
Pulling Vagrant up in Cloud VPS on buster fails with apparmor preventing the mount
Closed, Resolved (Public)

Description

On a fresh buster box on Cloud VPS, after applying the vagrant Puppet role, and the fix from T236455 (Make MediaWiki-Vagrant work with LXC provider on Debian Buster when using role::labs::mediawiki_vagrant), vagrant up fails with:

The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

systemctl stop ifup@eth0.service;systemctl start ifup@eth0.service

Stdout from the command:

Stderr from the command:

A dependency job for ifup@eth0.service failed. See 'journalctl -xe' for details.

The journal file says:

kernel: audit: type=1400 audit(1572001341.170:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=11962 comm="(ostnamed)" flags="rw, rslave"

Per /etc/apparmor.d/lxc/lxc-default-cgns, the profile is:

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}

Despite all that, the vagrant box seems to be running, but broken (which might or might not be related).
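
A triage helper for denial records like the one quoted in the description, added here as an example and not part of the original task or of MediaWiki-Vagrant: it parses the kernel audit line into fields so that denials can be grouped by profile, operation and target. The function names and the second sample line are constructed for illustration.

```python
import errno
import re
from collections import Counter
from datetime import datetime, timezone

# Matches the "audit(<epoch>.<ms>:<serial>): <key=value ...>" part of a record.
AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\): (.*apparmor=.*)$')
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_event(line):
    """Return a dict for an AppArmor audit record, or None for other lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    seconds, serial, body = m.groups()
    ev = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(body)}
    ev["time"] = datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()
    ev["serial"] = int(serial)
    if "error" in ev:  # the kernel logs a negative errno, e.g. -13
        ev["errno"] = errno.errorcode.get(abs(int(ev["error"])), ev["error"])
    if "flags" in ev:  # mount flags are a comma-separated list
        ev["flags"] = [flag.strip() for flag in ev["flags"].split(",")]
    return ev

def summarize_denials(lines):
    """Count DENIED records per (profile, operation, target name)."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev and ev.get("apparmor") == "DENIED":
            counts[(ev.get("profile"), ev.get("operation"), ev.get("name"))] += 1
    return counts

SAMPLE_LINES = [
    # Record quoted in the task description.
    'kernel: audit: type=1400 audit(1572001341.170:32): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 '
    'profile="lxc-container-default-cgns" name="/" pid=11962 '
    'comm="(ostnamed)" flags="rw, rslave"',
    # Constructed non-AppArmor journal line, to show it is skipped.
    'systemd[1]: Started Session 4 of user vagrant.',
]

if __name__ == "__main__":
    event = parse_apparmor_event(SAMPLE_LINES[0])
    print(event["time"], event["profile"], event["operation"],
          event["name"], event["flags"], event["errno"])
    for key, count in summarize_denials(SAMPLE_LINES).items():
        print(count, key)
```
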

Event Timeline

Tgr created this task. Fri, Oct 25, 4:07 PM
Restricted Application added a subscriber: Aklapper. Fri, Oct 25, 4:07 PM

This should have been fixed by https://gerrit.wikimedia.org/r/#/c/mediawiki/vagrant/+/546372/. Have you done a git pull in /srv/mediawiki-vagrant since that change was merged?

Tgr added a comment. Mon, Nov 11, 3:47 AM

Yes, but I don't know if I have restarted the vagrant box since then, and apart from the error during vagrant up I never saw any obvious effect in the first place. vagrant reload does work fine now.

bd808 closed this task as Resolved. Mon, Nov 11, 3:27 PM
bd808 claimed this task.