After update 5.1 to 5.2 "lxc.aa_profile = unconfined" not working

Noka

Jun 22, 2018
After updating Proxmox 5.1 to 5.2, docker start in an LXC container gives an error;
"lxc.aa_profile = unconfined" in the conf is not working.

Code:
[root@gw-test ~]# docker start test-proxy
Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:46: preparing rootfs caused \\\"permission denied\\\"\"": unknown
Error: failed to start containers: test-proxy

Code:
Jun 22 18:25:13 host kernel: docker0: port 1(veth29143b2) entered blocking state
Jun 22 18:25:13 host kernel: docker0: port 1(veth29143b2) entered disabled state
Jun 22 18:25:13 host kernel: device veth29143b2 entered promiscuous mode
Jun 22 18:25:13 host kernel: IPv6: ADDRCONF(NETDEV_UP): veth29143b2: link is not ready
Jun 22 18:25:14 host audit[13205]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=13205 comm="runc:[2:INIT]" flags="rw, rslave"
Jun 22 18:25:14 host kernel: audit: type=1400 audit(1529681114.045:53): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=13205 comm="run
Jun 22 18:25:14 host kernel: docker0: port 1(veth29143b2) entered disabled state

Replacing it with lxc.apparmor.profile: unconfined in /etc/pve/lxc/203.conf does not yield results.

Code:
root@host:~# cat /etc/pve/lxc/203.conf
arch: amd64
cores: 1
hostname: gw-test
memory: 512
net0: name=ext,bridge=vmbr0,firewall=1,gw=XXX,hwaddr=XXX,ip=XXX/32,type=veth
onboot: 1
ostype: centos
rootfs: local:203/vm-203-disk-1.raw,size=8G
swap: 512
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.aa_profile = unconfined

Code:
root@gra:~# pveversion -v
proxmox-ve: 5.2-2 (running kernel: 4.15.17-3-pve)
pve-manager: 5.2-2 (running version: 5.2-2/b1d1c7f4)
pve-kernel-4.15: 5.2-3
pve-kernel-4.13: 5.1-45
pve-kernel-4.15.17-3-pve: 4.15.17-13
pve-kernel-4.13.16-3-pve: 4.13.16-49
pve-kernel-4.13.16-1-pve: 4.13.16-46
pve-kernel-4.13.13-6-pve: 4.13.13-42
pve-kernel-4.10.17-1-pve: 4.10.17-18
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-33
libpve-guest-common-perl: 2.0-16
libpve-http-server-perl: 2.0-9
libpve-storage-perl: 5.0-23
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 1.0.0-1
proxmox-widget-toolkit: 1.0-19
pve-cluster: 5.0-27
pve-container: 2.0-23
pve-docs: 5.2-4
pve-firewall: 3.0-12
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-5
qemu-server: 5.0-28
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.9-pve1~bpo9

Code:
dpkg-query --show apparmor
apparmor        2.11.0-3+deb9u2
 
Were there also updates to the container inside?
With lxc.apparmor.profile the apparmor errors shouldn't happen, and the log shows you're using the regular profile still. Does the log output change after using lxc.apparmor.profile?
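A small checker, added here as an illustration and not part of the thread, that compares the two artefacts the reply above puts side by side: the lxc.* keys in the container config (including the pre-LXC-3.0 key name lxc.aa_profile, which LXC 3.0 replaced with lxc.apparmor.profile) and the host's apparmor="DENIED" audit lines, reporting which profile was requested and which profile is actually enforcing the denials. The sample config lines and log line are copied from this thread; the script only detects the mismatch, it does not establish why the setting was not applied.

```python
import re

# Constructed sample input, copied from this thread: the relevant lines of
# /etc/pve/lxc/203.conf and two lines from the host's journal.
SAMPLE_CONF = """\
ostype: centos
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.aa_profile = unconfined
"""
SAMPLE_LOG = [
    'Jun 25 14:08:41 host audit[13351]: AVC apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxc-container-default-cgns" '
    'name="/" pid=13351 comm="runc:[2:INIT]" flags="rw, rslave"',
    "Jun 25 14:08:41 host kernel: docker0: port 1(veth29143b2) entered disabled state",
]

# LXC 3.0 removed the legacy key names; the current AppArmor key is lxc.apparmor.profile.
LEGACY_KEYS = {"lxc.aa_profile": "lxc.apparmor.profile"}
CONF_LINE = re.compile(r"^(lxc\.[\w.\-]+)\s*[:=]\s*(.*?)\s*$")  # "key: v" or "key = v"
AVC_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')               # key="quoted" or key=bare


def requested_profile(conf_text):
    """Return (profile, legacy_key): the profile the config asks for and the
    legacy key name it used, or None if only the current key name appears."""
    profile, legacy = None, None
    for line in conf_text.splitlines():
        m = CONF_LINE.match(line)
        if not m:
            continue
        if m[1] in LEGACY_KEYS:
            legacy, profile = m[1], m[2]
        elif m[1] == "lxc.apparmor.profile":
            profile = m[2]
    return profile, legacy


def parse_avc(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (inner if whole.startswith('"') else whole)
            for k, whole, inner in AVC_FIELD.findall(line)}


def denials_despite_unconfined(conf_text, log_lines):
    """Denials whose enforcing profile shows the requested 'unconfined' never took effect."""
    if requested_profile(conf_text)[0] != "unconfined":
        return []
    return [d for d in map(parse_avc, log_lines)
            if d and d.get("profile", "unconfined") != "unconfined"]


if __name__ == "__main__":
    profile, legacy = requested_profile(SAMPLE_CONF)
    print(f"requested profile: {profile} (legacy key used: {legacy})")
    for d in denials_despite_unconfined(SAMPLE_CONF, SAMPLE_LOG):
        print(f"still enforced by {d['profile']}: {d['operation']} on {d['name']} "
              f"flags={d['flags']} by {d['comm']}")
```

Run it against `cat /etc/pve/lxc/<ctid>.conf` and `journalctl -k` output from the host to see whether denials still name a confined profile after the config change.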
 
I stopped the container:
Code:
 systemctl stop pve-container@203.service

corrected the configuration:
Code:
root@host:~# cat /etc/pve/lxc/203.conf
arch: amd64
cores: 1
hostname: gw-test
memory: 512
net0: name=ext,bridge=vmbr0,firewall=1,gw=XXX,hwaddr=XXX,ip=XXX/32,type=veth
onboot: 1
ostype: centos
rootfs: local:203/vm-203-disk-1.raw,size=8G
swap: 512
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.apparmor.profile: unconfined

Started the container:
Code:
systemctl start pve-container@203.service

The errors are repeated.
Inside the container:
Code:
[root@gw-test ~]# docker start test-proxy
Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:46: preparing rootfs caused \\\"permission denied\\\"\"": unknown
Error: failed to start containers: test-proxy

On the host:
Code:
Jun 25 14:08:41 host audit[13351]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=13351 comm="runc:[2:INIT]" flags="rw, rslave"
Jun 25 14:08:41 host kernel: audit: type=1400 audit(1529924921.523:99): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=13351 comm="run

Inside the container, no changes were made.
 
Were there also updates to the container inside?
With lxc.apparmor.profile the apparmor errors shouldn't happen, and the log shows you're using the regular profile still. Does the log output change after using lxc.apparmor.profile?
Are there any other recommendations for solving the problem, based on the latest additional information?
 
