Apparmor doesn't work in container with debian buster

J

jabacrack

Member
Mar 28, 2018
4
0
6
39
I have container with debian and i2p inside. After updating proxmox to 6 I also update debian in container to buster and i2p to latest version. After this i2p service cannot start with error "i2p.service: Failed to prepare AppArmor profile change to system_i2p: No such file or directory".
aa-status say
apparmor module is loaded.
apparmor filesystem is not mounted.

I haven't any special settings on proxmox connected with apparmor. I try to create new debian container from scratch - same thing. In ubunta container i2p start well.

What I need to do for correct work apparmor in my debian container?
 
hi,

in debian buster it doesn't work but on ubuntu container it works? which ubuntu version is working?

can you post pveversion -v and the config of debian container pct config CTID please
 
I try template ubuntu-20.04-standard_20.04-1_amd64.tar.gz

pveversion -v
Code: 
proxmox-ve: 6.2-1 (running kernel: 5.4.55-1-pve)
pve-manager: 6.2-11 (running version: 6.2-11/22fb4983)
pve-kernel-5.4: 6.2-5
pve-kernel-helper: 6.2-5
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-4.15: 5.4-19
pve-kernel-4.15.18-30-pve: 4.15.18-58
pve-kernel-4.15.18-10-pve: 4.15.18-32
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.4
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-1
libpve-guest-common-perl: 3.1-2
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.2-6
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-10
pve-cluster: 6.1-8
pve-container: 3.1-13
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-2
pve-ha-manager: 3.0-9
pve-i18n: 2.1-3
pve-qemu-kvm: 5.0.0-13
pve-xtermjs: 4.7.0-2
qemu-server: 6.2-14
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.4-pve1


pct config CTID
Code: 
arch: amd64
cores: 2
description: mp0%3A /mnt/bindmounts/crypt,mp=/mnt/external,quota=0%0A
hostname: crypt
memory: 1024
net0: name=eth0,bridge=vmbr0,hwaddr=62:88:2D:7C:84:01,ip=dhcp,ip6=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: containers:subvol-101-disk-1,size=8G
searchdomain: crypt
swap: 512
 
Normaly it is enough to remove apparmor with purge and delete the whole /etc/apparmor*. After that reinstall it, now it should work. On Ubuntu Upgrades it is working this way.
 
jabacrack said:
I try template ubuntu-20.04-standard_20.04-1_amd64.tar.gz

pveversion -v
Code: 
proxmox-ve: 6.2-1 (running kernel: 5.4.55-1-pve)
pve-manager: 6.2-11 (running version: 6.2-11/22fb4983)
pve-kernel-5.4: 6.2-5
pve-kernel-helper: 6.2-5
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-4.15: 5.4-19
pve-kernel-4.15.18-30-pve: 4.15.18-58
pve-kernel-4.15.18-10-pve: 4.15.18-32
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.4
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-1
libpve-guest-common-perl: 3.1-2
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.2-6
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-10
pve-cluster: 6.1-8
pve-container: 3.1-13
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-2
pve-ha-manager: 3.0-9
pve-i18n: 2.1-3
pve-qemu-kvm: 5.0.0-13
pve-xtermjs: 4.7.0-2
qemu-server: 6.2-14
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.4-pve1


pct config CTID
Code: 
arch: amd64
cores: 2
description: mp0%3A /mnt/bindmounts/crypt,mp=/mnt/external,quota=0%0A
hostname: crypt
memory: 1024
net0: name=eth0,bridge=vmbr0,hwaddr=62:88:2D:7C:84:01,ip=dhcp,ip6=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: containers:subvol-101-disk-1,size=8G
searchdomain: crypt
swap: 512
Click to expand...

container is privileged? what about the config of the ubuntu container which works?

you can try to set the debian container unprivileged (through backup & restore, make sure the 'unprivileged' checkbox is selected while restoring it)
 
fireon said:
Normaly it is enough to remove apparmor with purge and delete the whole /etc/apparmor*. After that reinstall it, now it should work. On Ubuntu Upgrades it is working this way.
Click to expand...
Doesn't help.
oguz said:
container is privileged? what about the config of the ubuntu container which works?

you can try to set the debian container unprivileged (through backup & restore, make sure the 'unprivileged' checkbox is selected while restoring it)
Click to expand...
Yes container is privileged.
ubuntu container - everything by default
Code: 
arch: amd64
cores: 1
hostname: crypt2
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=42:C2:0F:2C:7D:80,ip=dhcp,type=veth
ostype: ubuntu
rootfs: containers:subvol-105-disk-0,size=8G
swap: 512
unprivileged: 1

By the way, I create debian 10 container from scratch (unprivileged) using template "debian-10-turnkey-vanilla_16.0-1_amd64.tar.gz" and install i2p in it - same error.
 
jabacrack said:
Doesn't help.

Yes container is privileged.
ubuntu container - everything by default
Code: 
arch: amd64
cores: 1
hostname: crypt2
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=42:C2:0F:2C:7D:80,ip=dhcp,type=veth
ostype: ubuntu
rootfs: containers:subvol-105-disk-0,size=8G
swap: 512
unprivileged: 1

By the way, I create debian 10 container from scratch (unprivileged) using template "debian-10-turnkey-vanilla_16.0-1_amd64.tar.gz" and install i2p in it - same error.
Click to expand...

the turnkey containers need to run privileged - i suggest you to create a debian container from the "system" images:
Code: 
pveam update
pveam available # will list all available templates
pveam available | grep system # "system" container templates, take note of debian container
pveam download local debian-10-standard_10.5-1_amd64.tar.gz # download debian container

then you should be able to go on the GUI and create an unprivileged debian container
 
oguz said:
the turnkey containers need to run privileged - i suggest you to create a debian container from the "system" images:
Click to expand...
I create new unprivileged container from debian-10-standard_10.5-1_amd64.tar.gz and try to install i2p - same error.
 
You must log in or register to reply here.
Top Bottom