LXC won't start after upgrade from 8 to 9 "Failed to write AppArmor profile"

F

Fardenco

New Member
Aug 7, 2025
4
0
1
I updated to Proxmox 9 and all my VMs are running great, but my only LXC won't start.
Here is the output with debug enabled :

Code: 
explicitly configured lxc.apparmor.profile overrides the following settings: features:nesting
sync_wait: 34 An error occurred in another process (expected sequence number 4)
__lxc_start: 2114 Failed to spawn container "104"
un_script_argv:587 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "104", config section "lxc"
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1508 - Running privileged, not using a systemd unit
DEBUG    seccomp - ../src/lxc/seccomp.c:parse_config_v2:664 - Host native arch is [3221225534]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "[all]"
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "kexec_load errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "open_by_handle_at errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "init_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "finit_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "delete_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:1036 - Merging compat seccomp contexts into main context
INFO     start - ../src/lxc/start.c:lxc_init:882 - Container "104" is initialized
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1679 - The monitor process uses "lxc.monitor/104" as cgroup
DEBUG    storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1787 - The container process uses "lxc/104/ns" as inner and "lxc/104" as limit cgroup
INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWNS
INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWPID
INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWUTS
INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWIPC
INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWNET
INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWCGROUP
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via fd 18 and stashed path as mnt:/proc/7454/fd/18
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via fd 19 and stashed path as pid:/proc/7454/fd/19
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via fd 20 and stashed path as uts:/proc/7454/fd/20
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via fd 21 and stashed path as ipc:/proc/7454/fd/21
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved net namespace via fd 22 and stashed path as net:/proc/7454/fd/22
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved cgroup namespace via fd 23 and stashed path as cgroup:/proc/7454/fd/23
WARN     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_setup_limits_legacy:3442 - Invalid argument - Ignoring legacy cgroup limits on pure cgroup2 system
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_setup_limits:3538 - Limits for the unified cgroup hierarchy have been setup
INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxc/lxcnetaddbr" for container "104", config section "net"
DEBUG    network - ../src/lxc/network.c:netdev_configure_server_veth:879 - Instantiated veth tunnel "veth104i0 <--> vethhfITll"
DEBUG    conf - ../src/lxc/conf.c:lxc_mount_rootfs:1244 - Mounted rootfs "/var/lib/lxc/104/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "(null)"
INFO     conf - ../src/lxc/conf.c:setup_utsname:683 - Set hostname to "frigate"
DEBUG    network - ../src/lxc/network.c:setup_hw_addr:3866 - Mac address "BC:24:11:1D:12:91" on "eth0" has been setup
DEBUG    network - ../src/lxc/network.c:lxc_network_setup_in_child_namespaces_common:4007 - Network device "eth0" has been setup
INFO     network - ../src/lxc/network.c:lxc_setup_network_in_child_namespaces:4064 - Finished setting up network devices with caller assigned names
INFO     conf - ../src/lxc/conf.c:mount_autodev:1027 - Preparing "/dev"
INFO     conf - ../src/lxc/conf.c:mount_autodev:1088 - Prepared "/dev"
DEBUG    conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:543 - Invalid argument - Tried to ensure procfs is unmounted
DEBUG    conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:566 - Invalid argument - Tried to ensure sysfs is unmounted
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2223 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" to respect bind or remount options
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2242 - Flags for "/sys/fs/fuse/connections" were 4110, required extra flags are 14
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2286 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" with filesystem type "none"
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2223 - Remounting "/dev/dri/renderD128" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/dri/renderD128" to respect bind or remount options
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2242 - Flags for "/dev/dri/renderD128" were 4098, required extra flags are 2
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2286 - Mounted "/dev/dri/renderD128" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/dri/renderD128" with filesystem type "none"
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2223 - Remounting "/dev/apex_0" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/apex_0" to respect bind or remount options
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2242 - Flags for "/dev/apex_0" were 4098, required extra flags are 2
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2286 - Mounted "/dev/apex_0" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/apex_0" with filesystem type "none"
DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroupfs_mount:2197 - Mounted cgroup filesystem cgroup2 onto 20((null))
INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "104", config section "lxc"
INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxc/hooks/lxc-pve-autodev-hook" for container "104", config section "lxc"
INFO     conf - ../src/lxc/conf.c:lxc_fill_autodev:1125 - Populating "/dev"
DEBUG    conf - ../src/lxc/conf.c:lxc_fill_autodev:1134 - Created device node "full"
DEBUG    conf - ../src/lxc/conf.c:lxc_fill_autodev:1134 - Created device node "null"
DEBUG    conf - ../src/lxc/conf.c:lxc_fill_autodev:1134 - Created device node "random"
DEBUG    conf - ../src/lxc/conf.c:lxc_fill_autodev:1134 - Created device node "tty"
DEBUG    conf - ../src/lxc/conf.c:lxc_fill_autodev:1134 - Created device node "urandom"
DEBUG    conf - ../src/lxc/conf.c:lxc_fill_autodev:1134 - Created device node "zero"
INFO     conf - ../src/lxc/conf.c:lxc_fill_autodev:1213 - Populated "/dev"
INFO     conf - ../src/lxc/conf.c:lxc_transient_proc:3315 - Caller's PID is 1; /proc/self points to 1
DEBUG    conf - ../src/lxc/conf.c:lxc_setup_devpts_child:1558 - Attached detached devpts mount 21 to 19/pts
DEBUG    conf - ../src/lxc/conf.c:lxc_setup_devpts_child:1644 - Created "/dev/ptmx" file as bind mount target
DEBUG    conf - ../src/lxc/conf.c:lxc_setup_devpts_child:1651 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
DEBUG    conf - ../src/lxc/conf.c:lxc_allocate_ttys:912 - Created tty with ptx fd 23 and pty fd 24 and index 1
DEBUG    conf - ../src/lxc/conf.c:lxc_allocate_ttys:912 - Created tty with ptx fd 25 and pty fd 26 and index 2
INFO     conf - ../src/lxc/conf.c:lxc_allocate_ttys:917 - Finished creating 2 tty devices
DEBUG    conf - ../src/lxc/conf.c:lxc_setup_ttys:873 - Bind mounted "pts/1" onto "tty1"
DEBUG    conf - ../src/lxc/conf.c:lxc_setup_ttys:873 - Bind mounted "pts/2" onto "tty2"
INFO     conf - ../src/lxc/conf.c:lxc_setup_ttys:880 - Finished setting up 2 /dev/tty<N> device(s)
INFO     conf - ../src/lxc/conf.c:setup_personality:1724 - Set personality to "0lx0"
DEBUG    conf - ../src/lxc/conf.c:capabilities_deny:3014 - Capabilities have been setup
NOTICE   conf - ../src/lxc/conf.c:lxc_setup:4022 - The container "104" is set up
ERROR    apparmor - ../src/lxc/lsm/apparmor.c:apparmor_process_label_set_at:1176 - No such file or directory - Failed to write AppArmor profile "unconfined #unbreaks docker for reasons unknown" to 11
ERROR    apparmor - ../src/lxc/lsm/apparmor.c:apparmor_process_label_set:1222 - Invalid argument - Failed to change AppArmor profile to unconfined #unbreaks docker for reasons unknown
ERROR    sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
DEBUG    network - ../src/lxc/network.c:lxc_delete_network:4220 - Deleted network devices
ERROR    start - ../src/lxc/start.c:__lxc_start:2114 - Failed to spawn container "104"
WARN     start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 17 for process 7470

TASK ERROR: startup for container '104' failed

I don't really know what to do, any help is welcome.
Thank you
 
please post the full container config!
 
fabian said:
please post the full container config!
Click to expand...
Here it is :

Code: 
arch: amd64
cores: 2
features: nesting=1
hostname: frigate
memory: 12288
net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:1D:12:91,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-104-disk-0,size=4G
swap: 512
tags: proxmox-helper-scripts
lxc.cgroup2.devices.allow: a
lxc.cap.drop:
lxc.cgroup2.devices.allow: c 188:* rwm
lxc.cgroup2.devices.allow: c 226:0 rwm #igpu
lxc.cgroup2.devices.allow: c 226:128 rwm #igpu
lxc.cgroup2.devices.allow: c 29:0 rwm #coral
lxc.cgroup2.devices.allow: c 189:* rwm #coral
lxc.apparmor.profile: unconfined #unbreaks docker for reasons unknown
lxc.cgroup2.devices.allow: a
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0, 0 #igpu
lxc.mount.entry: /dev/apex_0 dev/apex_0 none bind,optional,create=file 0, 0 #coral
lxc.cap.drop:
lxc.mount.auto: cgroup:rw

Commenting the line
lxc.apparmor.profile: unconfined #unbreaks docker for reasons unknown
allows the LXC to start
To be honest I don't really know what it means or if i even need it but what I know is that before the upgrade to Proxmox 9 it worked without issue
 
running docker inside LXC is not support in any case. that line removes most of the containment provider by LXC, so it's not a good idea no matter what you run inside the container..
 
  • Like
Reactions: Johannes S
I'm running Frigate.
I know docker in LXC is not officially supported, but it seems to be the go to solution for using Frigate in Proxmox
 
You're right, that's what the documentation say, but from some tests I read the inference time with Coral TPU is usually much better when running inside a LXC compared to a VM. I guess that explains why all of the "how to" I found are going the LXC way, which is why I set it up that way in the first place.
Because of that, there are a lot of Frigate users that are using Docker in LXC, without any issue.
But to be honest I think we are all making this decision based of what others are doing and based on the same old post talking about bad performance when using a VM, and I suspect that today things have probably evolved quite a lot, and maybe this is not an issue anymore.
So I will set it up on a VM to try and get some performance values and judge the difference by myself.
Thank you for your help
 
You must log in or register to reply here.
Top Bottom