apparmor

  1. L

    Another apparmor="DENIED" flooded syslog

    Hi. I've read the numerous threads regarding apparmor flooding syslog with messages related to actions not allowed to be performed inside containers but still can't figure out how to reduce or investigate and only seem to find the solution of ignoring with conf on syslog. In this case is a new PVE6...
  2. M

    How to update default AppArmor profile for containers

    How is apparmor profile "generated" created? How can we add additional rules to this profile? Or is there another way how to create profile with everything default generated profile has but with added rules? We need to deny some operations inside LXC containers.
  3. I

    [SOLVED] Privileged LXC container can't get IP (AppArmor)

    Oct 11 11:10:29 pve-lap systemd[1]: Started PVE LXC Container: 118. Oct 11 11:10:29 pve-lap pvedaemon[20472]: <root@pam> end task UPID:pve-lap:00000877:10AC5DF9:5DA04703:vzstart:118:root@pam: OK Oct 11 11:10:30 pve-lap audit[2417]: AVC apparmor="DENIED" operation="mount" info="failed flags...
  4. R

    [SOLVED] snapd lxc - container ubuntu 18.04 problems Error message

    Hello everyone, I have a ubuntu lxc - container with ubuntu 18.04 and installed snapd, but with problems. In my lxc config I have the following lines added: features: nesting=1,fuse=1,mount=nfs lxc.cap.drop: I can start the snapd container with rocketchat server but in syslog I have the...
  5. I

    Tor inside LXC blocked by AppArmor

    Hey fellas, this is what dmesg gives: [153434.316515] audit: type=1400 audit(1566380002.099:292): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:unconfined" name="system_tor" pid=24893...
  6. mattlach

    DMESG Inundated with Apparmor errors

    Hey all, I'm not very good with how Apparmor works, so I was hoping someone might help me solve this one. Two of my many LXC containers, ID 110 and ID 170 are resulting in an absolute spamming of DMESG as follows: Please see this pastebin. It was too much to post in a message here. Two...
  7. S

    nfs-kernel-server in LXC, service no longer starts after PVE update

    Hello, I have been using Proxmox VE for over a year. So far without problems. In the meantime I have moved my entire virtual environment to it. Last week I purchased a subscription and this morning I started the PVE update process. That all went without...
  8. M

    Unprivileged LXC CentOS 7 NFS server woes with AppArmor and D-Bus

    I'm trying to set up a file server (NFS now, Samba after) in a CentOS 7 container, without making it privileged. The NFS service won't start because of dependency issues with RPC Pipe which will not mount (says permission denied). I've found some seemingly relevant information...
  9. F

    Container with mount point randomly not starting at boot

    Hi, I have a poc proxmox server embedded on a train and running some containers and virtual machines. One of these containers has huge data that I don't want to backup, so I put it on a separate mount point marked to not be backed up. The proxmox server is setup to start when ups gets...
  10. L

    apparmor error every few seconds

    Testing an upgraded host and container to Debian 9 we keep getting an apparmor error on syslog. I've read other threads about this being a "warning" of some process trying to remount something not allowed on the container but can't figure out what it is. prox-test kernel: [1893537.445678]...
  11. D

    oom-killer activity on debian stretch LXC

    Hello, since the last update I have strange activity in dmesg related to oom-killer with some processes in Debian LXC images and the problem doesn't really seem to be due to lack of memory, because the system has 70G of memory and 15G available. I guess many users would confirm the issue and it...
  12. T

    Apparmor denies LXC startup operations from only certain containers.

    I have been using the supplied templates (pveam downloads) for all of my containers and they are mostly built from the Ubuntu 17.10 template, though I have 2 that are built from the Ubuntu 16.04 template. The LXC containers built from the 16.04 template start just fine and have no issues with...
  13. L

    NFS server in LXC

    Hello everyone, I got the media server from Turnkey and created a container with it. In it I have also mounted a complete partition that holds all the multimedia data. lxc.mount.entry: /media/sdb1 /var/lib/lxc/303/rootfs/media/multimedia none bind 0 0 This...
  14. B

    [SOLVED] Apparmor preventing LXCs starting after update

    I ran an apt update && apt dist-upgrade on my home server after a few weeks of uptime as part of its routine maintenance but its LXCs are failing to start after the reboot. All the VMs are still working. journalctl -xe output: -- Unit pve-container@200.service has begun starting up. Mar 10...
  15. I

    [SOLVED] Bind mount mounting but subdirectories are empty

    So I have on my Host machine: /storage/HDD2 /storage/Internal And I am planning to mount these on my Guest machine which is a container: /srv/samba So in my Guest machine I can see that under /srv/samba I see HDD2 and Internal respectively, but not their contents, so I am asking the wizards in...
  16. U

    Ubuntu Snaps inside LXC container on Proxmox

    Hi, I am trying to test Snap applications inside an Ubuntu 16.04 LXC container in Proxmox, and I am running into problems. I found this link: https://stgraber.org/2017/01/31/ubuntu-core-in-lxd-containers/ And it seems snapd needs "unprivileged FUSE mounts and AppArmor namespacing and stacking"'...
  17. D

    Few questions

    Hello, I recently installed and configured a fully working 3 nodes cluster HA with CEPH and all works fine. Up to the point when in SYSLOG of each nodes, I get this, repetitively each day: APPARMOR Related: Jul 21 03:40:06 node01-sxb-pve01 kernel: audit_printk_skb: 384 callbacks suppressed...
  18. A

    [SOLVED] apparmor="DENIED" operation="mount"

    The output of dmesg: How to fix it?
  19. T

    KVM and apparmor

    Hi, Proxmox uses apparmor to confine its LXC containers, but it doesn't do so for KVM virtual machines. Libvirt (Proxmox's open source competitor, kind-of) does do so. Would this be worth adding to a new Proxmox release, for additional security? I wanted to post here about it before adding...
  20. P

    Mount SCSI device in LXC container - Apparmor denied

    Hi, I'm trying to mount scsi tape drive into lxc container and I cannot figure out how to do it... My UDEV config looks like this: #/etc/udev/rules.d/70-persistent-iscsi.rules SUBSYSTEM=="scsi_generic",ATTRS{vendor}=="IBM",ATTRS{model}=="ULTRIUM-HH4", SYMLINK="ultrium", MODE="0660"...