[SOLVED] apparmor - error CT ubuntu 18.04 LTS

Raito00

Active Member
Sep 10, 2019
28
2
43
44
Hi!

how to fix this error?

Code:
apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-172_</var/lib/lxc>//&:lxc-172_<-var-lib-lxc>:unconfined" pid=7120 comm="apparmor_parser"

Thanks!
 
Hi,
when and where does this message appear?
 
Hi!
Whe i start CT - ubuntu 18.04 LTS it freeze and not starting and then i can see in proxmox syslog:
Code:
apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-172_</var/lib/lxc>//&:lxc-172_<-var-lib-lxc>:unconfined" pid=7120 comm="apparmor_parser"

Then after about 5 min ubuntu 18.04 LTS starting (unfreeze) and running
 
Could you post the configuration of your container in '/etc/pve/nodes/<node>/lxc/<id>.conf'?
 
Could you post the configuration of your container in '/etc/pve/nodes/<node>/lxc/<id>.conf'?

Code:
arch: amd64
cores: 6
hostname: Jauns-www.ubuntu
memory: 6000
net0: name=eth0,bridge=vmbr0,gw=10.10.0.1,hwaddr=XX:XX:XX:XX:XX:XX,ip=10.10.0.107/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-172-disk-1,size=100G
swap: 6000
 
I tried to replicate your situation and I get the same kind of message, but there is no freeze. Could the reason for the freeze be a timeout for network or some other resource?
What does 'dmesg' produce around the time you start the container? Which version of PVE are you running ('pveversion -v')?
 
#dmesg:
Code:
[ 2834.623661] audit: type=1400 audit(1568136139.508:51): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-172_</var/lib/lxc>//&:lxc-172_<-var-lib-lxc>:unconfined" pid=7133 comm="apparmor_parser"
[ 3014.184476] audit: type=1400 audit(1568136319.066:52): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-172_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=9087 comm="(resolved)" srcname="/" flags="rw, rbind"

#pveversion -v
Code:
proxmox-ve: 5.4-2 (running kernel: 4.15.18-20-pve)
pve-manager: 5.4-13 (running version: 5.4-13/aee6f0ec)
pve-kernel-4.15: 5.4-8
pve-kernel-4.15.18-20-pve: 4.15.18-46
pve-kernel-4.15.18-13-pve: 4.15.18-37
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-9-pve: 4.15.18-30
pve-kernel-4.10.17-2-pve: 4.10.17-20
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-12
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-54
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-14
libpve-storage-perl: 5.0-44
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-6
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-28
pve-cluster: 5.0-38
pve-container: 2.0-40
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-22
pve-firmware: 2.0-7
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-4
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-54
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2
 
Could you run the following to start up the container
Code:
lxc-start -n ID -F -l DEBUG -o /tmp/lxc-ID.log
replacing 'ID' with the container id both times and post the contents of '/tmp/lxc-ID.log' afterwards?
 
My log file basically looks the same and I don't experience a freeze. It seems rather unlikely that the apparmor message is relevant for the freeze. Does any change you made before the problem appeared come to mind or is it a fresh container?
 
After this steps no more freeze!
Code:
apt remove apparmor --purge -y
rm -rf /etc/apparmor*
apt install apparmor -y
systemctl restart apparmor.service
systemctl status apparmor.service
 
It surprises me that apparmor was indeed the problem, since I got the same message without a freeze. Glad you were able to solve it yourself!
 
After this steps no more freeze!
Code:
apt remove apparmor --purge -y
rm -rf /etc/apparmor*
apt install apparmor -y
systemctl restart apparmor.service
systemctl status apparmor.service
Hello, After trying your suggestion got this warning, as its trying to remove all PVE:
W: (pve-apt-hook) !! WARNING !!
W: (pve-apt-hook) You are attempting to remove the meta-package 'proxmox-ve'!
W: (pve-apt-hook)
W: (pve-apt-hook) If you really want to permanently remove 'proxmox-ve' from your system, run the following command
W: (pve-apt-hook) touch '/please-remove-proxmox-ve'
W: (pve-apt-hook) run apt purge proxmox-ve to remove the meta-package
W: (pve-apt-hook) and repeat your apt invocation.
W: (pve-apt-hook)
W: (pve-apt-hook) If you are unsure why 'proxmox-ve' would be removed, please verify
W: (pve-apt-hook) - your APT repository settings
W: (pve-apt-hook) - that you are using 'apt full-upgrade' to upgrade your system


Thanks for the next advice.
 
Hi,
Hello, After trying your suggestion got this warning, as its trying to remove all PVE:

Thanks for the next advice.
I'm guessing the commands needed to be run inside the container. But this is an old thread, please open a new one and describe the issue you are facing in detail while including the output of pveversion -v.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!