apparmor="DENIED" operation="mount" error=-13

verhugues

Apr 23, 2020
Hello,
I have this message when I look at my dmesg log:

audit: type=1400 audit(1586503510.635:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=28429 comm="(install)" flags="ro, nosuid, noexec, remount, strictatime"

This is a Zabbix container and the log when I restart mariadb is:

● mariadb.service - MariaDB 10.1.41 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-04-23 19:41:37 UTC; 28s ago

The /etc/pve/lxc/ conf is:

arch: amd64
cores: 1
hostname: zabbix4
memory: 512
net0: name=eth0,bridge=vmbr0,hwaddr=66:2A:B2:97:3A:D5,type=veth
onboot: 1
ostype: debian
rootfs: local:104/vm-104-disk-0.raw,size=32G
swap: 512

My Proxmox is a "Virtual Environment 5.4-13"

Thank you for your help
Hugues
 
hi,

try using an unprivileged container with 'Nesting' enabled
 
Hi,
Thanks for your answer.

I configured with this option:
features: nesting=1

but the dmesg logs are:


audit: type=1400 audit(1587673014.605:111): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=3937 comm="(install)" flags="ro, nosuid, noexec, remount, strictatime"
[1249317.364635] audit: type=1400 audit(1587673014.881:112): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4157 comm="(sh)" flags="ro, nosuid, noexec, remount, strictatime"
[1249317.592800] audit: type=1400 audit(1587673015.109:113): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4161 comm="(sh)" flags="ro, nosuid, noexec, remount, strictatime"
[1249317.868785] audit: type=1400 audit(1587673015.385:114): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4239 comm="(mysqld)" flags="ro, nosuid, noexec, remount, strictatime"
[1249330.704762] audit: type=1400 audit(1587673028.221:115): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4517 comm="(install)" flags="ro, nosuid, noexec, remount, strictatime"
[1249330.957827] audit: type=1400 audit(1587673028.473:116): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4537 comm="(sh)" flags="ro, nosuid, noexec, remount, strictatime"
[1249331.236746] audit: type=1400 audit(1587673028.753:117): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4638 comm="(sh)" flags="ro, nosuid, noexec, remount, strictatime"
[1249331.508578] audit: type=1400 audit(1587673029.025:118): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4719 comm="(mysqld)" flags="ro, nosuid, noexec, remount, strictatime"

and journalctl:
avril 24 20:42:47 zabbix4 systemd[1]: Failed to set devices.allow on /system.slice/mariadb.service: Operation not permitted
avril 24 20:42:47 zabbix4 systemd[1]: Failed to set devices.allow on /system.slice/mariadb.service: Operation not permitted

Any other leads?

Best regards
Hugues
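
An added example, not part of any post in this thread: a small Python parser that groups the AppArmor DENIED audit records quoted above by profile, operation, target and mount flags, so repeated denials collapse into one entry with the list of processes that triggered it. The sample input is copied from the posts; the function names are chosen for this example.

```python
import errno
import re
from collections import defaultdict

# Sample input: four audit records and one journal line copied from the posts above.
SAMPLE = """\
audit: type=1400 audit(1587673014.605:111): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=3937 comm="(install)" flags="ro, nosuid, noexec, remount, strictatime"
[1249317.364635] audit: type=1400 audit(1587673014.881:112): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4157 comm="(sh)" flags="ro, nosuid, noexec, remount, strictatime"
[1249317.868785] audit: type=1400 audit(1587673015.385:114): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4239 comm="(mysqld)" flags="ro, nosuid, noexec, remount, strictatime"
[1249330.704762] audit: type=1400 audit(1587673028.221:115): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/dev/" pid=4517 comm="(install)" flags="ro, nosuid, noexec, remount, strictatime"
avril 24 20:42:47 zabbix4 systemd[1]: Failed to set devices.allow on /system.slice/mariadb.service: Operation not permitted
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["flags"] = tuple(f.strip() for f in fields.get("flags", "").split(",") if f.strip())
    # The kernel logs a negative errno; -13 maps to EACCES.
    fields["errno"] = errno.errorcode.get(abs(int(fields.get("error", "0"))), "?")
    return fields


def summarize(lines):
    """Group denials by (profile, operation, target, flags) and count them."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "errno": None})
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue  # not an AppArmor denial (e.g. the journal line in SAMPLE)
        key = (rec.get("profile"), rec.get("operation"), rec.get("name"), rec["flags"])
        groups[key]["count"] += 1
        groups[key]["comms"].add(rec.get("comm"))
        groups[key]["errno"] = rec["errno"]
    return {k: {"count": v["count"], "comms": sorted(v["comms"]), "errno": v["errno"]}
            for k, v in groups.items()}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE.splitlines()).items():
        print(key, info)
```

On the sample, every denial falls into a single group: the same remount of /dev/ under the lxc-104 profile, requested by several different processes.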
 
Hi,
I also tried with:
features: nesting=1
unprivileged: 1

The messages are:
root@proxmox5:~# pct enter 104
bash: /root/.bashrc: Permission non accordé


# systemctl restart mariadb
Job for mariadb.service failed because the control process exited with error code.
See "systemctl status mariadb.service" and "journalctl -xe" for details.

root@zabbix4:~# journalctl -xe
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: innodb_empty_free_list_algorithm has been changed to legacy because of small buffer pool size. In order to use backoff, i
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Using mutexes to ref count buffer pool pages
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: The InnoDB memory heap is disabled
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Compressed tables use zlib 1.2.8
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Using Linux native AIO
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Using SSE crc32 instructions
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Initializing buffer pool, size = 128.0M
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] InnoDB: Completed initialization of buffer pool
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] InnoDB: ./ibdata1 can't be opened in read-write mode
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] InnoDB: The system tablespace must be writable!
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] Plugin 'InnoDB' init function returned error.
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [Note] Plugin 'FEEDBACK' is disabled.
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] Could not open mysql.plugin table. Some plugins may be not loaded
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] Unknown/unsupported storage engine: InnoDB
avril 25 13:23:28 zabbix4 mysqld[330]: 2020-04-25 13:23:28 140223862177152 [ERROR] Aborting
avril 25 13:23:28 zabbix4 systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
avril 25 13:23:28 zabbix4 systemd[1]: Failed to start MariaDB 10.1.41 database server.
-- Subject: L'unité (unit) mariadb.service a échoué
-- Defined-By: systemd
-- Support: https://www.debian.org/support

Hugues
 
you can't just edit the config for unprivileged.

revert to the older version, then do a backup of the container. during restore, you can choose