Apparmor permission issues after switching from unprivileged to privileged LXC

[maeries]

I was running an unprivileged LXC and converted it to a privileged one (backed it up and then restored with it set to privileged) and now I have issues with Apparmor. My main problem is starting a Docker container

~/pihole$ docker-compose up
Creating network "pihole_default" with the default driver
Creating pihole ... error

ERROR: for pihole  Cannot start service pihole: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default867319686` failed with output: apparmor_parser: Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243

ERROR: for pihole  Cannot start service pihole: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default867319686` failed with output: apparmor_parser: Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243
ERROR: Encountered errors while bringing up the project.

But apparmor in general does not seem to work right

$ sudo systemctl status apparmor.service
* apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2020-11-02 18:22:00 UTC; 8s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 12106 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
   Main PID: 12106 (code=exited, status=1/FAILURE)

Nov 02 18:22:00 Docker apparmor.systemd[12111]: /sbin/apparmor_parser: Unable to replace "lsb_release".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12112]: /sbin/apparmor_parser: Unable to replace "kmod".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12112]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12132]: /sbin/apparmor_parser: Unable to replace "lsb_release".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12133]: /sbin/apparmor_parser: Unable to replace "kmod".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12133]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12106]: Error: At least one profile failed to load
Nov 02 18:22:00 Docker systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Nov 02 18:22:00 Docker systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 02 18:22:00 Docker systemd[1]: Failed to start Load AppArmor profiles.

I already tried to reinstall Apparmor, but that didn't help.

Has anyone an idea how to solve the issue?

 

[maeries]

lol, one more google search solved the problem. https://forum.proxmox.com/threads/5-3-and-lxc-nesting.49951/post-232938

 

[maeries]

Plot twist! The solution I posted above does NOT solve the problem. I now switched a second server from unprivileged to privileged by what I noticed that uninstalling apparmor inside the LXC solved the problem.

Now I don't really know what apparmor does, but I guess one wants to have it installed, so I'm looking for a solution again

 

[voarsh]

Wait, so your problem is resolved by uninstalling Apparmor, but you say you don't know what it is so it should be installed, so you're looking for a solution?
Do things not work without Apparmor?

 

[maeries]

Wait, so your problem is resolved by uninstalling Apparmor, but you say you don't know what it is so it should be installed, so you're looking for a solution?
Do things not work without Apparmor?

Everything works when Apparmor is not installed. But Apparmor is a security feature and I would like my server as secure as possible

 

[voarsh]

Everything works when Apparmor is not installed. But Apparmor is a security feature and I would like my server as secure as possible

Right.
And did you find a solution without removing Apparmor?

 

[maeries]

No. I guess the problem is that Apparmor does not have the right profile installed, but I have no idea where to get it and how to use it, if profiles are the problem at all

 

[mir]

Everything works when Apparmor is not installed. But Apparmor is a security feature and I would like my server as secure as possible

So you convert from unprivileged to a privileged container, sounds contradictory to me

 

[OnlyHardOfficial]

I was running an unprivileged LXC and converted it to a privileged one (backed it up and then restored with it set to privileged) and now I have issues with Apparmor. My main problem is starting a Docker container

~/pihole$ docker-compose up
Creating network "pihole_default" with the default driver
Creating pihole ... error

ERROR: for pihole  Cannot start service pihole: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default867319686` failed with output: apparmor_parser: Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243

ERROR: for pihole  Cannot start service pihole: AppArmor enabled on system but the docker-default profile could not be loaded: running `/sbin/apparmor_parser apparmor_parser -Kr /var/lib/docker/tmp/docker-default867319686` failed with output: apparmor_parser: Unable to replace "docker-default".  Permission denied; attempted to load a profile while confined?

error: exit status 243
ERROR: Encountered errors while bringing up the project.

But apparmor in general does not seem to work right

$ sudo systemctl status apparmor.service
* apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2020-11-02 18:22:00 UTC; 8s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 12106 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
   Main PID: 12106 (code=exited, status=1/FAILURE)

Nov 02 18:22:00 Docker apparmor.systemd[12111]: /sbin/apparmor_parser: Unable to replace "lsb_release".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12112]: /sbin/apparmor_parser: Unable to replace "kmod".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12112]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12132]: /sbin/apparmor_parser: Unable to replace "lsb_release".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12133]: /sbin/apparmor_parser: Unable to replace "kmod".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12133]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe".  Permission denied; attempted to load a profile while confined?
Nov 02 18:22:00 Docker apparmor.systemd[12106]: Error: At least one profile failed to load
Nov 02 18:22:00 Docker systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Nov 02 18:22:00 Docker systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 02 18:22:00 Docker systemd[1]: Failed to start Load AppArmor profiles.

I already tried to reinstall Apparmor, but that didn't help.

Has anyone an idea how to solve the issue?

So you convert from unprivileged to a privileged container, sounds contradictory to me

I apologize in advance to everyone. But this situation also happened to me on my Proxmox VE "Virtual Environment 8.0.3"
4 x Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz (1 Socket)
It's so frustrating to execute commands well and then out of nowhere, for no apparent reason, come up with strange and bizarre errors like these ... even if the code and bugfixes have been improved by today's date (28/07/2023"dd/mm/yyyy")
Simple and straightforward. The error is here "like below"
When we all go to run a Container Template based on LXD technology.



Please do not change this option below "Unplivliged container" (Do not deselect! Keep it selected)

Otherwise, all these errors and mistakes mentioned above will pop up like mushrooms!


I've had this error a few times, and it was quite frustrating not knowing where the error came from!

What does checking this checkbox mean:

"Unprivileged containers are when the container is created and run as a user as opposed to the root. This is the safest way to use a container, because if the container security gets compromised and the intruder breaks out of the container, they will find themselves as a nobody user with extremely limited privileges."​

More Info HERE


I hope I managed to be quite explanatory, and quite clear with my explanation! And also help all users proactively using Proxmox or not, and also all users coming from outside having this error.

Best Regards

 

[Ramalama]

I apologize in advance to everyone. But this situation also happened to me on my Proxmox VE "Virtual Environment 8.0.3"
4 x Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz (1 Socket)
It's so frustrating to execute commands well and then out of nowhere, for no apparent reason, come up with strange and bizarre errors like these ... even if the code and bugfixes have been improved by today's date (28/07/2023"dd/mm/yyyy")
Simple and straightforward. The error is here "like below"
When we all go to run a Container Template based on LXD technology.

View attachment 53617

Please do not change this option below "Unplivliged container" (Do not deselect! Keep it selected)

Otherwise, all these errors and mistakes mentioned above will pop up like mushrooms!

View attachment 53618
I've had this error a few times, and it was quite frustrating not knowing where the error came from!

What does checking this checkbox mean:

"Unprivileged containers are when the container is created and run as a user as opposed to the root. This is the safest way to use a container, because if the container security gets compromised and the intruder breaks out of the container, they will find themselves as a nobody user with extremely limited privileges."​

More Info HERE


I hope I managed to be quite explanatory, and quite clear with my explanation! And also help all users proactively using Proxmox or not, and also all users coming from outside having this error.

Best Regards

Hi, i don't understand what you want to ask tbh, but let's try:

1. "What does checking this checkbox mean:"
-- Means simply, that an Unprivileged container maps the user and group to an id+100000 on the Proxmox host itself.
For example the root user inside the lxc container has the group id of 0 and user id of 0, while on the Proxmox host itself that user has an group id of 100000 and user id of 100000.

If you create an custom user inside the lxc container with a user if of 285 and group id of 245, that same user will have on the Proxmox host an user id of 100285 and group id of 100245.

Means that the root user of your lxc container or the custom user of your lxc container, doesn't have access on the host to anything if he breach out of the container.

---
On a privileged lxc container the root user has the user id and group of 0, same as on unprivileged lxc container.
But on the Proxmox host there won't be any user mapping, means there is no +100000.
This means that this root user inside the privileged lxc container with the id of 0, is the root user on the Proxmox host itself with the id of 0.

This means also, if the root user breach out of the privileged lxc container, he will be the root user on the Proxmox host itself, with access to everything on the Proxmox host.


2. It's a known issue that on priviliged debian and ubuntu lxc containers, apparmor isn't working.
On an priviliged Archlinux container it is working for example.
On unprivileged debian/ubuntu containers apparmor is working fine!

I don't know the reason, probably apparmor profile issues or whatever.
However on priviliged containers, apparmor has anyway little benefit. It would be nice if it would work actually, but the best thing you can do, is simply removing apparmor.
Uninstall it on every priviliged container and you're good.


Hopefully i understood your question?

Cheers!

 

[OnlyHardOfficial]

Hi, i don't understand what you want to ask tbh, but let's try:

1. "What does checking this checkbox mean:"
-- Means simply, that an Unprivileged container maps the user and group to an id+100000 on the Proxmox host itself.
For example the root user inside the lxc container has the group id of 0 and user id of 0, while on the Proxmox host itself that user has an group id of 100000 and user id of 100000.

If you create an custom user inside the lxc container with a user if of 285 and group id of 245, that same user will have on the Proxmox host an user id of 100285 and group id of 100245.

Means that the root user of your lxc container or the custom user of your lxc container, doesn't have access on the host to anything if he breach out of the container.

---
On a privileged lxc container the root user has the user id and group of 0, same as on unprivileged lxc container.
But on the Proxmox host there won't be any user mapping, means there is no +100000.
This means that this root user inside the privileged lxc container with the id of 0, is the root user on the Proxmox host itself with the id of 0.

This means also, if the root user breach out of the privileged lxc container, he will be the root user on the Proxmox host itself, with access to everything on the Proxmox host.


2. It's a known issue that on priviliged debian and ubuntu lxc containers, apparmor isn't working.
On an priviliged Archlinux container it is working for example.
On unprivileged debian/ubuntu containers apparmor is working fine!

I don't know the reason, probably apparmor profile issues or whatever.
However on priviliged containers, apparmor has anyway little benefit. It would be nice if it would work actually, but the best thing you can do, is simply removing apparmor.
Uninstall it on every priviliged container and you're good.


Hopefully i understood your question?

Cheers!

Yes, I found your answer to be the best on the whole internet I have searched so far!

 

[bizzarrone]

Plot twist! The solution I posted above does NOT solve the problem. I now switched a second server from unprivileged to privileged by what I noticed that uninstalling apparmor inside the LXC solved the problem.

Now I don't really know what apparmor does, but I guess one wants to have it installed, so I'm looking for a solution again

I confirm. I solved removing apparmor. ubuntu 24.04

 

[jeefyang]

I confirm. I solved removing apparmor. ubuntu 24.04

thank you ,i solved!!!