Distribution EOLE

La première erreur rapportée est un timeout qui existe aussi quand on exécute la commande hostnamectl à la main dans le conteneur.
La connexion au conteneur est par ailleurs très longue a aboutir.

Dans le même temps, dmseg enregistre l’activité suivante :

[ 6435.897758] audit: type=1400 audit(1718012376.097:1937): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-partage_</var/lib/lxc>" name="/dev/" pid=36502 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6435.948892] audit: type=1400 audit(1718012376.148:1938): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-reseau_</var/lib/lxc>" name="/dev/" pid=36504 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6436.068802] audit: type=1400 audit(1718012376.268:1939): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-bdd_</var/lib/lxc>" name="/dev/" pid=36520 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6436.146281] audit: type=1400 audit(1718012376.346:1940): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-partage_</var/lib/lxc>" name="/dev/" pid=36527 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6436.226729] audit: type=1400 audit(1718012376.426:1941): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-bdd_</var/lib/lxc>" name="/dev/" pid=36529 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6436.478778] audit: type=1400 audit(1718012376.678:1942): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-bdd_</var/lib/lxc>" name="/dev/" pid=36531 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6436.724028] audit: type=1400 audit(1718012376.924:1943): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-bdd_</var/lib/lxc>" name="/dev/" pid=36533 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6436.974419] audit: type=1400 audit(1718012377.174:1944): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-bdd_</var/lib/lxc>" name="/dev/" pid=36535 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6437.313494] audit: type=1400 audit(1718012377.513:1945): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-addc_</var/lib/lxc>" name="/dev/" pid=36548 comm="(sd-mkdcreds)" flags="rw, rslave" 
[ 6437.565311] audit: type=1400 audit(1718012377.765:1946): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-addc_</var/lib/lxc>" name="/dev/" pid=36559 comm="(sd-mkdcreds)" flags="rw, rslave" 

Cela se traduit par une procédure d’instance très longue (plus d’une heure).
Après aa-teardown pour décharger les profils d’apparmor, la procédure d’instance est beaucoup plus rapide : 10 minutes.

Les autres problèmes immédiatement visible lors de l’instance sont :
- l’exécution de quotacheck en pretemplate

quotacheck: Impossible de remonter le système de fichier monté sur / en lecture seule, les valeurs comptabilisées riquent d'être fausses.
Veuillez interrompre tous les programmes qui écrivent sur ce système de fichiers ou utilisez l'option -m pour forcer la vérification.

run-parts: executing /usr/share/eole/postservice/30-eole-workstation-manager instance
Résolution du nom d'hôte "salt" en 10.3.2.5 : Record added successfully

Ajout du compte de jonction au domaine 'eole-workstation-manager'... 
User 'eole-workstation-manager' added successfully
Mise en conformité de l’utilisateur 'eole-workstation-manager'... 
Expiry for user 'eole-workstation-manager' disabled.
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
Changed password OK
Délégation pour 'eole-workstation-manager' absentes sur CN=Computers
ERROR(<class 'ValueError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/dsacl.py", line 148, in run
    self.add_ace(sd_helper, objectdn, new_ace)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dsacl.py", line 103, in add_ace
    ai,ii = sd_helper.dacl_prepend_aces(object_dn, new_ace)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/sd_utils.py", line 171, in dacl_prepend_aces
    ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Impossible de positionner la délégation pour 'eole-workstation-manager' sur CN=Computers
Ajout du compte de lecture 'eole-workstation-reader'... 
User 'eole-workstation-reader' added successfully

This version of Nextcloud is not compatible with PHP>=8.2.<br/>You are currently running 8.3.6.

Extrait de la configuration apparmor qui serait en cause :

  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount options=(rw, make-shared) -> **,
  mount options=(rw, make-rshared) -> **,
  mount fstype=debugfs,
  mount fstype=fuse.*,

Le service en conteneur qui n’est pas compatible avec les règles de montage de Apparmor est systemd-logind (d’où la lenteur de connexion ssh, pam_systemd étant déclaré dans /etc/pam.d/common-session).
Il semble nécessaire de permettre le montage hors sandbox pour ce se soit fonctionnel.

Un problème similaire a déjà été rencontré par le passé :
https://wiki.debian.org/LXC/SystemdMountsAndAppArmor

Dans le contexte d’exécution sur EOLE, l’assouplissement des règles de contrôle semble acceptable.

Il y a peut-être d’autres services systemd-* impactés en conteneur :
- systemd-hostnamed (fonctionne quand on arrête apparmor)
- d’autres services en échec mais peut-être pas en lien avec apparmor : systemd-networkd, systemd-resolved, systemd-sysctl, systemd-tmpfiles-setup-*

Les services systemd-* forment le gros des services en échec dans le conteneur addc.

Rapport de bug qui semble lié : https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064144

En jouant avec le profil apparmor chargé :

root@partage:~# systemctl list-units -t service --failed
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION                                  
● console-getty.service                    loaded failed failed Console Getty
● systemd-resolved.service                 loaded failed failed Network Name Resolution
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create Volatile Files and Directories

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

6 loaded units listed.
root@partage:~# exit
déconnexion
root@amonecole:~# vim /var/lib/lxc/partage/config 
root@amonecole:~# lxc-stop partage
root@amonecole:~# lxc-start partage
root@amonecole:~# ssh partage

EOLE est une distribution libre dérivée de la distribution Ubuntu.
Veuillez consulter les licences de chacun des produits dans
/usr/share/doc/*/copyright/.

Documentation EOLE : http://eole.ac-dijon.fr/documentations/
Last login: Mon Jun 17 14:51:02 2024 from 192.0.2.1
root@partage:~# systemctl list-units -t service --failed
  UNIT                     LOAD   ACTIVE SUB    DESCRIPTION            
● systemd-resolved.service loaded failed failed Network Name Resolution

Avec comme différence (profil généré VS profil généré avec règles décommentées)

< #  mount options=(rw,make-slave) -> **,
< #  mount options=(rw,make-rslave) -> **,
< #  mount options=(rw,make-shared) -> **,
< #  mount options=(rw,make-rshared) -> **,
< #  mount options=(rw,make-private) -> **,
< #  mount options=(rw,make-rprivate) -> **,
< #  mount options=(rw,make-unbindable) -> **,
< #  mount options=(rw,make-runbindable) -> **,
---
>   mount options=(rw,make-slave) -> **,
>   mount options=(rw,make-rslave) -> **,
>   mount options=(rw,make-shared) -> **,
>   mount options=(rw,make-rshared) -> **,
>   mount options=(rw,make-private) -> **,
>   mount options=(rw,make-rprivate) -> **,
>   mount options=(rw,make-unbindable) -> **,
>   mount options=(rw,make-runbindable) -> **,

Le changement de syntaxe (* devenant {,/*}) ne semble pas indispensable (mais offre une meilleure protection ?).

La version générée du profil n’est, a priori, pas modifiable. Elle semble construite au moment de la compilation de lxc (la version du paquet liblxc-common sur oracular est corrigée).

Il reste toutefois des services en erreurs (variables selon les conteneurs).

ssh addc "systemctl list-units -t service --failed" 
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION
● console-getty.service                    loaded failed failed Console Getty
● systemd-resolved.service                 loaded failed failed Network Name Resolution
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create Volatile Files and Directories

ssh reseau "systemctl list-units -t service --failed" 
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION
● console-getty.service                    loaded failed failed Console Getty
● courier-authdaemon.service               loaded failed failed Courier Authentification Daemon
● eoleapps.service                         loaded failed failed Eole flask server
● exim4.service                            loaded failed failed exim Mail Transport Agent
● spamd.service                            loaded failed failed Perl-based spam filter using text analysis
● systemd-resolved.service                 loaded failed failed Network Name Resolution
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create Volatile Files and Directories

ssh partage "systemctl list-units -t service --failed" 
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION
● console-getty.service                    loaded failed failed Console Getty
● systemd-resolved.service                 loaded failed failed Network Name Resolution
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create Volatile Files and Directories

ssh internet "systemctl list-units -t service --failed" 
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION
● console-getty.service                    loaded failed failed Console Getty
● systemd-resolved.service                 loaded failed failed Network Name Resolution
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create Volatile Files and Directories

ssh bdd "systemctl list-units -t service --failed" 
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION
● console-getty.service                    loaded failed failed Console Getty
● systemd-resolved.service                 loaded failed failed Network Name Resolution
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create Volatile Files and Directories

● courier-authdaemon.service loaded failed failed Courier Authentification Daemon
-> path /run/courier (/authdaemon?) manquant. Un lxc-destroy gen_conteneur semble résoudre le problème. -> problème à l'instance non lié à Apparmor ? En tout cas, sur une daily, Maj-Auto + instance n'a pas le problème.