Search results

  1.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    @bank, What problems were you having? I tested your acltype suggestion on a ZFS version of the debian 7 template, and I still get the postqueue: close: warning problem. Only with ZFS it doesn't happen on the first call, like it does with a LXC raw image, but from the second call onward.
  2.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    @bank, interesting. I did try myself to remove the Posix acls in the /var/spool/postfix path in the debian install, but that didn't seem to matter in itself. Maybe with a ZFS install this would do the trick. Also, I can reproduce the postqueue close warning problem on a clean Ubuntu Wily, which...
  3.

    Conversion Issue

    Hello Carlos, So, if you look in /proc/net/unix, you see the mysql socket starting with a / from the root of the container? /var/run/mysqld/mysql.sock or something? Do you see any errors in the syslog of the host with apparmor DENIED messages at the moment of using mysql? What is the error you...
  4.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    I took another look at this problem. Tested lxc on Ubuntu trusty, and the postfix test *just* worked. Also tried with a 4.2.6 kernel on Ubuntu 14.04 and it also worked. The apparmor profiles look pretty much the same. Starting on a loopback mounted file as disk also worked. So it seems the...
  5.

    Conversion Issue

    @carlosmp, The issue seems to revolve around programs creating a normal Unix path connected socket inside a chroot inside the container. Like the helper programs of postfix do in the Debian 7 template. And there also is a tiny difference if the container is loop mounted on the file system or...
  6.

    Upgrade Gone Horribly Wrong - Help

    Thanks IceProx, now I will need some hero outfit. :-)
  7.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    One further observation: if you store the LXC container on an Ext4 storage it behaves worse. I wanted to test the flag chroot_attach with the apparmor profile, but if your container storage is in a raw file on ext4, the socket cannot even get created with the active apparmor confinement. My...
  8.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    It seems that chrooting within an apparmor profile is one tough cookie to crack, apparently if you have a disconnected path, you are too late. There is some talk about it here: https://lists.ubuntu.com/archives/apparmor/2011-December/001776.html
  9.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    No it does not. Incidentally, this has been discussed already, I found: https://forum.proxmox.com/threads/after-upgrade-to-4-apparmor-errors-in-syslog.24114/
  10.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    This can certainly curdle your milk. LXC depends heavily on apparmor to keep the inhabitants of the container confined to their little inside world and not affect the host OS. If you are forced to disable apparmor protection AND like proxmox you run a privileged container then there is little...
  11.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    I have tried a standard debian 7 from proxmox 4.1 (which is 64-bit). I can say with certainty that to run it correctly, or at least not to run into socket problems right away, you MUST set lxc.aa_profile to unconfined in your vm config. If you make a new Debian 7 and don't change the apparmor...
  12.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    I have checked and the umask of init process did not change. Just to be sure, if you look in /var/log/syslog of the host, you are not seeing messages like this? pve007 kernel: [ 3007.731120] audit: type=1400 audit(1450625064.487:69): apparmor="DENIED" operation="file_perm"...
  13.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    Actually the init process is a child of the lxc-start process. It appears that the lxc-start process itself remains confined by the usr.bin.lxc-start profile. Anyway, it doesn't seem to be an apparmor issue here after having done this test. I am wondering why the socket permissions are now...
  14.

    Permission error w/ sockets inside CT since migration to PVE 4.1

    Can you try adding a line to your /etc/pve/lxc/{vmid}.conf file for testing this? If you add something yourself to a config file in /var/lib/lxc/{vmid}/config it will be erased by proxmox on startup. lxc.aa_profile: unconfined ...And shutdown and start the container after that.. aa-status...
  15.

    Conversion Issue

    I looked some things up. It seems that pct does not create a login shell, so that is a little different from the situation with openVZ on proxmox 3.4. Anyway, there also seem to be problems concerning unix socketfiles and AppArmor on newer kernels like the Proxmox 4 series has. Can you try...
  16.

    Upgrade Gone Horribly Wrong - Help

    Hello IceProx, It is not a problem with your filesystem gone wrong, /etc/pve is actually a mountpoint of Proxmox's own cluster file system, so it is empty on your root file system. I think the data is all in /var/lib/pve-cluster/config.db in the form of a sqlite database. There is a sqlite3...
  17.

    Conversion Issue

    Ok, so you are trying to migrate from OpenVZ to LXC containers or from KVM? The single biggest difference between Debian/Ubuntu and Centos/RedHat is selinux. Could it be that your CentOS containers are now trying to enforce selinux permissions, or that they already did, but selinux attributes...
  18.

    Conversion Issue

    @carlosmp, It is not completely clear to me how you are entering the machine here. But I do think that it doesn't start a login shell, because then /etc/profile would run. You can start login shells with a -l to your shell or with a - in su or -i in sudo. Also see...
  19.

    ZFS Space Inflation

    @LnxBill, Are you sure you need the -F on the receiving side, even on the first time? If I understand correctly it would cause the receiver to do a rollback on your proxmox/2007 space first before actually storing. Also it seems your snapshots on proxmox/2007 also include the proxmox/2007/samba...
  20.

    How to mount LVM disk of VM

    Good :) The problem was that it was not available at first. You can see this in the lvs output. First you got: vm-104-disk-1 pve -wi------- 32.00g After lvchange -ay you got: vm-104-disk-1 pve -wi-a----- 32.00g If you see the "a" in the fifth field, then it is available. If an LVM...