canonical-ci-engineering team mailing list archive

Thread
Date

Re: Otto / LXC problems

To: Vincent Ladeuil <vila+ci@xxxxxxxxxxxxx>
From: Vincent Ladeuil <vila+ci@xxxxxxxxxxxxx>
Date: Thu, 10 Oct 2013 18:14:49 +0200
Cc: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@xxxxxxxxxxxxx>, canonical-ci-engineering@xxxxxxxxxxxxxxxxxxx, jean-baptiste.lallement@xxxxxxxxxxxxx, Timo Jyrinki <timo.jyrinki@xxxxxxxxxxxxx>, Stéphane Graber <stephane.graber@xxxxxxxxxxxxx>, Didier Roche <didier.roche@xxxxxxxxxxxxx>
In-reply-to: <87eh7tw3f6.fsf@canonical.com> (Vincent Ladeuil's message of "Thu, 10 Oct 2013 17:28:45 +0200")
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

With dmesg really attached and jibel added in CC.

>>>>> Vincent Ladeuil <vila+ci@xxxxxxxxxxxxx> writes:

>>>>> Stéphane Graber <stephane.graber@xxxxxxxxxxxxx> writes:
    >> On Thu, Oct 10, 2013 at 10:12:39AM +0300, Timo Jyrinki wrote:
    >>> Hi,
    >>> 
    >>> Thanks to the efforts yesterday, an lxc problem was identified and
    >>> fixed (https://lists.ubuntu.com/archives/saucy-changes/2013-October/011959.html)
    >>> during the night my time.
    >>> 
    >>> However, cyphermox reported to me that he updated the containers and
    >>> the 'check' (autopilot) jobs of cu2d continue to fail. So the dbus <->
    >>> apparmor <-> lxc triangle is not yet in complete harmony. He suggested
    >>> checking the /var/log/upstart/lightdm.log and sending it to stgraber /
    >>> security team. So here goes:
    >>> 
    >>> http://pastebin.ubuntu.com/6216936/
    >>> 
    >>> It's taken from dx-autopilot-intel and the latest container
    >>> saucy-i386-20131010-0216.
    >>> 
    >>> -Timo
    >>> 
    >>> ps. thanks Evan for the ubuntu-engineering post

    >> Can you make sure the host is up to date,

    > It is.

    >> reboot it after that

    > Done.

    >> (since the dbus apparmor changes came through a kernel change) and
    >> then tell me what version of LXC is on the host

    > root@dx-autopilot-intel:/var/lib/jenkins# apt-cache policy lxc
    > lxc:
    >   Installed: 1.0.0~alpha1-0ubuntu10
    >   Candidate: 1.0.0~alpha1-0ubuntu10
    >   Version table:
    >  *** 1.0.0~alpha1-0ubuntu10 0
    >         500 http://us.archive.ubuntu.com/ubuntu/ saucy/main i386 Packages
    >         100 /var/lib/dpkg/status

    >> and attach the "dmesg" output right after a failure.

    > dmesg attached.

    >> If it's really still an apparmor profile issue, there will be denials in
    >> the dmesg output, if not, then it's something else that's breaking your
    >> tests.

    > Now, otto (which is creating the lxc container) mounts an iso and as
    > such requires a loop device. To get that it disables:

    > root@dx-autopilot-intel:/etc/apparmor.d/disable# ls -lart
    > total 8
    > lrwxrwxrwx 1 root root   33 Jun  4 10:34 usr.sbin.rsyslogd -> /etc/apparmor.d/usr.sbin.rsyslogd
    > drwxr-xr-x 9 root root 4096 Oct 10 13:14 ..
    > lrwxrwxrwx 1 root root   33 Oct 10 13:15 usr.bin.lxc-start -> /etc/apparmor.d/usr.bin.lxc-start
    > drwxr-xr-x 2 root root 4096 Oct 10 13:15 .

    > Not sure how that interacts with the profiles but without them the
    > container can't be started and use its iso.

    >           Vincent

Attachment: dmesg-autopilot-intel
Description: Binary data

Follow ups

Re: Otto / LXC problems
From: Timo Jyrinki, 2013-10-11

References

Otto / LXC problems
From: Timo Jyrinki, 2013-10-10
Re: Otto / LXC problems
From: Stéphane Graber, 2013-10-10
Re: Otto / LXC problems
From: Vincent Ladeuil, 2013-10-10