AppArmor DENIED audit "failed flags" warnings after LXC upgrades to Debian Bullseye

Jan 9, 2021
Hi,

I have updated two LXC containers on my Proxmox server 7.0-11 from buster to bullseye inside the LXC containers using the typical way: apt-get update -> upgrade -> dist-upgrade -> everything on the latest state -> changing to the bullseye repos -> apt-get update -> apt full-upgrade. The containers are running normally as far as I have seen so far, but I get a ton of these messages on the host:

Code:
[259206.876014] audit: type=1400 audit(1629629524.302:99694): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-302_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=1907297 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[259212.393988] audit: type=1400 audit(1629629529.818:99695): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-301_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=1907365 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

LXC 301 and 302 are the two that I have updated. I have a third one, LXC 303, that is still running on bullseye without any upgrade yet. The containers were originally created with a debian-buster template.

Does anybody know a solution to that problem?

Thx!

Best regards, Martin

P.S.: Just noticed that I am in the DE forum; if I should post this again in German, please let me know.
 
You need to enable the 'nesting' feature for unprivileged containers running recent systemd versions.
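The fix above in practice, as an added example that is not part of this thread and not Proxmox's own tooling: a POSIX shell script that pulls the container ID out of the AppArmor profile name in those audit lines (Proxmox generates one profile per container, named `lxc-<ctid>_</var/lib/lxc>`, so `lxc-302_</var/lib/lxc>` belongs to CT 302), checks the container's `pct config` output for `nesting=1`, and prints the `pct set` command that adds it. The audit lines and the two `pct config` dumps below are constructed samples modelled on the post; on a live host you would feed it `journalctl -k` or `dmesg` output and the real `pct config <ctid>` instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: map AppArmor
# "failed flags match" mount denials on a Proxmox host back to the container
# ID and print the pct command that turns on the nesting feature.

# Constructed sample kernel log lines, modelled on the two in the post
# (one container appears twice to show de-duplication).
SAMPLE_AUDIT='[259206.876014] audit: type=1400 audit(1629629524.302:99694): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-302_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=1907297 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[259212.393988] audit: type=1400 audit(1629629529.818:99695): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-301_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=1907365 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[259213.120000] audit: type=1400 audit(1629629530.544:99696): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-302_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=1907401 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"'

# Constructed stand-ins for `pct config 301` / `pct config 302` output:
# CT 301 has keyctl but no nesting, CT 302 already has nesting enabled.
CONFIG_301='arch: amd64
cores: 2
features: keyctl=1
hostname: ct301
ostype: debian
unprivileged: 1'

CONFIG_302='arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: ct302
ostype: debian
unprivileged: 1'

# denied_ctids AUDIT_TEXT
# Print, one per line and de-duplicated, the CT IDs whose AppArmor profile
# (Proxmox names it lxc-<ctid>_</var/lib/lxc>) denied a mount with
# "failed flags match".
denied_ctids() {
    printf '%s\n' "$1" |
        grep 'apparmor="DENIED"' |
        grep 'operation="mount"' |
        grep 'info="failed flags match"' |
        sed -n 's/.*profile="lxc-\([0-9][0-9]*\)_.*/\1/p' |
        sort -u
}

# has_nesting CONFIG_TEXT
# Succeed if the features line of a pct config dump enables nesting.
has_nesting() {
    printf '%s\n' "$1" | grep -Eq '^features: (.*,)?nesting=1(,|$)'
}

# fix_command CTID CONFIG_TEXT
# Print the pct command that adds nesting=1. `pct set --features` replaces
# the whole feature list, so any features already set are carried along.
# Prints nothing when nesting is already enabled.
fix_command() {
    ctid=$1
    cfg=$2
    if has_nesting "$cfg"; then
        return 0
    fi
    existing=$(printf '%s\n' "$cfg" | sed -n 's/^features: *//p')
    if [ -n "$existing" ]; then
        printf 'pct set %s --features %s,nesting=1\n' "$ctid" "$existing"
    else
        printf 'pct set %s --features nesting=1\n' "$ctid"
    fi
}

# Walk the denials and report per container. On a live host replace
# SAMPLE_AUDIT with "$(journalctl -k)" and the case block with
# cfg=$(pct config "$ctid"). The new flag only takes effect after the
# container is stopped and started again, because the AppArmor profile is
# generated at container start.
main() {
    for ctid in $(denied_ctids "$SAMPLE_AUDIT"); do
        case $ctid in
            301) cfg=$CONFIG_301 ;;
            302) cfg=$CONFIG_302 ;;
            *)   printf 'CT %s: no config sample\n' "$ctid"; continue ;;
        esac
        cmd=$(fix_command "$ctid" "$cfg")
        if [ -n "$cmd" ]; then
            printf 'CT %s: nesting missing, run: %s\n' "$ctid" "$cmd"
        else
            printf 'CT %s: nesting already enabled\n' "$ctid"
        fi
    done
}

main
```

Two practitioner notes. First, the denied mount is systemd inside the container building a private mount namespace for a service (`name="/run/systemd/unit-root/proc/"`, `comm="(d-logind)"`); the nesting feature adds the mount rules for proc and sys that the generated profile otherwise lacks, which is why the messages only start once the container runs bullseye's newer systemd. Second, that same relaxation lets the container mount procfs and sysfs itself, so it widens what the container can touch; that is the side effect Proxmox does not want to switch on silently for existing containers, and it is worth reviewing before you run the printed command on a container you did not create yourself.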
 
Why isn't this enabled by default?

When creating a container, the "unprivileged container" option is set by default.
 
It is set by default for unprivileged containers that are newly created (on the GUI). We can't change it for existing containers as it might have side effects.
 
I mean: why is the nesting feature not enabled for newly created containers?
(and not why the "unprivileged container" option is set by default) :)
 
The nesting feature is enabled for newly created unprivileged containers (if created over the GUI; over the API we tend to be more conservative with such default changes as they might break integrations). It's now also possible to toggle the nesting flag for unprivileged containers as a non-root user.