[SOLVED] mounting nfs inside lxc container

lethargos

Hi,
On the machine on which I'm running Proxmox 5.2-1 I'm trying to mount an NFS volume within an LXC container, but AppArmor won't allow me to.
On a container for testing purposes I've added this line at the end of the lxc config:
Code:
lxc.apparmor.profile: lxc-container-default-with-nfs
cat /etc/apparmor.d/lxc-default-with-nfs
Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow NFS (nfs/nfs4) mounts.
  mount fstype=nfs*,
}


So when I try to start it, I get the following error:
Code:
Nov 26 17:50:31 svorng11 audit[3242]: AVC apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfs" pid=3242 comm="lxc-start"
Nov 26 17:50:31 svorng11 kernel: audit: type=1400 audit(1543247431.188:12205): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfs" pid=3242 comm="lxc-start"
Nov 26 17:50:31 svorng11 kernel: vmbr0: port 10(veth535i0) entered disabled state
Nov 26 17:50:31 svorng11 kernel: device veth535i0 left promiscuous mode
Nov 26 17:50:31 svorng11 kernel: vmbr0: port 10(veth535i0) entered disabled state
Nov 26 17:50:31 svorng11 lxc-start[3170]: lxc-start: 535: lxccontainer.c: wait_on_daemonized_start: 824 Received container state "ABORTING" instead of "RUNNING"
Nov 26 17:50:31 svorng11 lxc-start[3170]: The container failed to start.
Nov 26 17:50:31 svorng11 lxc-start[3170]: To get more details, run the container in foreground mode.
Nov 26 17:50:31 svorng11 lxc-start[3170]: Additional information can be obtained by setting the --logfile and --logpriority options.
Nov 26 17:50:31 svorng11 systemd[1]: pve-container@535.service: Control process exited, code=exited status=1
Nov 26 17:50:31 svorng11 systemd[1]: pve-container@535.service: Killing process 3172 (lxc-start) with signal SIGKILL.
Nov 26 17:50:31 svorng11 systemd[1]: Failed to start PVE LXC Container: 535.
-- Subject: Unit pve-container@535.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
In the meantime I deleted the line referring to the apparmor profile from the /etc/pve/lxc/535.conf and the container won't start anyway:
Code:
lxc-start -l DEBUG -F -n 535 -o /root/535.log
lxc-start: 535: cgroups/cgfsng.c: create_path_for_hierarchy: 1752 Path "/sys/fs/cgroup/rdma//lxc/535" already existed.
lxc-start: 535: cgroups/cgfsng.c: cgfsng_create: 1862 Failed to create cgroup "/sys/fs/cgroup/rdma//lxc/535"
lxc-start: 535: cgroups/cgfsng.c: create_path_for_hierarchy: 1752 Path "/sys/fs/cgroup/cpuset//lxc/535-1" already existed.
lxc-start: 535: cgroups/cgfsng.c: cgfsng_create: 1862 Failed to create cgroup "/sys/fs/cgroup/cpuset//lxc/535-1"
lxc-start: 535: cgroups/cgfsng.c: create_path_for_hierarchy: 1752 Path "/sys/fs/cgroup/cpuset//lxc/535-2" already existed.
lxc-start: 535: cgroups/cgfsng.c: cgfsng_create: 1862 Failed to create cgroup "/sys/fs/cgroup/cpuset//lxc/535-2"
lxc-start: 535: cgroups/cgfsng.c: create_path_for_hierarchy: 1752 Path "/sys/fs/cgroup/cpuset//lxc/535-3" already existed.
lxc-start: 535: cgroups/cgfsng.c: cgfsng_create: 1862 Failed to create cgroup "/sys/fs/cgroup/cpuset//lxc/535-3"
lxc-start: 535: lsm/lsm.c: lsm_process_label_set_at: 167 No such file or directory - Failed to set AppArmor label "lxc-default-with-nfs"
lxc-start: 535: lsm/apparmor.c: apparmor_process_label_set: 243 No such file or directory - Failed to change apparmor profile to lxc-default-with-nfs
lxc-start: 535: sync.c: __sync_wait: 57 An error occurred in another process (expected sequence number 5)
lxc-start: 535: start.c: __lxc_start: 1883 Failed to spawn container "535"
The container failed to start.
Additional information can be obtained by setting the --logfile and --logpriority options.

This is the log from /root/535.log:
Code:
lxc-start 535 20181126155416.219 INFO     lxc_lsm - lsm/lsm.c:lsm_init:46 - LSM security driver AppArmor
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:761 - Adding native rule for reject_force_umount  # comment this to allow umount -f;  not recommended action 0(kill)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:411 - Setting Seccomp rule to reject force umounts
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:765 - Adding compat rule for reject_force_umount action 0(kill)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:411 - Setting Seccomp rule to reject force umounts
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:411 - Setting Seccomp rule to reject force umounts
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .[all]
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .kexec_load errno 1
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:761 - Adding native rule for kexec_load errno 1 action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:765 - Adding compat rule for kexec_load action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .open_by_handle_at errno 1
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:761 - Adding native rule for open_by_handle_at errno 1 action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:765 - Adding compat rule for open_by_handle_at action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .init_module errno 1
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:761 - Adding native rule for init_module errno 1 action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:765 - Adding compat rule for init_module action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .finit_module errno 1
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:761 - Adding native rule for finit_module errno 1 action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:765 - Adding compat rule for finit_module action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:585 - processing: .delete_module errno 1
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:761 - Adding native rule for delete_module errno 1 action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:765 - Adding compat rule for delete_module action 327681(errno)
lxc-start 535 20181126155416.219 INFO     lxc_seccomp - seccomp.c:parse_config_v2:775 - Merging in the compat Seccomp ctx into the main one
lxc-start 535 20181126155416.219 INFO     lxc_conf - conf.c:run_script_argv:368 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "535", config section "lxc"
lxc-start 535 20181126155416.662 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:701 - Using terminal "/dev/tty" as proxy
lxc-start 535 20181126155416.662 DEBUG    terminal - terminal.c:lxc_terminal_signal_init:188 - Created signal fd 9
lxc-start 535 20181126155416.662 DEBUG    terminal - terminal.c:lxc_terminal_winsz:85 - Set window size to 204 columns and 53 rows
lxc-start 535 20181126155416.662 INFO     lxc_start - start.c:lxc_init:846 - Container "535" is initialized
lxc-start 535 20181126155416.663 INFO     lxc_conf - conf.c:run_script:506 - Executing script "/usr/share/lxc/lxcnetaddbr" for container "535", config section "net"
lxc-start 535 20181126155417.219 DEBUG    lxc_network - network.c:instantiate_veth:227 - Instantiated veth "veth535i0/veth70F6F2", index is "86"
lxc-start 535 20181126155417.220 INFO     lxc_cgroup - cgroups/cgroup.c:cgroup_init:60 - cgroup driver cgfsng initing for 535
lxc-start 535 20181126155417.223 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:751 - "cgroup.clone_children" was already set to "1"
lxc-start 535 20181126155417.223 ERROR    lxc_cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1752 - Path "/sys/fs/cgroup/rdma//lxc/535" already existed.
lxc-start 535 20181126155417.224 ERROR    lxc_cgfsng - cgroups/cgfsng.c:cgfsng_create:1862 - Failed to create cgroup "/sys/fs/cgroup/rdma//lxc/535"
lxc-start 535 20181126155417.226 ERROR    lxc_cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1752 - Path "/sys/fs/cgroup/cpuset//lxc/535-1" already existed.
lxc-start 535 20181126155417.226 ERROR    lxc_cgfsng - cgroups/cgfsng.c:cgfsng_create:1862 - Failed to create cgroup "/sys/fs/cgroup/cpuset//lxc/535-1"
lxc-start 535 20181126155417.227 ERROR    lxc_cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1752 - Path "/sys/fs/cgroup/cpuset//lxc/535-2" already existed.
lxc-start 535 20181126155417.227 ERROR    lxc_cgfsng - cgroups/cgfsng.c:cgfsng_create:1862 - Failed to create cgroup "/sys/fs/cgroup/cpuset//lxc/535-2"
lxc-start 535 20181126155417.228 ERROR    lxc_cgfsng - cgroups/cgfsng.c:create_path_for_hierarchy:1752 - Path "/sys/fs/cgroup/cpuset//lxc/535-3" already existed.
lxc-start 535 20181126155417.228 ERROR    lxc_cgfsng - cgroups/cgfsng.c:cgfsng_create:1862 - Failed to create cgroup "/sys/fs/cgroup/cpuset//lxc/535-3"
lxc-start 535 20181126155417.230 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:751 - "cgroup.clone_children" was already set to "1"
lxc-start 535 20181126155417.244 INFO     lxc_start - start.c:lxc_spawn:1614 - Cloned CLONE_NEWNS
lxc-start 535 20181126155417.244 INFO     lxc_start - start.c:lxc_spawn:1614 - Cloned CLONE_NEWPID
lxc-start 535 20181126155417.244 INFO     lxc_start - start.c:lxc_spawn:1614 - Cloned CLONE_NEWUTS
lxc-start 535 20181126155417.244 INFO     lxc_start - start.c:lxc_spawn:1614 - Cloned CLONE_NEWIPC
lxc-start 535 20181126155417.244 INFO     lxc_start - start.c:lxc_spawn:1614 - Cloned CLONE_NEWNET
lxc-start 535 20181126155417.244 DEBUG    lxc_start - start.c:lxc_try_preserve_namespaces:199 - Preserved mnt namespace via fd 15
lxc-start 535 20181126155417.244 DEBUG    lxc_start - start.c:lxc_try_preserve_namespaces:199 - Preserved pid namespace via fd 16
lxc-start 535 20181126155417.245 DEBUG    lxc_start - start.c:lxc_try_preserve_namespaces:199 - Preserved uts namespace via fd 17
lxc-start 535 20181126155417.245 DEBUG    lxc_start - start.c:lxc_try_preserve_namespaces:199 - Preserved ipc namespace via fd 18
lxc-start 535 20181126155417.245 DEBUG    lxc_start - start.c:lxc_try_preserve_namespaces:199 - Preserved net namespace via fd 19
lxc-start 535 20181126155417.246 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "memory.limit_in_bytes" set to "536870912"
lxc-start 535 20181126155417.246 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "memory.memsw.limit_in_bytes" set to "1073741824"
lxc-start 535 20181126155417.246 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "cpu.shares" set to "1024"
lxc-start 535 20181126155417.249 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "cpuset.cpus" set to "1"
lxc-start 535 20181126155417.249 INFO     lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2797 - Limits for the legacy cgroup hierarchies have been setup
lxc-start 535 20181126155417.251 DEBUG    lxc_start - start.c:lxc_spawn:1668 - Preserved net namespace via fd 10
lxc-start 535 20181126155417.636 DEBUG    lxc_network - network.c:lxc_network_move_created_netdev_priv:2484 - Moved network device "veth70F6F2"/"eth0" to network namespace of 4582
lxc-start 535 20181126155417.638 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.deny" set to "a"
lxc-start 535 20181126155417.638 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c *:* m"
lxc-start 535 20181126155417.638 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "b *:* m"
lxc-start 535 20181126155417.638 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 1:3 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 1:5 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 1:7 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 5:0 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 5:1 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 5:2 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 1:8 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 1:9 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 136:* rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 10:229 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 254:0 rm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 10:200 rwm"
lxc-start 535 20181126155417.639 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 10:228 rwm"
lxc-start 535 20181126155417.640 DEBUG    lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2792 - Set controller "devices.allow" set to "c 10:232 rwm"
lxc-start 535 20181126155417.640 INFO     lxc_cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2797 - Limits for the legacy cgroup hierarchies have been setup
lxc-start 535 20181126155417.647 INFO     lxc_start - start.c:do_start:1177 - Unshared CLONE_NEWCGROUP
lxc-start 535 20181126155417.651 DEBUG    storage - storage/storage.c:storage_query:247 - Detected rootfs type "dir"
lxc-start 535 20181126155417.651 DEBUG    lxc_conf - conf.c:lxc_setup_rootfs:1338 - Mounted rootfs "/var/lib/lxc/535/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "(null)"
lxc-start 535 20181126155417.652 INFO     lxc_conf - conf.c:setup_utsname:774 - Set hostname to "testnfs"
lxc-start 535 20181126155417.955 DEBUG    lxc_network - network.c:setup_hw_addr:2750 - Mac address "5E:0B:1D:9A:7B:18" on "eth0" has been setup
lxc-start 535 20181126155417.955 DEBUG    lxc_network - network.c:lxc_setup_netdev_in_child_namespaces:3008 - Network device "eth0" has been setup
lxc-start 535 20181126155417.955 INFO     lxc_network - network.c:lxc_setup_network_in_child_namespaces:3029 - network has been setup
lxc-start 535 20181126155417.957 INFO     lxc_conf - conf.c:mount_autodev:1163 - Preparing "/dev"
lxc-start 535 20181126155417.961 INFO     lxc_conf - conf.c:mount_autodev:1185 - Mounted tmpfs on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev"
lxc-start 535 20181126155417.961 INFO     lxc_conf - conf.c:mount_autodev:1202 - Prepared "/dev"
lxc-start 535 20181126155417.965 INFO     lxc_conf - conf.c:run_script_argv:368 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "535", config section "lxc"
lxc-start 535 20181126155417.111 INFO     lxc_conf - conf.c:run_script_argv:368 - Executing script "/usr/share/lxc/hooks/lxc-pve-autodev-hook" for container "535", config section "lxc"
lxc-start 535 20181126155417.240 INFO     lxc_conf - conf.c:lxc_fill_autodev:1238 - Populating "/dev"
lxc-start 535 20181126155417.240 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1253 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/full"
lxc-start 535 20181126155417.240 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1253 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/null"
lxc-start 535 20181126155417.240 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1253 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/random"
lxc-start 535 20181126155417.240 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1253 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/tty"
lxc-start 535 20181126155417.240 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1253 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/urandom"
lxc-start 535 20181126155417.240 DEBUG    lxc_conf - conf.c:lxc_fill_autodev:1253 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/zero"
lxc-start 535 20181126155417.240 INFO     lxc_conf - conf.c:lxc_fill_autodev:1291 - Populated "/dev"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1934 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" to respect bind or remount options
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1955 - Flags for "/sys/fs/fuse/connections" were 4096, required extra flags are 0
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1965 - Mountflags already were 4096, skipping remount
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:2011 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" with filesystem type "none"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1934 - Remounting "/sys/kernel/debug" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/kernel/debug" to respect bind or remount options
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1955 - Flags for "/sys/kernel/debug" were 4096, required extra flags are 0
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1965 - Mountflags already were 4096, skipping remount
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:2011 - Mounted "/sys/kernel/debug" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/kernel/debug" with filesystem type "none"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1934 - Remounting "/sys/kernel/security" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/kernel/security" to respect bind or remount options
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1955 - Flags for "/sys/kernel/security" were 4110, required extra flags are 14
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:2011 - Mounted "/sys/kernel/security" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/kernel/security" with filesystem type "none"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1934 - Remounting "/sys/fs/pstore" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/pstore" to respect bind or remount options
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:1955 - Flags for "/sys/fs/pstore" were 4110, required extra flags are 14
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:2011 - Mounted "/sys/fs/pstore" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/pstore" with filesystem type "none"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:mount_entry:2011 - Mounted "mqueue" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/mqueue" with filesystem type "mqueue"
lxc-start 535 20181126155417.241 INFO     lxc_conf - conf.c:mount_file_entries:2243 - Finished setting up mounts
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:lxc_setup_ttydir_console:1697 - Created directory for console and tty devices at "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/lxc"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:lxc_setup_ttydir_console:1748 - Mounted "/dev/pts/4" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/lxc/console"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:lxc_setup_ttydir_console:1756 - Mounted "/dev/pts/4" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/lxc/console"
lxc-start 535 20181126155417.241 DEBUG    lxc_conf - conf.c:lxc_setup_ttydir_console:1758 - Console has been setup under "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/lxc/console" and mounted to "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/console"
lxc-start 535 20181126155417.241 INFO     lxc_utils - utils.c:lxc_mount_proc_if_needed:1720 - I am 1, /proc/self points to "1"
lxc-start 535 20181126155417.255 DEBUG    lxc_conf - conf.c:setup_rootfs_pivot_root:1140 - pivot_root("/usr/lib/x86_64-linux-gnu/lxc/rootfs") successful
lxc-start 535 20181126155417.255 DEBUG    lxc_conf - conf.c:setup_pivot_root:1469 - Finished pivot_root()
lxc-start 535 20181126155417.255 DEBUG    lxc_conf - conf.c:lxc_setup_devpts:1549 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024"
lxc-start 535 20181126155417.255 DEBUG    lxc_conf - conf.c:lxc_setup_devpts:1569 - Created dummy "/dev/ptmx" file as bind mount target
lxc-start 535 20181126155417.255 DEBUG    lxc_conf - conf.c:lxc_setup_devpts:1574 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:970 - Created tty "/dev/pts/0" with master fd 11 and slave fd 14
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:lxc_allocate_ttys:970 - Created tty "/dev/pts/1" with master fd 15 and slave fd 16
lxc-start 535 20181126155417.256 INFO     lxc_conf - conf.c:lxc_allocate_ttys:990 - Finished creating 2 tty devices
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:896 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:lxc_setup_ttys:896 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
lxc-start 535 20181126155417.256 INFO     lxc_conf - conf.c:lxc_setup_ttys:940 - Finished setting up 2 /dev/tty<N> device(s)
lxc-start 535 20181126155417.256 INFO     lxc_conf - conf.c:setup_personality:1613 - Set personality to "0x0"
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:setup_caps:2416 - Dropped mac_admin (33) capability
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:setup_caps:2416 - Dropped mac_override (32) capability
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:setup_caps:2416 - Dropped sys_time (25) capability
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:setup_caps:2416 - Dropped sys_module (16) capability
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:setup_caps:2416 - Dropped sys_rawio (17) capability
lxc-start 535 20181126155417.256 DEBUG    lxc_conf - conf.c:setup_caps:2419 - Capabilities have been setup
lxc-start 535 20181126155417.256 NOTICE   lxc_conf - conf.c:lxc_setup:3482 - The container "535" is set up
lxc-start 535 20181126155417.256 ERROR    lxc_lsm - lsm/lsm.c:lsm_process_label_set_at:167 - No such file or directory - Failed to set AppArmor label "lxc-default-with-nfs"
lxc-start 535 20181126155417.256 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:243 - No such file or directory - Failed to change apparmor profile to lxc-default-with-nfs
lxc-start 535 20181126155417.256 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
lxc-start 535 20181126155417.257 INFO     lxc_network - network.c:lxc_delete_network_priv:2568 - Interface "eth0" with index 86 already deleted or existing in different network namespace
lxc-start 535 20181126155417.257 INFO     lxc_network - network.c:lxc_delete_network_priv:2578 - Removed interface "eth0" with index 86
lxc-start 535 20181126155417.295 INFO     lxc_network - network.c:lxc_delete_network_priv:2599 - Removed interface "veth535i0" from ""
lxc-start 535 20181126155417.295 DEBUG    lxc_network - network.c:lxc_delete_network:3156 - Deleted network devices
lxc-start 535 20181126155417.295 ERROR    lxc_start - start.c:__lxc_start:1883 - Failed to spawn container "535"
lxc-start 535 20181126155417.297 INFO     lxc_conf - conf.c:run_script_argv:368 - Executing script "/usr/share/lxc/hooks/lxc-pve-poststop-hook" for container "535", config section "lxc"
lxc-start 535 20181126155417.656 INFO     lxc_conf - conf.c:run_script_argv:368 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "535", config section "lxc"

Any ideas what's going on?
 
When I try to start it within the gui I also get:

Code:
can't open '/sys/fs/cgroup/cpuacct/lxc/535/ns/cpuacct.stat' - No such file or directory (500)

So basically tinkering a little with the apparmor profile within the lxc configuration of the containers messes up the container itself. I'm not sure what's going on. Now I have two containers that I cannot start because of the same error.

Under /sys/fs/cgroup/cpuacct/lxc/ I have directories 535-1, 535-2, 535-3, but no 535.
 
I eventually made it work by manually creating the empty directories /sys/fs/cgroup/cpuacct/lxc/535 and /sys/fs/cgroup/cpuacct/lxc/535/ns. Really upsetting and idiotic bug. It works as expected now.
 
Hi,
this is our apparmor configuration:

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
deny mount fstype=devpts,
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=nfs*,
mount fstype=rpc_pipefs,
}

After reloading apparmor (service apparmor reload) and adding the profile to the lxc files under /etc/pve/lxc/ ("lxc.apparmor.profile: lxc-container-default-cgns") everything works fine.

regards,
Harry
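
The audit line in the first post reports info="label not found" for name="lxc-default-with-nfs", while the profile file shown there declares lxc-container-default-with-nfs. The check below is an added example, not part of any post in this thread: it compares the name a container config requests against the loaded profiles. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the AppArmor profile named in
# a container config is loaded before starting the container.

# Name set via lxc.apparmor.profile; accepts "key: value" and "key = value".
configured_profile() {
    sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*[:=][[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Names declared by "profile NAME ... {" lines in AppArmor profile files.
declared_profiles() {
    sed -n 's/^[[:space:]]*profile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$@"
}

# Loaded profile names; the kernel lists them one per line as "name (mode)".
loaded_profiles() {
    sed 's/ ([a-z]*)$//' "$1"
}

# check_profile CONF LOADED_LIST [PROFILE_FILE...]
# Returns 0 = loaded, 1 = configured but not loaded, 2 = no profile configured.
check_profile() {
    cp_conf=$1; cp_list=$2; shift 2
    cp_want=$(configured_profile "$cp_conf")
    if [ -z "$cp_want" ]; then
        echo "$cp_conf: no lxc.apparmor.profile set"; return 2
    fi
    if loaded_profiles "$cp_list" | grep -Fxq -- "$cp_want"; then
        echo "$cp_conf: ok, '$cp_want' is loaded"; return 0
    fi
    echo "$cp_conf: '$cp_want' is NOT loaded (expect 'label not found' at start)"
    if [ $# -gt 0 ]; then
        echo "  names declared in the given profile files:"
        declared_profiles "$@" | sed 's/^/    /'
    fi
    return 1
}

# Constructed sample data: names taken from the thread, file layout invented.
make_sample() {
    printf '%s\n' 'hostname: testnfs' \
        'lxc.apparmor.profile: lxc-default-with-nfs' > "$1/535.conf"
    printf '%s\n' 'hostname: testnfs' \
        'lxc.apparmor.profile: lxc-container-default-with-nfs' > "$1/535-fixed.conf"
    cat > "$1/lxc-default-with-nfs" <<'EOF'
profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  mount fstype=nfs*,
}
EOF
    cat > "$1/loaded" <<'EOF'
/usr/bin/lxc-start (enforce)
lxc-container-default (enforce)
lxc-container-default-cgns (enforce)
lxc-container-default-with-nfs (enforce)
EOF
}

# Run both cases against the constructed files.
demo() {
    demo_d=$(mktemp -d) || return 1
    make_sample "$demo_d"
    check_profile "$demo_d/535.conf" "$demo_d/loaded" "$demo_d/lxc-default-with-nfs" || true
    check_profile "$demo_d/535-fixed.conf" "$demo_d/loaded" || true
    rm -rf "$demo_d"
}
demo
```

On a host, run it as root against the real files: `check_profile /etc/pve/lxc/535.conf /sys/kernel/security/apparmor/profiles /etc/apparmor.d/lxc/*`.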
 
