparmor.d/abstractions/cups-client 
...
Installing new version of config file /etc/apparmor.d/abstractions/dbus ...
Installing new version of config file 
/etc/apparmor.d/abstractions/dbus-accessibility ...
Installing new version of config file 
/etc/apparmor.d/abstractions/dbus-accessibility-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-session 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-strict 
...
Installing new version of config file /etc/apparmor.d/abstractions/dconf ...
Installing new version of config file 
/etc/apparmor.d/abstractions/dovecot-common ...
Installing new version of config file /etc/apparmor.d/abstractions/dri-common 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/dri-enumerate ...
Installing new version of config file /etc/apparmor.d/abstractions/enchant ...
Installing new version of config file /etc/apparmor.d/abstractions/fcitx ...
Installing new version of config file /etc/apparmor.d/abstractions/fcitx-strict 
...
Installing new version of config file /etc/apparmor.d/abstractions/fonts ...
Installing new version of config file 
/etc/apparmor.d/abstractions/freedesktop.org ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/gnupg ...
Installing new version of config file /etc/apparmor.d/abstractions/ibus ...
Installing new version of config file /etc/apparmor.d/abstractions/kde ...
Installing new version of config file 
/etc/apparmor.d/abstractions/kde-globals-write ...
Installing new version of config file 
/etc/apparmor.d/abstractions/kde-icon-cache-write ...
Installing new version of config file 
/etc/apparmor.d/abstractions/kde-language-write ...
Installing new version of config file 
/etc/apparmor.d/abstractions/kerberosclient ...
Installing new version of config file /etc/apparmor.d/abstractions/ldapclient 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/libpam-systemd ...
Installing new version of config file /etc/apparmor.d/abstractions/likewise ...
Installing new version of config file /etc/apparmor.d/abstractions/mdns ...
Installing new version of config file /etc/apparmor.d/abstractions/mesa ...
Installing new version of config file /etc/apparmor.d/abstractions/mir ...
Installing new version of config file /etc/apparmor.d/abstractions/mozc ...
Installing new version of config file /etc/apparmor.d/abstractions/mysql ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice 
...
Installing new version of config file /etc/apparmor.d/abstractions/nis ...
Installing new version of config file /etc/apparmor.d/abstractions/nvidia ...
Installing new version of config file /etc/apparmor.d/abstractions/opencl ...
Installing new version of config file 
/etc/apparmor.d/abstractions/opencl-common ...
Installing new version of config file /etc/apparmor.d/abstractions/opencl-intel 
...
Installing new version of config file /etc/apparmor.d/abstractions/opencl-mesa 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/opencl-nvidia ...
Installing new version of config file /etc/apparmor.d/abstractions/opencl-pocl 
...
Installing new version of config file /etc/apparmor.d/abstractions/openssl ...
Installing new version of config file /etc/apparmor.d/abstractions/orbit2 ...
Installing new version of config file /etc/apparmor.d/abstractions/p11-kit ...
Installing new version of config file /etc/apparmor.d/abstractions/perl ...
Installing new version of config file /etc/apparmor.d/abstractions/php ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file 
/etc/apparmor.d/abstractions/postfix-common ...
Installing new version of config file 
/etc/apparmor.d/abstractions/private-files ...
Installing new version of config file 
/etc/apparmor.d/abstractions/private-files-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/python ...
Installing new version of config file /etc/apparmor.d/abstractions/qt5 ...
Installing new version of config file 
/etc/apparmor.d/abstractions/qt5-compose-cache-write ...
Installing new version of config file 
/etc/apparmor.d/abstractions/qt5-settings-write ...
Installing new version of config file 
/etc/apparmor.d/abstractions/recent-documents-write ...
Installing new version of config file /etc/apparmor.d/abstractions/ruby ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/smbpass ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file 
/etc/apparmor.d/abstractions/svn-repositories ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-bittorrent-clients ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/java ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/kde ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/mailto ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/text-editors ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-console-browsers ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-console-email ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-email 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-feed-readers ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-gnome-terminal ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-konsole ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-media-players ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-unity7-base ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-unity7-launcher ...
Installing new version of config file 
/etc/apparmor.d/abstractions/ubuntu-unity7-messaging ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-xterm 
...
Installing new version of config file 
/etc/apparmor.d/abstractions/user-download ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
Installing new version of config file 
/etc/apparmor.d/abstractions/user-manpages ...
Installing new version of config file /etc/apparmor.d/abstractions/user-tmp ...
Installing new version of config file /etc/apparmor.d/abstractions/user-write 
...
Installing new version of config file /etc/apparmor.d/abstractions/video ...
Installing new version of config file /etc/apparmor.d/abstractions/vulkan ...
Installing new version of config file /etc/apparmor.d/abstractions/wayland ...
Installing new version of config file /etc/apparmor.d/abstractions/web-data ...
Installing new version of config file /etc/apparmor.d/abstractions/winbind ...
Installing new version of config file /etc/apparmor.d/abstractions/wutmp ...
Installing new version of config file /etc/apparmor.d/abstractions/xad ...
Installing new version of config file /etc/apparmor.d/abstractions/xdg-desktop 
...
Installing new version of config file /etc/apparmor.d/local/README ...
Installing new version of config file /etc/apparmor.d/lsb_release ...
Installing new version of config file /etc/apparmor.d/nvidia_modprobe ...
Installing new version of config file /etc/apparmor.d/tunables/apparmorfs ...
Installing new version of config file /etc/apparmor.d/tunables/global ...
Installing new version of config file /etc/apparmor.d/tunables/home ...
Installing new version of config file /etc/apparmor.d/tunables/multiarch ...
Installing new version of config file /etc/apparmor.d/tunables/xdg-user-dirs ...
Installing new version of config file /etc/apparmor/parser.conf ...
Reloading AppArmor profiles 
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for systemd (246.4-1ubuntu1) ...
+ lxc exec testguest-apparmor-bad -- aa-status
apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
+ lxc exec testguest-apparmor-bad -- dpkg -l apparmor
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version              Architecture Description
+++-==============-====================-============-======================================
ii  apparmor       3.0.0~beta1-0ubuntu5 amd64        user-space parser utility for AppArmor
+ lxc stop --timeout 300 testguest-apparmor-bad
+ lxc snapshot testguest-apparmor-bad orig
+ lxc restore testguest-apparmor-bad orig
+ lxc start testguest-apparmor-bad
+ sleep 30s
+ lxc exec testguest-apparmor-bad runlevel
N 5
+ lxc exec testguest-apparmor-bad -- bash -c 'H=`cat /etc/hostname`; if [ -f /var/lib/cloud/instance/boot-finished ]; then echo "LXD container $H ready"; else echo "LXD container $H not ready yet"; exit 2; fi'
LXD container testguest-apparmor-bad ready
+ lxc exec testguest-apparmor-bad -- aa-status
apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
+ lxc exec testguest-apparmor-bad -- systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2020-09-22 10:39:38 UTC; 30s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 107 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 107 (code=exited, status=0/SUCCESS)

Sep 22 10:39:38 testguest-apparmor-bad apparmor.systemd[107]: Not starting AppArmor in container
Sep 22 10:39:38 testguest-apparmor-bad systemd[1]: Finished Load AppArmor profiles.


Good case:
$ ./repro.sh good
+ '[' good == bad ']'
+ '[' good == good ']'
+ echo 'Good case: Keeps apparmor as-is'
Good case: Keeps apparmor as-is
+ BADCASE=0
+ lxc stop --force testguest-apparmor-good
+ lxc delete --force testguest-apparmor-good
+ lxc launch ubuntu-daily:groovy/amd64 testguest-apparmor-good --profile default --profile kvm
Creating testguest-apparmor-good
Starting testguest-apparmor-good
+ sleep 30s
+ lxc exec testguest-apparmor-good runlevel
N 5
+ lxc exec testguest-apparmor-good -- bash -c 'H=`cat /etc/hostname`; if [ -f /var/lib/cloud/instance/boot-finished ]; then echo "LXD container $H ready"; else echo "LXD container $H not ready yet"; exit 2; fi'
LXD container testguest-apparmor-good ready
+ lxc exec testguest-apparmor-good --env DEBIAN_FRONTEND=noninteractive -- bash -c 'apt-get --allow-unauthenticated --assume-yes -o Dpkg::Options::='\''--force-confdef'\'' -o Dpkg::Options::='\''--force-confold'\'' install apparmor-utils'
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  python3-apparmor python3-libapparmor
Suggested packages:
  vim-addon-manager
The following NEW packages will be installed:
  apparmor-utils python3-apparmor python3-libapparmor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 157 kB of archives.
After this operation, 966 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu groovy/main amd64 python3-libapparmor 
amd64 2.13.3-7ubuntu6 [26.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu groovy/main amd64 python3-apparmor amd64 
2.13.3-7ubuntu6 [78.6 kB]
Get:3 http://archive.ubuntu.com/ubuntu groovy/main amd64 apparmor-utils amd64 
2.13.3-7ubuntu6 [51.4 kB]
Fetched 157 kB in 0s (389 kB/s)           
Selecting previously unselected package python3-libapparmor.
(Reading database ... 31714 files and directories currently installed.)
Preparing to unpack .../python3-libapparmor_2.13.3-7ubuntu6_amd64.deb ...
Unpacking python3-libapparmor (2.13.3-7ubuntu6) ...
Selecting previously unselected package python3-apparmor.
Preparing to unpack .../python3-apparmor_2.13.3-7ubuntu6_amd64.deb ...
Unpacking python3-apparmor (2.13.3-7ubuntu6) ...
Selecting previously unselected package apparmor-utils.
Preparing to unpack .../apparmor-utils_2.13.3-7ubuntu6_amd64.deb ...
Unpacking apparmor-utils (2.13.3-7ubuntu6) ...
Setting up python3-libapparmor (2.13.3-7ubuntu6) ...
Setting up python3-apparmor (2.13.3-7ubuntu6) ...
Setting up apparmor-utils (2.13.3-7ubuntu6) ...
Processing triggers for man-db (2.9.3-2) ...
+ lxc exec testguest-apparmor-good -- aa-status
apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
+ '[' 0 -eq 1 ']'
+ lxc exec testguest-apparmor-good -- dpkg -l apparmor
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-======================================
ii  apparmor       2.13.3-7ubuntu6 amd64        user-space parser utility for AppArmor
+ lxc stop --timeout 300 testguest-apparmor-good
+ lxc snapshot testguest-apparmor-good orig
+ lxc restore testguest-apparmor-good orig
+ lxc start testguest-apparmor-good
+ sleep 30s
+ lxc exec testguest-apparmor-good runlevel
N 5
+ lxc exec testguest-apparmor-good -- bash -c 'H=`cat /etc/hostname`; if [ -f /var/lib/cloud/instance/boot-finished ]; then echo "LXD container $H ready"; else echo "LXD container $H not ready yet"; exit 2; fi'
LXD container testguest-apparmor-good ready
+ lxc exec testguest-apparmor-good -- aa-status
apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /snap/snapd/9279/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
+ lxc exec testguest-apparmor-good -- systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2020-09-22 10:39:10 UTC; 30s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 107 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 107 (code=exited, status=0/SUCCESS)

Sep 22 10:39:10 testguest-apparmor-good apparmor.systemd[107]: Restarting AppArmor
Sep 22 10:39:10 testguest-apparmor-good apparmor.systemd[107]: Reloading AppArmor profiles
Sep 22 10:39:11 testguest-apparmor-good apparmor.systemd[124]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Sep 22 10:39:10 testguest-apparmor-good systemd[1]: Finished Load AppArmor profiles.

** Changed in: apparmor (Ubuntu)
   Importance: High => Critical

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

** Summary changed:

- 3.0.0~beta1-0ubuntu1 in Groovy breaks Libvirt/Qemu/KVM
+ Apparmor 3.0.0 does not load profiles in containers anymore

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1895967

Title:
  Apparmor 3.0.0 does not load profiles in containers anymore

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Hi,
  I stumbled over this due to automatic tests checking proposed.
  I found that Focal could no longer migrate to Groovy with:

  $ virsh migrate --unsafe --live fguest qemu+ssh://10.162.30.163/system
  error: unsupported configuration: Security driver model 'apparmor' is not available

  I looked after it and found that while all former releases detected
  apparmor correctly:

  $ virsh capabilities | grep -C 3 secmodel
      <cache>
        <bank id='0' level='3' type='both' size='15' unit='MiB' cpus='0-11'/>
      </cache>
      <secmodel>
        <model>apparmor</model>
        <doi>0</doi>
      </secmodel>
      <secmodel>
        <model>dac</model>
        <doi>0</doi>
        <baselabel type='kvm'>+64055:+108</baselabel>
        <baselabel type='qemu'>+64055:+108</baselabel>
      </secmodel>

  Now on groovy that didn't work anymore:

      <secmodel>
        <model>none</model>
        <doi>0</doi>
      </secmodel>
      <secmodel>
        <model>dac</model>
        <doi>0</doi>
        <baselabel type='kvm'>+64055:+108</baselabel>
        <baselabel type='qemu'>+64055:+108</baselabel>
      </secmodel>

  Since 3.0 is only in proposed:
  # apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu1
    Version table:
       3.0.0~beta1-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
   *** 2.13.3-7ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status
  I installed the former version.

  
  $ apt install apparmor=2.13.3-7ubuntu6
  $ rm /var/cache/libvirt/qemu/capabilities/*
  $ systemctl restart libvirtd

  And it works again.

  Interestingly going back to 3.0 then works and keeps working.
  Therefore maybe it is a red herring and I'll consider it incomplete & low
  prio for now until I know more (allowing others that might see the same to
  find this bug and chime in).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895967/+subscriptions
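
The bad case in the log above ends with 15 instead of 28 profiles loaded after the restart, together with the journal line "Not starting AppArmor in container". As an added example (not part of the original report or of repro.sh), the Python below diffs two aa-status captures and flags that journal line; the sample inputs are constructed and abridged from the output above, and all function names are hypothetical.

```python
import re

# Constructed, abridged samples modelled on the aa-status output in the log
# above; counts are reduced to match the shortened profile lists.
BEFORE_REBOOT = """\
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   /usr/bin/man
   lsb_release
   snap.lxd.daemon
   tcpdump
0 profiles are in complain mode.
0 processes have profiles defined.
"""

AFTER_REBOOT = """\
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /snap/snapd/9279/usr/lib/snapd/snap-confine
   snap.lxd.daemon
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
"""

# Journal line as shown by `systemctl status apparmor` in the bad case.
JOURNAL = (
    "Sep 22 10:39:38 testguest-apparmor-bad apparmor.systemd[107]: "
    "Not starting AppArmor in container\n"
)

TOTAL = re.compile(r"^(\d+) profiles are loaded\.$")
MODE_HEADER = re.compile(r"^(\d+) profiles are in (\w+) mode\.$")


def parse_aa_status(text):
    """Parse plain-text aa-status output into {'loaded': int, 'modes': {mode: [names]}}.

    Raises ValueError when a mode header declares a different number of
    profiles than are listed under it (for example a truncated capture).
    """
    result = {"loaded": None, "modes": {}}
    declared = {}
    current = None  # mode whose indented profile names we are collecting
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented entry: belongs to the current profile-mode section;
            # entries under "processes" headers are ignored.
            if current is not None:
                result["modes"][current].append(line.strip())
            continue
        current = None
        total = TOTAL.match(line)
        if total:
            result["loaded"] = int(total.group(1))
            continue
        header = MODE_HEADER.match(line)
        if header:
            current = header.group(2)
            declared[current] = int(header.group(1))
            result["modes"][current] = []
    for mode, names in result["modes"].items():
        if len(names) != declared[mode]:
            raise ValueError(
                f"{mode}: header says {declared[mode]}, found {len(names)}"
            )
    return result


def profile_names(status):
    """All loaded profile names, regardless of mode."""
    return {name for names in status["modes"].values() for name in names}


def lost_profiles(before_text, after_text):
    """Profiles present in the first capture but missing from the second."""
    before = profile_names(parse_aa_status(before_text))
    after = profile_names(parse_aa_status(after_text))
    return sorted(before - after)


def skipped_in_container(journal_text):
    """True when the apparmor unit logged that it did not load profiles."""
    return "Not starting AppArmor in container" in journal_text


def regression_report(before_text, after_text, journal_text):
    """Combine both signals into one result suitable for a CI gate."""
    return {
        "lost": lost_profiles(before_text, after_text),
        "skipped_in_container": skipped_in_container(journal_text),
    }


if __name__ == "__main__":
    print(regression_report(BEFORE_REBOOT, AFTER_REBOOT, JOURNAL))
```

The parser handles both the 2.13 and the 3.0 aa-status layouts shown in the log, since the extra "kill" and "unconfined" headers are just further mode sections.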
