[perfsonar-user] owamp/twamp apparmor problem in lxd container


  • From: Brian Candler <>
  • Subject: [perfsonar-user] owamp/twamp apparmor problem in lxd container
  • Date: Sat, 31 Aug 2019 13:41:49 +0100

I've just been trying to install the latest perfsonar-toolkit from deb packages inside an Ubuntu 18.04 lxd container.  I set security.privileged=true to avoid any issues with uid mapping.

The owamp and twamp packages fail to complete installation, because the daemons fail to start, terminating with signal 11 (SEGV).  Testing this by hand, I see the same:

root@perf1:~# /usr/sbin/owampd
Segmentation fault
root@perf1:~# strace -f /usr/sbin/owampd
execve("/usr/sbin/owampd", ["/usr/sbin/owampd"], 0x7ffeaf823578 /* 12 vars */) = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
+++ killed by SIGSEGV +++
Segmentation fault (core dumped)

On googling this, I found a similar problem here:

https://discuss.linuxcontainers.org/t/solved-ipsec-status-segfaults-in-lxd-container/2201

It seems the issue is to do with apparmor, although /etc/apparmor.d/usr.sbin.owampd exists and I don't have enough apparmor fu to see if there's anything wrong with it.

Changed it to complain mode:

root@perf1:~# apt-get install apparmor-utils
...
root@perf1:~# aa-complain /etc/apparmor.d/usr.sbin.owampd
Setting /etc/apparmor.d/usr.sbin.owampd to complain mode.

And now it starts:

root@perf1:~# /usr/sbin/owampd -c /etc/owamp-server -R /var/run
root@perf1:~# ps auxwww | grep owamp
owamp     1779  0.0  0.0  11208   156 ?        Ss   12:23   0:00 /usr/sbin/owampd -c /etc/owamp-server -R /var/run
root      1782  0.0  0.0  14856  1092 ?        S+   12:23   0:00 grep --color=auto owamp

dmesg shows this as the affected action:

[75933.788639] audit: type=1400 audit(1567254235.684:566): apparmor="ALLOWED" operation="file_mmap" namespace="root//lxd-perf1_<var-lib-lxd>" profile="/usr/sbin/owampd" name="/usr/sbin/owampd" pid=26877 comm="owampd" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0

Following the suggestion in the ticket above, I added

  /usr/sbin/owampd rm,

to the apparmor profile (note: rm not rw!), and now it seems happy in enforcing mode.  Corresponding change required for twampd too.

Like I say, I don't really understand why this is required, or why it's required in an lxd container but not outside, but I wonder if this change should be included in the distribution packages.

Regards,

Brian.
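As an added example (not part of Brian's post or the perfSONAR packages), the following Python helper does by hand what the post describes: it parses `type=1400` AppArmor audit lines from dmesg, treats `ALLOWED` events from complain mode as "would be denied in enforce mode", and turns each into the file rule to add to the profile, e.g. `/usr/sbin/owampd rm,`. The sample log is constructed; the first line is the one from the post, the other two are made-up twampd and status events.

```python
import re

# Constructed sample: line 1 is the dmesg line from the post, lines 2-3 are made up.
SAMPLE_LOG = """\
[75933.788639] audit: type=1400 audit(1567254235.684:566): apparmor="ALLOWED" operation="file_mmap" namespace="root//lxd-perf1_<var-lib-lxd>" profile="/usr/sbin/owampd" name="/usr/sbin/owampd" pid=26877 comm="owampd" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
[75940.123456] audit: type=1400 audit(1567254242.019:567): apparmor="DENIED" operation="open" profile="/usr/sbin/twampd" name="/etc/twamp-server/twamp-server.conf" pid=26901 comm="twampd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[75941.000000] audit: type=1400 audit(1567254243.000:568): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/owampd" pid=26950 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword, as the audit subsystem prints them
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor file permission letters seen in denied_mask:
#   r read, w write, m executable mmap (what the loader needs at execve),
#   k lock, x execute. "rm" on the binary itself is the post's case.
_FILE_PERMS = set("rwmkx")


def parse_apparmor_line(line):
    """Return a dict of audit fields, or None if this is not an AppArmor event."""
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("type") != "1400" or "apparmor" not in fields:
        return None
    return fields


def suggest_rule(event):
    """Build the profile rule that would satisfy this event, or None.

    ALLOWED in complain mode means enforce mode would have denied it,
    so both ALLOWED and DENIED yield a rule; STATUS etc. yield nothing.
    """
    if event.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None
    name, mask = event.get("name"), event.get("denied_mask", "")
    perms = "".join(p for p in mask if p in _FILE_PERMS)
    if not name or not perms:
        return None
    # Two-space indent matches how rules sit inside a profile block.
    return f"  {name} {perms},"


def rules_from_log(text):
    """Unique rules, in first-seen order, for every AppArmor event in text."""
    rules = []
    for line in text.splitlines():
        event = parse_apparmor_line(line)
        rule = suggest_rule(event) if event else None
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```

The output is meant to be pasted into the profile and reloaded, then checked in enforce mode; for anything beyond a couple of rules, `aa-logprof` from apparmor-utils does the same job interactively.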


