Today I will describe how to deal with missing AppArmor profiles for microk8s on LXD.
Initial information
Guest operating system version.
$ lsb_release -a
No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04 LTS Release: 20.04 Codename: focal
LXD version on the host operating system.
$ lxd --version
4.0.2
Install apparmor-utils inside the guest operating system.
$ sudo apt install apparmor-utils
Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: python3-apparmor python3-libapparmor Suggested packages: vim-addon-manager The following NEW packages will be installed: apparmor-utils python3-apparmor python3-libapparmor 0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded. Need to get 157 kB of archives. After this operation, 966 kB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 python3-libapparmor amd64 2.13.3-7ubuntu5.1 [26.7 kB] Get:2 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 python3-apparmor amd64 2.13.3-7ubuntu5.1 [78.6 kB] Get:3 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 apparmor-utils amd64 2.13.3-7ubuntu5.1 [51.4 kB] Fetched 157 kB in 0s (589 kB/s) Selecting previously unselected package python3-libapparmor. (Reading database ... 18379 files and directories currently installed.) Preparing to unpack .../python3-libapparmor_2.13.3-7ubuntu5.1_amd64.deb ... Unpacking python3-libapparmor (2.13.3-7ubuntu5.1) ... Selecting previously unselected package python3-apparmor. Preparing to unpack .../python3-apparmor_2.13.3-7ubuntu5.1_amd64.deb ... Unpacking python3-apparmor (2.13.3-7ubuntu5.1) ... Selecting previously unselected package apparmor-utils. Preparing to unpack .../apparmor-utils_2.13.3-7ubuntu5.1_amd64.deb ... Unpacking apparmor-utils (2.13.3-7ubuntu5.1) ... Setting up python3-libapparmor (2.13.3-7ubuntu5.1) ... Setting up python3-apparmor (2.13.3-7ubuntu5.1) ... Setting up apparmor-utils (2.13.3-7ubuntu5.1) ...
The issue
microk8s does not start as it cannot change apparmor profile.
$ microk8s
cannot change profile for the next exec call: No such file or directory
Guest logs will indicate the same issue.
$ sudo tail /var/log/kern.log
[...] Jul 4 20:51:55 kube-worker-3 kernel: [ 40.914921] audit: type=1400 audit(1593895915.057:50): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-containerd" pid=6308 comm="snap-confine" Jul 4 20:51:55 kube-worker-3 kernel: [ 40.915857] audit: type=1400 audit(1593895915.057:52): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-scheduler" pid=6314 comm="snap-confine" Jul 4 20:51:55 kube-worker-3 kernel: [ 40.917363] audit: type=1400 audit(1593895915.061:54): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-proxy" pid=6313 comm="snap-confine" Jul 4 20:51:55 kube-worker-3 kernel: [ 40.917501] audit: type=1400 audit(1593895915.061:55): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-apiserver" pid=6306 comm="snap-confine" Jul 4 20:52:03 kube-worker-3 kernel: [ 48.863759] audit: type=1400 audit(1593895923.034:146): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-proxy" pid=8382 comm="snap-confine" Jul 4 20:52:03 kube-worker-3 kernel: [ 48.867327] audit: type=1400 audit(1593895923.034:149): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-etcd" pid=8379 comm="snap-confine" Jul 4 20:52:03 kube-worker-3 kernel: [ 48.874465] audit: type=1400 audit(1593895923.042:152): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/snap/core/9436/usr/lib/snapd/snap-confine" name="snap.microk8s.daemon-apiserver" pid=8375 comm="snap-confine" [...]
Issue details
Execute microk8s snap using debug mode to confirm that it cannot change AppArmor profile to snap.microk8s.microk8.
$ SNAPD_DEBUG=1 SNAP_DEBUG_CONFINE=1 microk8s
2020/07/04 21:37:58.884019 cmd_linux.go:207: DEBUG: restarting into "/snap/core/current/usr/bin/snap" 2020/07/04 21:37:58.900289 cmd_run.go:398: DEBUG: SELinux not enabled DEBUG: umask reset, old umask was 02 DEBUG: security tag: snap.microk8s.microk8s DEBUG: executable: /snap/core/9665/usr/lib/snapd/snap-exec DEBUG: confinement: classic DEBUG: base snap: core DEBUG: ruid: 2018, euid: 0, suid: 0 DEBUG: rgid: 2018, egid: 2018, sgid: 2018 DEBUG: apparmor label on snap-confine is: /snap/core/9665/usr/lib/snapd/snap-confine DEBUG: apparmor mode is: enforce DEBUG: preparing classic execution environment DEBUG: creating lock directory /run/snapd/lock (if missing) DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: opening lock directory /run/snapd/lock DEBUG: set_effective_identity uid:0 (change: no), gid:2018 (change: yes) DEBUG: opening lock file: /run/snapd/lock/microk8s.lock DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes) DEBUG: set_effective_identity uid:0 (change: no), gid:2018 (change: yes) DEBUG: sanity timeout initialized and set for 30 seconds DEBUG: acquiring exclusive lock (scope microk8s, uid 0) DEBUG: sanity timeout reset and disabled DEBUG: releasing lock 5 DEBUG: set_effective_identity uid:2018 (change: yes), gid:2018 (change: yes) DEBUG: creating user data directory: /home/ansible/snap/microk8s/1496 DEBUG: requesting changing of apparmor profile on next exec to snap.microk8s.microk8s cannot change profile for the next exec call: No such file or directory
AppArmor is enabled inside the guest operating system.
$ aa-enabled
Yes
Currently loaded AppArmor policy inside the guest operating system.
$ aa-status
apparmor module is loaded. 17 profiles are loaded. 17 profiles are in enforce mode. /snap/core/9436/usr/lib/snapd/snap-confine /snap/core/9436/usr/lib/snapd/snap-confine//mount-namespace-capture-helper snap-update-ns.core snap-update-ns.lxd snap.core.hook.configure snap.lxd.activate snap.lxd.benchmark snap.lxd.buginfo snap.lxd.check-kernel snap.lxd.daemon snap.lxd.hook.configure snap.lxd.hook.install snap.lxd.hook.remove snap.lxd.lxc snap.lxd.lxc-to-lxd snap.lxd.lxd snap.lxd.migrate 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode. 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
microk8s profiles are missing as the guest operating system is using unconfined AppArmor profile, so load these by hand to verify that this is the case here.
$ apparmor_parser --add /var/lib/snapd/apparmor/profiles/snap.microk8s.*
AppArmor policy after adding definitions.
$ aa-status
apparmor module is loaded. 53 profiles are loaded. 18 profiles are in enforce mode. /snap/core/9436/usr/lib/snapd/snap-confine /snap/core/9436/usr/lib/snapd/snap-confine//mount-namespace-capture-helper snap-update-ns.core snap-update-ns.lxd snap-update-ns.microk8s snap.core.hook.configure snap.lxd.activate snap.lxd.benchmark snap.lxd.buginfo snap.lxd.check-kernel snap.lxd.daemon snap.lxd.hook.configure snap.lxd.hook.install snap.lxd.hook.remove snap.lxd.lxc snap.lxd.lxc-to-lxd snap.lxd.lxd snap.lxd.migrate 35 profiles are in complain mode. snap.microk8s.add-node snap.microk8s.cilium snap.microk8s.config snap.microk8s.ctr snap.microk8s.daemon-apiserver snap.microk8s.daemon-apiserver-kicker snap.microk8s.daemon-cluster-agent snap.microk8s.daemon-containerd snap.microk8s.daemon-controller-manager snap.microk8s.daemon-etcd snap.microk8s.daemon-flanneld snap.microk8s.daemon-kubelet snap.microk8s.daemon-proxy snap.microk8s.daemon-scheduler snap.microk8s.disable snap.microk8s.enable snap.microk8s.helm snap.microk8s.helm3 snap.microk8s.hook.configure snap.microk8s.hook.install snap.microk8s.hook.remove snap.microk8s.inspect snap.microk8s.istioctl snap.microk8s.join snap.microk8s.juju snap.microk8s.kubectl snap.microk8s.leave snap.microk8s.linkerd snap.microk8s.microk8s snap.microk8s.refresh-certs snap.microk8s.remove-node snap.microk8s.reset snap.microk8s.start snap.microk8s.status snap.microk8s.stop 0 processes have profiles defined. 0 processes are in enforce mode. 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
microk8s is now usable.
$ microk8s
Available subcommands are:
add-node
cilium
config
ctr
disable
enable
helm
helm3
istioctl
join
juju
kubectl
leave
linkerd
refresh-certs
remove-node
reset
start
status
stop
inspect
It works, so make this change permanent.
First solution
This is the easiest possible solution. Copy microk8s AppArmor profiles to the host operating system.
Create a temporary directory inside the guest operating system.
$ sudo lxc exec kube-worker-3 -- mkdir /tmp/microk8s
Copy microk8s AppArmor profiles.
$ sudo lxc exec kube-worker-3 -- find /var/lib/snapd/apparmor/profiles/ -name "snap.microk8s.*" -exec cp {} /tmp/microk8s/ \;
List files inside the guest operating system.
$ sudo lxc exec kube-worker-3 -- ls /tmp/microk8s/
snap.microk8s.add-node snap.microk8s.daemon-apiserver snap.microk8s.daemon-controller-manager snap.microk8s.daemon-proxy snap.microk8s.helm snap.microk8s.hook.remove snap.microk8s.juju snap.microk8s.microk8s snap.microk8s.start snap.microk8s.cilium snap.microk8s.daemon-apiserver-kicker snap.microk8s.daemon-etcd snap.microk8s.daemon-scheduler snap.microk8s.helm3 snap.microk8s.inspect snap.microk8s.kubectl snap.microk8s.refresh-certs snap.microk8s.status snap.microk8s.config snap.microk8s.daemon-cluster-agent snap.microk8s.daemon-flanneld snap.microk8s.disable snap.microk8s.hook.configure snap.microk8s.istioctl snap.microk8s.leave snap.microk8s.remove-node snap.microk8s.stop snap.microk8s.ctr snap.microk8s.daemon-containerd snap.microk8s.daemon-kubelet snap.microk8s.enable snap.microk8s.hook.install snap.microk8s.join snap.microk8s.linkerd snap.microk8s.reset
Copy these files to the host operating system.
$ sudo lxc file pull -r kube-worker-3/tmp/microk8s /etc/apparmor.d/
List files copied to the host operating system.
$ ls /etc/apparmor.d/microk8s/
snap.microk8s.add-node snap.microk8s.daemon-apiserver snap.microk8s.daemon-controller-manager snap.microk8s.daemon-proxy snap.microk8s.helm snap.microk8s.hook.remove snap.microk8s.juju snap.microk8s.microk8s snap.microk8s.start snap.microk8s.cilium snap.microk8s.daemon-apiserver-kicker snap.microk8s.daemon-etcd snap.microk8s.daemon-scheduler snap.microk8s.helm3 snap.microk8s.inspect snap.microk8s.kubectl snap.microk8s.refresh-certs snap.microk8s.status snap.microk8s.config snap.microk8s.daemon-cluster-agent snap.microk8s.daemon-flanneld snap.microk8s.disable snap.microk8s.hook.configure snap.microk8s.istioctl snap.microk8s.leave snap.microk8s.remove-node snap.microk8s.stop snap.microk8s.ctr snap.microk8s.daemon-containerd snap.microk8s.daemon-kubelet snap.microk8s.enable snap.microk8s.hook.install snap.microk8s.join snap.microk8s.linkerd snap.microk8s.reset
Read microk8s AppArmor profiles inside the host operating system.
$ sudo apparmor_parser --replace /etc/apparmor.d/microk8s/
These profiles will be read automatically after the host operating system reboots.
Second solution
Load microk8s AppArmor profiles inside the guest operating system using rc.local mechanism.
Create /etc/rc.local shell script inside the guest operating system.
$ echo -e '#!/bin/bash\n\napparmor_parser --replace /var/lib/snapd/apparmor/profiles/snap.microk8s.*\nexit 0\n' | sudo tee /etc/rc.local
#!/bin/bash apparmor_parser --replace /var/lib/snapd/apparmor/profiles/snap.microk8s.* exit 0
I am using replace action instead of add to avoid unnecessary errors as these profiles will be available system-wide. Yes, it is enough to add additional profiles once.
Ensure that the executable bit is set.
$ sudo chmod +x /etc/rc.local
Execute systemd-rc-local-generator to create a systemd service.
$ /usr/lib/systemd/system-generators/systemd-rc-local-generator
Reboot the guest operating system and inspect rc-local service.
$ systemctl status rc-local
● rc-local.service - /etc/rc.local Compatibility
Loaded: loaded (/lib/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/rc-local.service.d
└─debian.conf
Active: active (exited) since Sat 2020-07-04 22:43:40 UTC; 44s ago
Docs: man:systemd-rc-local-generator(8)
Process: 201 ExecStart=/etc/rc.local start (code=exited, status=0/SUCCESS)
Jul 04 22:43:39 kube-master systemd[1]: Starting /etc/rc.local Compatibility...
Jul 04 22:43:40 kube-master systemd[1]: Started /etc/rc.local Compatibility.
microk8s works as expected.
$ microk8s
Available subcommands are:
add-node
cilium
config
[...]