apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id"

Splise

Member
Nov 11, 2019
Hi,

I have been attempting to mount a ZFS dataset in an LXC container, but cannot get past the "error=-13 profile" error. I have been searching the internet and forums to find a concrete solution, but nothing seems to work. Adding "nesting=1" seems to resolve most of the apparmor errors, except for one. I have tried just about everything, but cannot get rid of the error. I initially tried with the TK File Server, then moved on to Debian with Samba, but always the same error. Does anyone know how to resolve this?

apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id" pid=49104 comm="lxc-start" srcname="/dev/.lxc-boot-id" flags="rw, bind"

Code:
pveversion
proxmox-ve: 6.2-1 (running kernel: 5.4.44-1-pve)
pve-manager: 6.2-6 (running version: 6.2-6/ee1d7754)
pve-kernel-5.4: 6.2-3
pve-kernel-helper: 6.2-3
pve-kernel-5.3: 6.1-6
pve-kernel-5.4.44-1-pve: 5.4.44-1
pve-kernel-5.4.41-1-pve: 5.4.41-1
pve-kernel-5.3.18-3-pve: 5.3.18-3
pve-kernel-5.3.10-1-pve: 5.3.10-1
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.3-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: residual config
ifupdown2: 3.0.0-1+pve2
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.15-pve1
libproxmox-acme-perl: 1.0.4
libpve-access-control: 6.1-1
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.1-3
libpve-guest-common-perl: 3.0-10
libpve-http-server-perl: 3.0-5
libpve-storage-perl: 6.1-8
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.2-1
lxcfs: 4.0.3-pve2
novnc-pve: 1.1.0-1
openvswitch-switch: 2.12.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-7
pve-cluster: 6.1-8
pve-container: 3.1-8
pve-docs: 6.2-4
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-1
pve-ha-manager: 3.0-9
pve-i18n: 2.1-3
pve-qemu-kvm: 5.0.0-4
pve-xtermjs: 4.3.0-1
qemu-server: 6.2-3
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.4-pve1

Code:
systemctl -a |grep lxcfs
  var-lib-lxcfs.mount    loaded    active mounted   /var/lib/lxcfs
  lxcfs.service          loaded    active

Code:
systemctl status -l lxcfs.service
● lxcfs.service - FUSE filesystem for LXC
   Loaded: loaded (/lib/systemd/system/lxcfs.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-06-19 10:07:36 MDT; 5 days ago
     Docs: man:lxcfs(1)
Main PID: 3439 (lxcfs)
    Tasks: 4 (limit: 8601)
   Memory: 33.6M
   CGroup: /system.slice/lxcfs.service
           └─3439 /usr/bin/lxcfs /var/lib/lxcfs

Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - proc_diskstats
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - proc_loadavg
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - proc_meminfo
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - proc_stat
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - proc_swaps
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - proc_uptime
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - shared_pidns
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - cpuview_daemon
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - loadavg_daemon
Jun 19 10:07:36 tu-psvr-vs-01 lxcfs[3439]: - pidfds

Code:
fgrep -r cgns /etc/apparmor.d
/etc/apparmor.d/lxc/lxc-default-cgns:profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {

Code:
arch: amd64
cores: 1
features: mount=nfs;cifs,nesting=1
hostname: fileserver
memory: 512
mp0: /dpool/storage,mp=/storage
nameserver: 192.168.10.1
net0: name=eth0,bridge=vmbr1,gw=192.168.10.1,hwaddr=0A:E0:F0:95:8A:3C,ip=192.168.10.31/24,tag=10,type=veth
ostype: debian
rootfs: zfs-containers:subvol-101-disk-0,size=8G
swap: 512

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=nfs*,
  mount fstype=rpc_pipefs,
}
 
hi,

apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id" pid=49104 comm="lxc-start" srcname="/dev/.lxc-boot-id" flags="rw, bind"

this error can be ignored.

you've set the mp0 as bind mount to the directory mounted on the host.

what is not working exactly?
does the mountpoint not show up in the CT?
does the CT not start?
 

For sure, please see below. I am testing with the TK File-Server as that is really what I am looking to use if possible. Thanks for your help.

Part1:
Code:
lxc-start 101 20200626024149.728 INFO     lsm - lsm/lsm.c:lsm_init:29 - LSM security driver AppArmor
lxc-start 101 20200626024149.728 INFO     conf - conf.c:run_script_argv:340 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "101", config section "lxc"
lxc-start 101 20200626024150.326 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:662 - Using terminal "/dev/tty" as proxy
lxc-start 101 20200626024150.326 DEBUG    terminal - terminal.c:lxc_terminal_winsz:61 - Set window size to 206 columns and 70 rows
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:967 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:976 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:986 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:996 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "[all]"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "kexec_load errno 1"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:967 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:976 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:986 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:996 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "open_by_handle_at errno 1"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:967 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:976 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:986 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:996 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "init_module errno 1"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:967 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:976 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:986 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:996 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "finit_module errno 1"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:967 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:976 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:986 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:996 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "delete_module errno 1"
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:967 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:976 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:986 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:996 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start 101 20200626024150.327 INFO     seccomp - seccomp.c:parse_config_v2:1000 - Merging compat seccomp contexts into main context
lxc-start 101 20200626024150.635 INFO     start - start.c:lxc_init:850 - Container "101" is initialized
lxc-start 101 20200626024150.679 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1366 - The monitor process uses "lxc.monitor/101" as cgroup
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.deny" set to "a"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c *:* m"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "b *:* m"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 1:3 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 1:5 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 1:7 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 5:0 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 5:1 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 5:2 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 1:8 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 1:9 rwm"
lxc-start 101 20200626024150.681 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 136:* rwm"
lxc-start 101 20200626024150.682 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 10:229 rwm"
lxc-start 101 20200626024150.682 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 254:0 rm"
lxc-start 101 20200626024150.682 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 10:200 rwm"
lxc-start 101 20200626024150.682 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 10:228 rwm"
lxc-start 101 20200626024150.682 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "devices.allow" set to "c 10:232 rwm"
lxc-start 101 20200626024150.682 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2875 - Limits for the legacy cgroup hierarchies have been setup
lxc-start 101 20200626024150.682 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1470 - The container process uses "lxc/101/ns" as cgroup
lxc-start 101 20200626024150.684 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWNS
lxc-start 101 20200626024150.684 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWPID
lxc-start 101 20200626024150.684 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWUTS
lxc-start 101 20200626024150.684 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWIPC
lxc-start 101 20200626024150.684 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWNET
 
Part2:
Code:
lxc-start 101 20200626024150.684 DEBUG    start - start.c:lxc_try_preserve_namespaces:166 - Preserved mnt namespace via fd 56
lxc-start 101 20200626024150.684 DEBUG    start - start.c:lxc_try_preserve_namespaces:166 - Preserved pid namespace via fd 57
lxc-start 101 20200626024150.684 DEBUG    start - start.c:lxc_try_preserve_namespaces:166 - Preserved uts namespace via fd 58
lxc-start 101 20200626024150.684 DEBUG    start - start.c:lxc_try_preserve_namespaces:166 - Preserved ipc namespace via fd 59
lxc-start 101 20200626024150.684 DEBUG    start - start.c:lxc_try_preserve_namespaces:166 - Preserved net namespace via fd 60
lxc-start 101 20200626024150.684 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "memory.limit_in_bytes" set to "2147483648"
lxc-start 101 20200626024150.684 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "memory.memsw.limit_in_bytes" set to "2684354560"
lxc-start 101 20200626024150.684 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "cpu.shares" set to "1024"
lxc-start 101 20200626024150.686 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2870 - Set controller "cpuset.cpus" set to "11,14"
lxc-start 101 20200626024150.686 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2875 - Limits for the legacy cgroup hierarchies have been setup
lxc-start 101 20200626024150.688 INFO     conf - conf.c:run_script_argv:340 - Executing script "/usr/share/lxc/lxcnetaddbr" for container "101", config section "net"
lxc-start 101 20200626024151.337 DEBUG    network - network.c:instantiate_veth:450 - Instantiated veth tunnel "veth101i0 <--> vethaBg2jT"
lxc-start 101 20200626024151.338 INFO     start - start.c:do_start:1211 - Unshared CLONE_NEWCGROUP
lxc-start 101 20200626024151.338 DEBUG    storage - storage/storage.c:storage_query:233 - Detected rootfs type "dir"
lxc-start 101 20200626024151.338 DEBUG    conf - conf.c:lxc_mount_rootfs:1260 - Mounted rootfs "/var/lib/lxc/101/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "(null)"
lxc-start 101 20200626024151.338 INFO     conf - conf.c:setup_utsname:751 - Set hostname to "tu-vsvr-fs-01"
lxc-start 101 20200626024151.430 DEBUG    network - network.c:setup_hw_addr:3388 - Mac address "AE:B6:E0:E8:7D:B5" on "eth0" has been setup
lxc-start 101 20200626024151.431 DEBUG    network - network.c:lxc_network_setup_in_child_namespaces_common:3538 - Network device "eth0" has been setup
lxc-start 101 20200626024151.431 INFO     network - network.c:lxc_setup_network_in_child_namespaces:3560 - Network has been setup
lxc-start 101 20200626024151.431 INFO     conf - conf.c:mount_autodev:1059 - Preparing "/dev"
lxc-start 101 20200626024151.431 DEBUG    conf - conf.c:mount_autodev:1065 - Using mount options: size=500000,mode=755
lxc-start 101 20200626024151.431 INFO     conf - conf.c:mount_autodev:1108 - Prepared "/dev"
lxc-start 101 20200626024151.431 DEBUG    conf - conf.c:mount_entry:1861 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" to respect bind or remount options
lxc-start 101 20200626024151.431 DEBUG    conf - conf.c:mount_entry:1880 - Flags for "/sys/fs/fuse/connections" were 4096, required extra flags are 0
lxc-start 101 20200626024151.431 DEBUG    conf - conf.c:mount_entry:1888 - Mountflags already were 4096, skipping remount
lxc-start 101 20200626024151.431 DEBUG    conf - conf.c:mount_entry:1924 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" with filesystem type "none"
lxc-start 101 20200626024151.431 DEBUG    conf - conf.c:mount_entry:1924 - Mounted "proc" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/.lxc/proc" with filesystem type "proc"
lxc-start 101 20200626024151.432 DEBUG    conf - conf.c:mount_entry:1924 - Mounted "sys" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/.lxc/sys" with filesystem type "sysfs"
lxc-start 101 20200626024151.432 INFO     conf - conf.c:run_script_argv:340 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "101", config section "lxc"
lxc-start 101 20200626024151.459 INFO     conf - conf.c:run_script_argv:340 - Executing script "/usr/share/lxc/hooks/lxc-pve-autodev-hook" for container "101", config section "lxc"
lxc-start 101 20200626024151.576 INFO     conf - conf.c:lxc_fill_autodev:1152 - Populating "/dev"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_fill_autodev:1167 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/full"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_fill_autodev:1167 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/null"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_fill_autodev:1167 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/random"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_fill_autodev:1167 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/tty"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_fill_autodev:1167 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/urandom"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_fill_autodev:1167 - Created device node "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/zero"
lxc-start 101 20200626024151.576 INFO     conf - conf.c:lxc_fill_autodev:1222 - Populated "/dev"
lxc-start 101 20200626024151.576 DEBUG    conf - conf.c:lxc_setup_dev_console:1618 - Mounted pts device "/dev/pts/1" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/console"
lxc-start 101 20200626024151.576 INFO     utils - utils.c:lxc_mount_proc_if_needed:1200 - I am 1, /proc/self points to "1"
lxc-start 101 20200626024151.577 ERROR    conf - conf.c:lxc_setup_boot_id:3250 - Permission denied - Failed to mount /dev/.lxc-boot-id to /proc/sys/kernel/random/boot_id
lxc-start 101 20200626024151.577 DEBUG    conf - conf.c:lxc_setup_devpts:1521 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024"
lxc-start 101 20200626024151.577 DEBUG    conf - conf.c:lxc_setup_devpts:1536 - Created dummy "/dev/ptmx" file as bind mount target
lxc-start 101 20200626024151.577 DEBUG    conf - conf.c:lxc_setup_devpts:1541 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:lxc_allocate_ttys:939 - Created tty "/dev/pts/0" with master fd 54 and slave fd 55
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:lxc_allocate_ttys:939 - Created tty "/dev/pts/1" with master fd 56 and slave fd 57
lxc-start 101 20200626024151.578 INFO     conf - conf.c:lxc_allocate_ttys:955 - Finished creating 2 tty devices
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:lxc_setup_ttys:893 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:lxc_setup_ttys:893 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
lxc-start 101 20200626024151.578 INFO     conf - conf.c:lxc_setup_ttys:900 - Finished setting up 2 /dev/tty<N> device(s)
lxc-start 101 20200626024151.578 INFO     conf - conf.c:setup_personality:1572 - Set personality to "0x0"
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:setup_caps:2335 - Dropped mac_admin (33) capability
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:setup_caps:2335 - Dropped mac_override (32) capability
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:setup_caps:2335 - Dropped sys_time (25) capability
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:setup_caps:2335 - Dropped sys_module (16) capability
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:setup_caps:2335 - Dropped sys_rawio (17) capability
lxc-start 101 20200626024151.578 DEBUG    conf - conf.c:setup_caps:2338 - Capabilities have been setup
lxc-start 101 20200626024151.578 NOTICE   conf - conf.c:lxc_setup:3433 - The container "101" is set up
lxc-start 101 20200626024151.578 INFO     lsm - lsm/lsm.c:lsm_process_label_set_at:157 - Set AppArmor label to "lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:"
lxc-start 101 20200626024151.578 INFO     apparmor - lsm/apparmor.c:apparmor_process_label_set:1185 - Changed AppArmor profile to lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:
lxc-start 101 20200626024151.581 DEBUG    start - start.c:lxc_spawn:1813 - Preserved cgroup namespace via fd 5
lxc-start 101 20200626024151.581 NOTICE   utils - utils.c:lxc_setgroups:1366 - Dropped additional groups
lxc-start 101 20200626024151.582 NOTICE   start - start.c:start:2046 - Exec'ing "/sbin/init"
lxc-start 101 20200626024151.583 NOTICE   start - start.c:post_start:2057 - Started "/sbin/init" with pid "33320"
lxc-start 101 20200626024151.583 NOTICE   start - start.c:signal_handler:394 - Received 17 from pid 33309 instead of container init 33320
 

Thanks for your response. Why can it be ignored? What does it mean? In my experience, ignoring an error in Linux eventually leads to other issues which eventually cause a catastrophic failure. I would like to understand the error, fix it, and possibly help others with the same problem. It appears to be ongoing without any real context or resolution.

The mount point does show up, but I am concerned with how stable it will be, and if corruption will occur. I do not see mp0 under /mnt, but everything I have read says that it should be. There is a lot of older data out there that doesn't apply anymore, so I am also trying to ensure I did things properly.

The CT starts in Privileged mode, as opposed to Unprivileged. But again, it does not appear to be an ideal situation. Is there a reason Unprivileged cannot be used? There seem to be a lot of disparate opinions on which one should be used.
 
hi,

The CT starts in Privileged mode, as opposed to Unprivileged. But again, it does not appear to be an ideal situation. Is there a reason Unprivileged cannot be used? There seem to be a lot of disparate opinions on which one should be used.
unprivileged containers are preferred since they expose less attack surface to a malicious user in case of the container being compromised (it's easier to "break out" of privileged containers in most cases) [0].

The mount point does show up, but I am concerned with how stable it will be, and if corruption will occur. I do not see mp0 under /mnt, but everything I have read says that it should be. There is a lot of older data out there that doesn't apply anymore, so I am also trying to ensure I did things properly.

your logs look completely fine.

Thanks for your response. Why can it be ignored? What does it mean? In my experience, ignoring an error in Linux eventually leads to other issues which eventually cause a catastrophic failure. I would like to understand the error, fix it, and possibly help others with the same problem. It appears to be ongoing without any real context or resolution.
that error is a red herring, it'll still be there without your bindmount attached. it doesn't cause any issues because it doesn't interfere with anything in the operating system, it's an lxc-specific thing. if that's the only error and your mount is working then there's no reason to worry.

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
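The denial the reply calls a red herring is easy to dismiss along with every other "error=-13" line. The script below is an added example (not from this thread, Proxmox or LXC) that parses AppArmor audit lines and flags only that exact lxc-start boot_id bind mount as benign, so other mount denials still get reviewed; the dmesg-style prefix and the two contrasting lines are constructed.

```python
"""Triage AppArmor "DENIED" audit lines on an LXC host.

Added example (not code from this thread, Proxmox or LXC): it separates the
known lxc-start boot_id bind-mount denial, which the reply above says can be
ignored, from other denials that still deserve a look, so a log reviewer is
not trained to skip every "error=-13" line.
"""
import re

# One key=value field; values are either double-quoted (may contain spaces,
# commas, '<', '/') or a bare token such as error=-13 or pid=49104.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample input.  Line 0 is the denial quoted in the thread with a
# dmesg-style audit prefix added; lines 1 and 2 are invented for contrast.
SAMPLE_LOG = [
    'audit: type=1400 audit(1593142910.123:456): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 '
    'profile="/usr/bin/lxc-start" name="/proc/sys/kernel/random/boot_id" '
    'pid=49104 comm="lxc-start" srcname="/dev/.lxc-boot-id" flags="rw, bind"',
    # a container profile refusing a devpts mount, as the cgns profile's
    # "deny mount fstype=devpts" rule would
    'audit: type=1400 audit(1593142911.000:457): apparmor="DENIED" '
    'operation="mount" info="failed type match" error=-13 '
    'profile="lxc-101_</var/lib/lxc>" name="/dev/pts/" pid=33333 '
    'comm="mount" fstype="devpts" srcname="devpts" flags="rw"',
    # a profile load, which is status noise rather than a denial
    'audit: type=1400 audit(1593142900.000:400): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" '
    'name="lxc-container-default-cgns" pid=1200 comm="apparmor_parser"',
]


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_lxc_boot_id_denial(fields):
    """Match exactly the benign case from the thread: lxc-start itself (not a
    container profile) bind-mounting /dev/.lxc-boot-id over boot_id."""
    flags = {f.strip() for f in fields.get("flags", "").split(",")}
    return (
        fields.get("operation") == "mount"
        and fields.get("profile") == "/usr/bin/lxc-start"
        and fields.get("comm") == "lxc-start"
        and fields.get("name") == "/proc/sys/kernel/random/boot_id"
        and fields.get("srcname") == "/dev/.lxc-boot-id"
        and "bind" in flags
    )


def classify(line):
    """Return 'not-a-denial', 'benign-lxc-boot-id' or 'review'."""
    fields = parse_audit_line(line)
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    if is_lxc_boot_id_denial(fields):
        return "benign-lxc-boot-id"
    return "review"


def triage(lines):
    """Group lines by category; 'review' is what a human should read."""
    groups = {"not-a-denial": [], "benign-lxc-boot-id": [], "review": []}
    for line in lines:
        groups[classify(line)].append(line)
    return groups


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(lines)} line(s)")
        for line in lines:
            f = parse_audit_line(line)
            print(f"    profile={f.get('profile')} op={f.get('operation')} name={f.get('name')}")
```

On a real host, feed it the output of `journalctl -k` or `dmesg` filtered for `apparmor="DENIED"`; anything that lands in the "review" bucket is a denial the thread's advice does not cover.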
 
hi,

unprivileged containers are preferred since they expose less attack surface to a malicious user in case of the container being compromised (it's easier to "break out" of privileged containers in most cases) [0].

Is it recommended to backup the privileged container and restore it as an unprivileged container? I am not able to start the container if configured as unprivileged.

your logs look completely fine.

OK, thanks for verifying that.

that error is a red herring, it'll still be there without your bindmount attached. it doesn't cause any issues because it doesn't interfere with anything in the operating system, it's an lxc-specific thing. if that's the only error and your mount is working then there's no reason to worry.

Thanks for the explanation, that makes sense. And also, thanks for taking the time to answer my questions.

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
 
Is it recommended to backup the privileged container and restore it as an unprivileged container? I am not able to start the container if configured as unprivileged.

yes, to convert into unprivileged that is the process.

which container is this that can't run as unprivileged?
 
I am not able to create an unprivileged TK File Server. When attempting to create it I receive the following error:


Code:
extracting archive '/dpool/vmstorage/template/cache/debian-9-turnkey-fileserver_15.0-1_amd64.tar.gz'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 844503040 (806MiB, 66MiB/s)
tar: Exiting with failure status due to previous errors
TASK ERROR: unable to create CT 101 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - -z --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/101/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
 
