Topic: Zentyal 5.0 install under LXD container - possible apparmor issue

sarraceno

Hi!

Currently I have an LXD container with Ubuntu 16.10.
In this container I installed Zentyal 5 via apt, which ran fine.

But when I tried to activate/configure File sharing I got a failure.

It seems to be related to AppArmor, and probably tied to LXD/LXC.
Has anyone had such an "experience", or can anyone help with this?

Details of the LXD container:
Code:
root@kvm02:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety

root@kvm02:~# uname -a
Linux kvm02 4.8.0-40-generic #43-Ubuntu SMP Thu Feb 23 16:01:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

root@kvm02:~# lxc version
2.10

root@kvm02:~# lxc config show nas02
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 16.04 LTS amd64 (release) (20170224)
  image.label: release
  image.os: ubuntu
  image.release: xenial
  image.serial: "20170224"
  image.version: "16.04"
  raw.lxc: raw.lxc.aa_profile=unconfined
  volatile.base_image: 96e12fc44b24f052b5f959137fabff715b83856a8a5eb64fbc1338d3f173a82e
  volatile.eth0.hwaddr: 00:16:3e:76:2d:04
  volatile.idmap.base: "0"
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
devices:
  nas02home:
    path: /home
    source: /vols/datastore03/data/nas02/home
    type: disk
  nas02shares00:
    path: /shares00
    source: /vols/datastore03/data/nas02/shares
    type: disk
  root:
    path: /
    pool: kvm02
    type: disk
ephemeral: false
profiles:
- nasATlan

Code:
root@kvm02:~# lxc profile show appATlan
config:
  boot.autostart: "true"
  boot.autostart.delay: "60"
  boot.autostart.priority: "1"
  environment.http_proxy: http://[fe80::1%eth0]:13128
  user.network_mode: link-local
description: ""
devices:
  eth0:
    name: eth0
    nictype: macvlan
    parent: tapLANp00
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: appATlan
used_by: []

The error in the Zentyal log:
Code:
EBox::Samba::Provision::setupDNS('EBox::Samba::Provision=HASH(0x70f5ed8)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 527
eval {...} at /usr/share/perl5/EBox/Samba/Provision.pm line 488
EBox::Samba::Provision::provisionDC('EBox::Samba::Provision=HASH(0x70f5ed8)', 192.168.30.12) called at /usr/share/perl5/EBox/Samba/Provision.pm line 369
EBox::Samba::Provision::provision('EBox::Samba::Provision=HASH(0x70f5ed8)') called at /usr/share/perl5/EBox/Samba.pm line 673
EBox::Samba::_setConf('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Module/Base.pm line 995
EBox::Module::Base::_regenConfig('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Module/Service.pm line 933
EBox::Module::Service::_regenConfig('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Samba.pm line 646
EBox::Samba::_regenConfig('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 657
eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 656
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x28f81c8)', 'progress', 'EBox::ProgressIndicator=HASH(0x4e57810)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x4e6ffb8)', 'progress', 'EBox::ProgressIndicator=HASH(0x4e57810)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2017/03/07 14:01:07 INFO> Provision.pm:299 EBox::Samba::Provision::setupKerberos - Setting up kerberos
2017/03/07 14:01:07 INFO> Provision.pm:276 EBox::Samba::Provision::setupDNS - Setting up DNS
2017/03/07 14:01:07 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2017/03/07 14:01:07 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/03/07 14:01:07 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed.
Error output: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
 Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
 Use --subdomainfs to override.

Command output: .
Exit value: 1 at root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed.
Error output: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
 Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
 Use --subdomainfs to override.

Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/heIyelcquS.cmd 2> /var/lib/zentyal/tmp/stderr', '/sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named', 256, 'ARRAY(0x722fc88)', 'ARRAY(0x7350520)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, '/sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('/sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named') called at /usr/share/perl5/EBox/Module/Base.pm line 979
EBox::Module::Base::_setAppArmorProfiles('EBox::DNS=HASH(0x59bc4b8)') called at /usr/share/perl5/EBox/Module/Base.pm line 996
EBox::Module::Base::_regenConfig('EBox::DNS=HASH(0x59bc4b8)') called at /usr/share/perl5/EBox/Module/Service.pm line 933
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0x59bc4b8)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::DNS=HASH(0x59bc4b8)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 289
EBox::Samba::Provision::setupDNS('EBox::Samba::Provision=HASH(0x70f5ed8)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 539
EBox::Samba::Provision::provisionDC('EBox::Samba::Provision=HASH(0x70f5ed8)', 192.168.30.12) called at /usr/share/perl5/EBox/Samba/Provision.pm line 369
EBox::Samba::Provision::provision('EBox::Samba::Provision=HASH(0x70f5ed8)') called at /usr/share/perl5/EBox/Samba.pm line 673
EBox::Samba::_setConf('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Module/Base.pm line 995
EBox::Module::Base::_regenConfig('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Module/Service.pm line 933
EBox::Module::Service::_regenConfig('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Samba.pm line 646
EBox::Samba::_regenConfig('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/Module/Base.pm line 234
eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233
EBox::Module::Base::save('EBox::Samba=HASH(0x5df2808)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 657
eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 656
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x28f81c8)', 'progress', 'EBox::ProgressIndicator=HASH(0x4e57810)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x4e6ffb8)', 'progress', 'EBox::ProgressIndicator=HASH(0x4e57810)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30
2017/03/07 14:01:07 ERROR> GlobalImpl.pm:661 EBox::GlobalImpl::saveAllModules - Failed to save changes in module samba: root command /sbin/apparmor_parser --write-cache --replace /etc/apparmor.d/usr.sbin.named failed.
Error output: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
 Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
 Use --subdomainfs to override.

Command output: .
Exit value: 1
2017/03/07 14:01:07 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: logs
2017/03/07 14:01:07 ERROR> GlobalImpl.pm:736 EBox::GlobalImpl::saveAllModules - The following modules failed while saving their changes, their state is unknown: dns samba  at The following modules failed while saving their changes, their state is unknown: dns samba  at /usr/share/perl5/EBox/GlobalImpl.pm line 736
EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x28f81c8)', 'progress', 'EBox::ProgressIndicator=HASH(0x4e57810)') called at /usr/share/perl5/EBox/Global.pm line 95
EBox::Global::AUTOLOAD('EBox::Global=HASH(0x4e6ffb8)', 'progress', 'EBox::ProgressIndicator=HASH(0x4e57810)') called at /usr/share/zentyal/global-action line 32
eval {...} at /usr/share/zentyal/global-action line 30


Best regards!
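
Added example (not part of the original post or of Zentyal): a shell check for the two conditions the apparmor_parser error above points at, a securityfs mount listed in /proc/mounts and the AppArmor policy interface beneath it. The ROOT argument and the status words are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: can apparmor_parser reach the kernel's AppArmor interface?
# ROOT is a hypothetical path prefix so the check can be pointed at a
# constructed directory tree; pass "" on a real system.

# Print the mount point of the first securityfs entry in a mounts file.
securityfs_mount() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$3 == "securityfs" { print $2; exit }' "$1"
}

# Print one status word:
#   no-securityfs  no securityfs entry in the mounts file (the
#                  "unable to find a suitable fs in /proc/mounts" warning)
#   no-apparmor    securityfs is mounted but has no apparmor directory
#   no-interface   the apparmor directory lacks .replace, the kernel file
#                  through which policy is replaced
#   ok             the policy interface is visible from here
aa_load_status() {
    root=$1
    mounts=${2:-$root/proc/mounts}
    [ -r "$mounts" ] || { echo no-securityfs; return 0; }
    mnt=$(securityfs_mount "$mounts")
    [ -n "$mnt" ] || { echo no-securityfs; return 0; }
    aa=$root$mnt/apparmor
    [ -d "$aa" ] || { echo no-apparmor; return 0; }
    [ -e "$aa/.replace" ] || { echo no-interface; return 0; }
    echo ok
}

# Check the system this script runs on (inside the container, in this case).
aa_load_status ""
```

Running it both on the LXD host and inside the container shows whether the interface is missing only in the container's view.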

damiannogueiras

Re: Zentyal 5.0 install under LXD container - possible apparmor issue
« Reply #1 on: December 28, 2017, 11:57:37 am »
I have the same failure.
Have you been able to solve it?

elurex

Re: Zentyal 5.0 install under LXD container - possible apparmor issue
« Reply #2 on: January 09, 2018, 08:31:04 am »
I have the same failure as well.

The LXC does not auto-start ntp and bind9... and after systemctl enable bind9 and systemctl enable ntp, ntp needs to be started manually every time.

Same for samba-ad-dc: I must manually run systemctl start samba-ad-dc.service or put the entry in /etc/rc.local.

However, the webadmin does not allow me to make any configuration.

Code:
Command output: .
Exit value: 243 at /usr/share/perl5/EBox/Module/Service.pm line 964
EBox::Module::Service::restartService('EBox::Samba=HASH(0x6415200)', 'restartModules', 1) called at /usr/share/perl5/EBox/Util/Init.pm line 121
eval {...} at /usr/share/perl5/EBox/Util/Init.pm line 119
EBox::Util::Init::moduleAction('samba', 'restartService', 'restart') called at /usr/share/perl5/EBox/Util/Init.pm line 247
EBox::Util::Init::moduleRestart('samba') called at /usr/bin/zs line 62
main::main at /usr/bin/zs line 82


yosansi

Error loading class: EBox::Firewall error: Attempt to reload EBox/Firewall.pm aborted. Compilation failed in require at (eval 280) line 2. BEGIN failed--compilation aborted at (eval 280) line 2. at /usr/share/perl5/EBox/GlobalImpl.pm line 838
Hello

I don't know if this is the right way to do this, but I need help.
I have Zentyal Community Edition 4 installed and it worked fine until I decided to upgrade to version 5, where I get this error and it won't let me into the dashboard.
This is the error:
Error loading class: EBox::Firewall error: Attempt to reload EBox/Firewall.pm aborted. Compilation failed in require at (eval 280) line 2. BEGIN failed--compilation aborted at (eval 280) line 2. at /usr/share/perl5/EBox/GlobalImpl.pm line 838


Could someone help me? I am very new to Zentyal and to the free software world.

sarraceno

Re: Zentyal 5.0 install under LXD container - possible apparmor issue
« Reply #4 on: February 17, 2018, 03:50:32 pm »
Hi all!

First: in my experience across projects I see too many AppArmor conflicts raised from the bottom up into LXD containers... For me this demands more work time. I once tried to spend some time building a new AppArmor profile, but integrating it into running LXD containers was turning me into more of an LXD contributor/developer, which I can't be; I do not know as much as needed... :(

So, my question stands... I also do not know whether things are different with U17.10...

Second: yosansi, you are new to this free software world... but why don't you try submitting the post in a more appropriate place?
Also, try to back up (you will find pages here on how to do that), install fresh, and put the needed files in place... it will work perfectly. The most annoying work will only be the Wizard reconfiguration for users and other things, but do not forget to do an application backup under the Zentyal 4 WebAdminGui. This also applies similarly to other versions... more or less the same since 2.x

damiannogueiras

Re: Zentyal 5.0 install under LXD container - possible apparmor issue
« Reply #5 on: July 08, 2019, 09:34:20 am »
My solution was to disable the AppArmor profiles usr.sbin.named, usr.sbin.mysqld and usr.sbin.ntpd in the Zentyal LXC:
# ln -s /etc/apparmor.d/profile /etc/apparmor.d/disable/
https://help.ubuntu.com/community/AppArmor#Disable_one_profile

AppArmor doesn't permit reloading a profile. When you change the config in Zentyal, if the profile is enabled, it changes it and tries to reload the profile.
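
Added example (not the poster's or Ubuntu's own script): the disable step from the linked wiki section applied to the three profiles named above, plus a listing of what is currently disabled so the exception stays reviewable. The function names and the AA_DIR argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. AA_DIR is a hypothetical parameter naming the AppArmor
# configuration directory (/etc/apparmor.d on Ubuntu).

# Symlink each named profile into AA_DIR/disable/.
# Returns non-zero if any named profile file does not exist.
disable_profiles() {
    aa_dir=$1; shift
    mkdir -p "$aa_dir/disable" || return 1
    rc=0
    for name in "$@"; do
        if [ ! -f "$aa_dir/$name" ]; then
            echo "missing profile: $name" >&2
            rc=1
            continue
        fi
        # -f keeps the step idempotent when the link already exists
        ln -sf "$aa_dir/$name" "$aa_dir/disable/$name"
    done
    return $rc
}

# List the profiles currently disabled, one per line, sorted, for review.
list_disabled() {
    for link in "$1"/disable/*; do
        [ -L "$link" ] && basename "$link"
    done | sort
}

# Usage on the container (run as root):
#   disable_profiles /etc/apparmor.d usr.sbin.named usr.sbin.mysqld usr.sbin.ntpd
#   list_disabled /etc/apparmor.d
```

The wiki section additionally unloads an already loaded profile with apparmor_parser -R, which only works where the kernel policy interface is reachable.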

doncamilo

Re: Zentyal 5.0 install under LXD container - possible apparmor issue
« Reply #6 on: July 17, 2019, 06:02:29 pm »
Hi!  :)
I don't like to disable "apparmor". I think this isn't a useful fix for a production environment.
Here https://debian-handbook.info/browse/es-ES/stable/sect.apparmor.html there's a valuable resource in order to understand and to configure Apparmor.
To modify an apparmor rule isn't so difficult!
Cheers!