Apparmor permission issues after switching from unprivileged to privileged LXC

maeries

Active Member
Jul 10, 2015
I was running an unprivileged LXC and converted it to a privileged one (backed it up and then restored it with it set to privileged), and now I have issues with AppArmor. My main problem is starting a Docker container:

Code:
~/pihole$ docker-compose up
Creating network "pihole_default" with the default driver
Creating pihole ... error

ERROR: for pihole  Cannot start service pihole: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default867319686` failed with output: apparmor_parser: Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243

ERROR: for pihole  Cannot start service pihole: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default867319686` failed with output: apparmor_parser: Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243
ERROR: Encountered errors while bringing up the project.

But AppArmor in general does not seem to work right:

Code:
$ sudo systemctl status apparmor.service
* apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2020-11-02 18:22:00 UTC; 8s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 12106 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
   Main PID: 12106 (code=exited, status=1/FAILURE)

Nov 02 18:22:00 Docker apparmor.systemd[12111]: /sbin/apparmor_parser: Unable to replace "lsb_release".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12112]: /sbin/apparmor_parser: Unable to replace "kmod".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12112]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12132]: /sbin/apparmor_parser: Unable to replace "lsb_release".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12133]: /sbin/apparmor_parser: Unable to replace "kmod".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12133]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12106]: Error: At least one profile failed to load
Nov 02 18:22:00 Docker systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Nov 02 18:22:00 Docker systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 02 18:22:00 Docker systemd[1]: Failed to start Load AppArmor profiles.

I already tried to reinstall AppArmor, but that didn't help.

Does anyone have an idea how to solve the issue?
 
Plot twist! The solution I posted above does NOT solve the problem. I have now switched a second server from unprivileged to privileged, whereby I noticed that uninstalling AppArmor inside the LXC solved the problem.

Now, I don't really know what AppArmor does, but I guess one wants to have it installed, so I'm looking for a solution again.
 
Wait, so your problem is resolved by uninstalling AppArmor, but you say you don't know what it is, so it should be installed, so you're looking for a solution?
Do things not work without Apparmor?
 
Everything works when AppArmor is not installed. But AppArmor is a security feature and I would like my server to be as secure as possible.
 
No. I guess the problem is that AppArmor does not have the right profile installed, but I have no idea where to get it and how to use it, if profiles are the problem at all.
 
So you converted from an unprivileged to a privileged container? Sounds contradictory to me :rolleyes:
I apologize in advance to everyone. But this situation also happened to me on my Proxmox VE "Virtual Environment 8.0.3"
4 x Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz (1 Socket)
It's so frustrating to execute commands correctly and then, out of nowhere and for no apparent reason, run into strange and bizarre errors like these ... even though the code and bugfixes have been improved as of today's date (28/07/2023, "dd/mm/yyyy").
Simple and straightforward. The error is shown below.
It appears when we go to run a Container Template based on LXD technology.

1690573297085.png

Please do not change this option below, "Unprivileged container" (do not deselect it! Keep it selected).

Otherwise, all the errors and mistakes mentioned above will pop up like mushrooms!

1690573411791.png
I've had this error a few times, and it was quite frustrating not knowing where the error came from!

What does checking this checkbox mean:
"Unprivileged containers are when the container is created and run as a user as opposed to the root. This is the safest way to use a container, because if the container security gets compromised and the intruder breaks out of the container, they will find themselves as a nobody user with extremely limited privileges."
More Info HERE


I hope I managed to be explanatory and clear with my explanation, and to help all users proactively, whether they use Proxmox or not, as well as all users coming from outside who have this error.

Best Regards
 
Hi, I don't understand what you want to ask tbh, but let's try:

1. "What does checking this checkbox mean:"
-- It simply means that an unprivileged container maps the user and group ids to id+100000 on the Proxmox host itself.
For example, the root user inside the LXC container has a group id of 0 and a user id of 0, while on the Proxmox host itself that user has a group id of 100000 and a user id of 100000.

If you create a custom user inside the LXC container with a user id of 285 and a group id of 245, that same user will have a user id of 100285 and a group id of 100245 on the Proxmox host.

This means that the root user of your LXC container, or the custom user of your LXC container, doesn't have access to anything on the host if they break out of the container.

---
On a privileged LXC container the root user has a user id and group id of 0, the same as on an unprivileged LXC container.
But on the Proxmox host there won't be any user mapping, meaning there is no +100000.
This means that the root user inside the privileged LXC container, with id 0, is the root user on the Proxmox host itself, with id 0.

This also means that if the root user breaks out of the privileged LXC container, they will be the root user on the Proxmox host itself, with access to everything on the Proxmox host.


2. It's a known issue that on privileged Debian and Ubuntu LXC containers, AppArmor isn't working.
On a privileged Arch Linux container it is working, for example.
On unprivileged Debian/Ubuntu containers AppArmor is working fine!

I don't know the reason, probably AppArmor profile issues or whatever.
However, on privileged containers AppArmor has little benefit anyway. It would be nice if it worked, actually, but the best thing you can do is simply remove AppArmor.
Uninstall it on every privileged container and you're good.


Hopefully I understood your question?

Cheers!
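The id mapping described in point 1 and the "attempted to load a profile while confined?" error from the first post can both be checked from inside a container. The script below is an added example, not from this thread or from Proxmox: it applies the `/proc/self/uid_map` format ("inside outside count") to the thread's uid 285 example, classifies the container as privileged or unprivileged from the live map, and prints the AppArmor label of the current process. The sample map and the `map_id`/`container_kind` helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect how this container's ids map to
# the host, and whether the container process is itself AppArmor-confined.

# map_id CONTAINER_ID "MAP_LINES": apply /proc/self/uid_map-style lines
# ("inside outside count") and print the host id, or "unmapped".
map_id() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# container_kind "MAP_LINES": an identity map "0 0 4294967295" on the first line
# means no user namespace remap (privileged, container root == host root).
container_kind() {
    case "$(printf '%s\n' "$1" | awk 'NR == 1 { print $1, $2, $3 }')" in
        "0 0 4294967295") echo privileged ;;
        *) echo unprivileged ;;
    esac
}

# Constructed sample map, as seen from inside a Proxmox unprivileged container
# (container ids 0-65535 map to host ids 100000-165535).
SAMPLE_MAP="0 100000 65536"
echo "sample map '$SAMPLE_MAP': container uid 285 -> host uid $(map_id 285 "$SAMPLE_MAP")"

# Live view of the process we are running in.
if [ -r /proc/self/uid_map ]; then
    LIVE_MAP=$(cat /proc/self/uid_map)
    echo "this process: $(container_kind "$LIVE_MAP") (uid_map: $(echo $LIVE_MAP))"
fi
# "unconfined" on a bare host; a profile name with "(enforce)" means the container
# is confined from the host side, which is when apparmor_parser inside the
# container is denied when it tries to load or replace profiles.
[ -r /proc/self/attr/current ] && echo "apparmor label: $(cat /proc/self/attr/current 2>/dev/null)"
```

On an unprivileged container the first line reports host uid 100285 for container uid 285, matching the reply above; on a privileged one `container_kind` reports the identity map.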
 
Yes, I found your answer to be the best on the whole internet I have searched so far!
 