If you get the error libvirt destroy lxc permission denied when trying to stop a container:
```sh
# virsh -c lxc:/// destroy test-ubuntu
error: Failed to destroy domain test-ubuntu
error: Failed to kill process test-ubuntu: Permission denied
```
this means that libvirtd cannot kill the processes running inside the container, in particular the /sbin/dhclient process.
To see the exact error, run tail -n 4 /var/log/syslog:
```text
Dec 16 23:39:06 alfabook kernel: [38705.576041] audit: type=1400 audit(1513445946.303:206): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:43 alfabook libvirtd[18314]: 2017-12-16 17:40:43.193+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
Dec 16 23:40:43 alfabook kernel: [38802.469210] audit: type=1400 audit(1513446043.192:207): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:44 alfabook libvirtd[18314]: 2017-12-16 17:40:44.650+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
```
In this case peer="/usr/sbin/libvirtd" is not allowed (DENIED) to send the signal signal=term to the process under profile="/sbin/dhclient" (pid=18321).
This can be solved in two ways.
Method 1:
Add the following line to the file /etc/apparmor.d/sbin.dhclient:
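The audit record above is the only input needed to write the missing rule. As an added example (not from the original post), this script parses constructed syslog lines of the same shape, keeps only apparmor="DENIED" operation="signal" records, and prints the narrowest signal rule per confined profile; the field names are those of the AppArmor audit format, the sample lines are constructed:

```python
import re
from typing import Dict, List

# Constructed sample syslog lines modelled on the denials discussed above.
SAMPLE_SYSLOG = """\
Dec 16 23:39:06 alfabook kernel: [38705.576041] audit: type=1400 audit(1513445946.303:206): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
Dec 16 23:40:43 alfabook libvirtd[18314]: 2017-12-16 17:40:43.193+0000: 18321: error : virCgroupKillInternal:3597 : Failed to kill process 20299: Permission denied
Dec 16 23:40:43 alfabook kernel: [38802.469210] audit: type=1400 audit(1513446043.192:207): apparmor="DENIED" operation="signal" profile="/sbin/dhclient" pid=18321 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/libvirtd"
"""

# key=value or key="value" pairs as they appear in AppArmor audit records
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_fields(line: str) -> Dict[str, str]:
    """Return the key/value fields of an AppArmor audit line, or {} if it is not one."""
    if 'apparmor="' not in line:
        return {}
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def signal_rule(fields: Dict[str, str]) -> str:
    """Build the narrowest AppArmor rule that would permit one denied signal."""
    mask = fields["denied_mask"]  # "receive" here: the confined profile is the target
    return f'signal ({mask}) set={fields["signal"]} peer={fields["peer"]},'


def rules_from_syslog(text: str) -> Dict[str, List[str]]:
    """Map each confined profile to the deduplicated signal rules it is missing."""
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        f = parse_audit_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "signal":
            continue  # libvirtd's own error lines and non-signal denials are skipped
        rule = signal_rule(f)
        bucket = rules.setdefault(f["profile"], [])
        if rule not in bucket:
            bucket.append(rule)
    return rules


if __name__ == "__main__":
    for profile, lines in rules_from_syslog(SAMPLE_SYSLOG).items():
        print(f"# add to the profile for {profile}:")
        for r in lines:
            print("  " + r)
```

The generated line is equivalent to the one Method 1 adds by hand, limited to the single signal that was denied rather than the broader abstraction include that aa-logprof offers first.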
```text
signal (receive) peer=/usr/sbin/libvirtd,
```
Reload the profile:
```sh
cat /etc/apparmor.d/sbin.dhclient | sudo apparmor_parser -r
```
Method 2:
The more involved one.
Switch the AppArmor profile for dhclient into learning (complain) mode:
```sh
sudo aa-complain /etc/apparmor.d/sbin.dhclient
```
Then destroy the container:
```sh
virsh -c lxc:/// destroy test-ubuntu
```
Analyse the logs with the aa-logprof command:
```text
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:  /sbin/dhclient
Access mode: receive
Signal: term
Peer: /usr/sbin/libvirtd

 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/lxc/container-base>
  3 - #include <abstractions/lxc/start-container>
  4 - signal receive set=term peer=/usr/sbin/libvirtd,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding #include <abstractions/libvirt-qemu> to profile.
Deleted 2 previous matching profile entries.

Profile:  /{usr/,}bin/ping
Capability: dac_override
Severity: 9

 [1 - #include <abstractions/libvirt-qemu>]
  2 - #include <abstractions/lxc/container-base>
  3 - #include <abstractions/lxc/start-container>
  4 - capability dac_override,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding #include <abstractions/libvirt-qemu> to profile.
Deleted 1 previous matching profile entries.
Enforce-mode changes:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /sbin/dhclient]
  2 - /{usr/,}bin/ping
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /sbin/dhclient.
Writing updated profile for /{usr/,}bin/ping.
```
Restore enforcement:
```sh
aa-enforce /etc/apparmor.d/sbin.dhclient
```