Containers with Ubuntu 12.04.5 LTS are not getting IPv4's anymore

amikhalitsyn · September 12, 2024, 1:03pm

ok, reverting of a Ubuntu-specific commit dc757a645cfa82f6ac252365df20a36a9ff82760:

commit dc757a645cfa82f6ac252365df20a36a9ff82760
Author: John Johansen <john.johansen@canonical.com>
Date:   Thu Nov 30 11:48:33 2023 -0800

    UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()
    
    BugLink: http://bugs.launchpad.net/bugs/2028253
    
    This begins the transition from doing a broad unconfined() check to a
    finer label_mediates() check. Not only does this allow for finer control
    but it simplifies some code paths, removing redundant checks, will allow
    us to refactor and simplify the code more, and is generally a small
    performance win.
    
    Note: capabilities and resource need to be converted to use pdb
          before they can use label_mediates
    
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    (cherry picked from commit d9b866dc2f134a9e8dc21dbfacc935f454896c49
    https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
    Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

solves the problem.

And precisely the same commit was also known for introducing another issue:

sdeziel1 · September 12, 2024, 1:46pm

A possible workaround is to disable the dhclient Apparmor profile in the instance:

$ lxc launch ubuntu:12.04 c1
$ lxc ls c1
+------+---------+------+--------------------------------------+-----------+-----------+
| NAME |  STATE  | IPV4 |                IPV6                  |   TYPE    | SNAPSHOTS |
+------+---------+------+--------------------------------------+-----------+-----------+
| c1   | RUNNING |      | 2001:a:b:c:216:3eff:fe35:3f87 (eth0) | CONTAINER | 0         |
+------+---------+------+--------------------------------------+-----------+-----------+
$ lxc exec c1 -- ln -sf /etc/apparmor.d/sbin.dhclient /etc/apparmor.d/disable/
$ lxc restart c1
$ lxc ls c1
+------+---------+----------------------+--------------------------------------+-----------+-----------+
| NAME |  STATE  |         IPV4         |                IPV6                  |   TYPE    | SNAPSHOTS |
+------+---------+----------------------+--------------------------------------+-----------+-----------+
| c1   | RUNNING | 172.24.26.135 (eth0) | 2001:a:b:c:216:3eff:fe35:3f87 (eth0) | CONTAINER | 0         |
+------+---------+----------------------+--------------------------------------+-----------+-----------+

harold-snel · September 12, 2024, 2:06pm

Thats a nice workaround!