[SOLVED] apparmor - error CT ubuntu 18.04 LTS

[Raito00]

Hi!

how to fix this error?

apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-172_</var/lib/lxc>//&:lxc-172_<-var-lib-lxc>:unconfined" pid=7120 comm="apparmor_parser"

Thanks!

 

[fiona]

Hi,
when and where does this message appear?

 

[Raito00]

Hi!
Whe i start CT - ubuntu 18.04 LTS it freeze and not starting and then i can see in proxmox syslog:

apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-172_</var/lib/lxc>//&:lxc-172_<-var-lib-lxc>:unconfined" pid=7120 comm="apparmor_parser"

Then after about 5 min ubuntu 18.04 LTS starting (unfreeze) and running

 

[fiona]

Could you post the configuration of your container in '/etc/pve/nodes/<node>/lxc/<id>.conf'?

 

[Raito00]

Could you post the configuration of your container in '/etc/pve/nodes/<node>/lxc/<id>.conf'?

arch: amd64
cores: 6
hostname: Jauns-www.ubuntu
memory: 6000
net0: name=eth0,bridge=vmbr0,gw=10.10.0.1,hwaddr=XX:XX:XX:XX:XX:XX,ip=10.10.0.107/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-172-disk-1,size=100G
swap: 6000

 

[fiona]

I tried to replicate your situation and I get the same kind of message, but there is no freeze. Could the reason for the freeze be a timeout for network or some other resource?
What does 'dmesg' produce around the time you start the container? Which version of PVE are you running ('pveversion -v')?

 

[Raito00]

#dmesg:

[ 2834.623661] audit: type=1400 audit(1568136139.508:51): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-172_</var/lib/lxc>//&:lxc-172_<-var-lib-lxc>:unconfined" pid=7133 comm="apparmor_parser"
[ 3014.184476] audit: type=1400 audit(1568136319.066:52): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-172_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=9087 comm="(resolved)" srcname="/" flags="rw, rbind"

#pveversion -v

proxmox-ve: 5.4-2 (running kernel: 4.15.18-20-pve)
pve-manager: 5.4-13 (running version: 5.4-13/aee6f0ec)
pve-kernel-4.15: 5.4-8
pve-kernel-4.15.18-20-pve: 4.15.18-46
pve-kernel-4.15.18-13-pve: 4.15.18-37
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-9-pve: 4.15.18-30
pve-kernel-4.10.17-2-pve: 4.10.17-20
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-12
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-54
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-14
libpve-storage-perl: 5.0-44
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-6
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-28
pve-cluster: 5.0-38
pve-container: 2.0-40
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-22
pve-firmware: 2.0-7
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-4
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-54
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2

 

[fiona]

Could you run the following to start up the container

lxc-start -n ID -F -l DEBUG -o /tmp/lxc-ID.log

replacing 'ID' with the container id both times and post the contents of '/tmp/lxc-ID.log' afterwards?

 

[Raito00]

Debug

 

[fiona]

My log file basically looks the same and I don't experience a freeze. It seems rather unlikely that the apparmor message is relevant for the freeze. Does any change you made before the problem appeared come to mind or is it a fresh container?

 

[Raito00]

After this steps no more freeze!

apt remove apparmor --purge -y
rm -rf /etc/apparmor*
apt install apparmor -y
systemctl restart apparmor.service
systemctl status apparmor.service

 

[fiona]

It surprises me that apparmor was indeed the problem, since I got the same message without a freeze. Glad you were able to solve it yourself!

 

[StanTastic]

@Raito00 , were the commands run in the container or on the host?

 

[phoenixsampras]

After this steps no more freeze!

apt remove apparmor --purge -y
rm -rf /etc/apparmor*
apt install apparmor -y
systemctl restart apparmor.service
systemctl status apparmor.service

Hello, After trying your suggestion got this warning, as its trying to remove all PVE:

W: (pve-apt-hook) !! WARNING !!
W: (pve-apt-hook) You are attempting to remove the meta-package 'proxmox-ve'!
W: (pve-apt-hook)
W: (pve-apt-hook) If you really want to permanently remove 'proxmox-ve' from your system, run the following command
W: (pve-apt-hook) touch '/please-remove-proxmox-ve'
W: (pve-apt-hook) run apt purge proxmox-ve to remove the meta-package
W: (pve-apt-hook) and repeat your apt invocation.
W: (pve-apt-hook)
W: (pve-apt-hook) If you are unsure why 'proxmox-ve' would be removed, please verify
W: (pve-apt-hook) - your APT repository settings
W: (pve-apt-hook) - that you are using 'apt full-upgrade' to upgrade your system

Thanks for the next advice.

 

[fiona]

Hi,

Hello, After trying your suggestion got this warning, as its trying to remove all PVE:

Thanks for the next advice.

I'm guessing the commands needed to be run inside the container. But this is an old thread, please open a new one and describe the issue you are facing in detail while including the output of pveversion -v.