canonical-ci-engineering team mailing list archive

Thread
Date

Re: Otto / LXC problems

To: Stéphane Graber <stephane.graber@xxxxxxxxxxxxx>
From: Vincent Ladeuil <vila+ci@xxxxxxxxxxxxx>
Date: Thu, 10 Oct 2013 17:28:45 +0200
Cc: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@xxxxxxxxxxxxx>, Didier Roche <didier.roche@xxxxxxxxxxxxx>, Timo Jyrinki <timo.jyrinki@xxxxxxxxxxxxx>, canonical-ci-engineering@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20131010125833.GA3453@castiana> ("Stéphane Graber"'s message of "Thu, 10 Oct 2013 08:58:33 -0400")
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

>>>>> Stéphane Graber <stephane.graber@xxxxxxxxxxxxx> writes:

    > On Thu, Oct 10, 2013 at 10:12:39AM +0300, Timo Jyrinki wrote:
    >> Hi,
    >> 
    >> Thanks to the efforts yesterday, an lxc problem was identified and
    >> fixed (https://lists.ubuntu.com/archives/saucy-changes/2013-October/011959.html)
    >> during the night my time.
    >> 
    >> However, cyphermox reported to me that he updated the containers and
    >> the 'check' (autopilot) jobs of cu2d continue to fail. So the dbus <->
    >> apparmor <-> lxc triangle is not yet in complete harmony. He suggested
    >> checking the /var/log/upstart/lightdm.log and sending it to stgraber /
    >> security team. So here goes:
    >> 
    >> http://pastebin.ubuntu.com/6216936/
    >> 
    >> It's taken from dx-autopilot-intel and the latest container
    >> saucy-i386-20131010-0216.
    >> 
    >> -Timo
    >> 
    >> ps. thanks Evan for the ubuntu-engineering post

    > Can you make sure the host is up to date,

It is.

    > reboot it after that

Done.

    > (since the dbus apparmor changes came through a kernel change) and
    > then tell me what version of LXC is on the host

root@dx-autopilot-intel:/var/lib/jenkins# apt-cache policy lxc
lxc:
  Installed: 1.0.0~alpha1-0ubuntu10
  Candidate: 1.0.0~alpha1-0ubuntu10
  Version table:
 *** 1.0.0~alpha1-0ubuntu10 0
        500 http://us.archive.ubuntu.com/ubuntu/ saucy/main i386 Packages
        100 /var/lib/dpkg/status

    > and attach the "dmesg" output right after a failure.

dmesg attached.

    > If it's really still an apparmor profile issue, there will be denials in
    > the dmesg output, if not, then it's something else that's breaking your
    > tests.

Now, otto (which is creating the lxc container) mounts an iso and as
such requires a loop device. To get that it disables:

root@dx-autopilot-intel:/etc/apparmor.d/disable# ls -lart
total 8
lrwxrwxrwx 1 root root   33 Jun  4 10:34 usr.sbin.rsyslogd -> /etc/apparmor.d/usr.sbin.rsyslogd
drwxr-xr-x 9 root root 4096 Oct 10 13:14 ..
lrwxrwxrwx 1 root root   33 Oct 10 13:15 usr.bin.lxc-start -> /etc/apparmor.d/usr.bin.lxc-start
drwxr-xr-x 2 root root 4096 Oct 10 13:15 .

Not sure how that interacts with the profiles but without them the
container can't be started and use its iso.

          Vincent

Follow ups

Re: Otto / LXC problems
From: Vincent Ladeuil, 2013-10-10

References

Otto / LXC problems
From: Timo Jyrinki, 2013-10-10
Re: Otto / LXC problems
From: Stéphane Graber, 2013-10-10