Hi
I have been using the openSUSE 15.3 container template for a while now and it has been working great, but after the upgrade to 7.2x AppArmor does not work in the containers, old as well as new ones. It seems to work in the Ubuntu 20.04 container I also have running.
I tried to create a new container but it gets the same issue right out of the box. I tried with unprivileged and privileged mode; the one set as privileged does not work at all: it is running but cannot be accessed in the console, I get no prompt, so I cannot check services there.
Below is all the info that I collected based on reading a lot of posts, but if there is something I missed I will look it up.
The container logs are attached as a text file since I couldn't post all of it in one post...
Container template: opensuse-15.3-default_20210925_amd64
Errors inside the containers:
AppArmor service
Code:
Aug 21 10:39:50 lxcu systemd[1]: Starting Load AppArmor profiles...
Aug 21 10:39:50 lxcu apparmor.systemd[543]: grep: /etc/fstab: No such file or directory
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Mounting securityfs on /sys/kernel/security
Aug 21 10:39:50 lxcu apparmor.systemd[548]: mount: /sys/kernel/security: permission denied.
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 21 10:39:50 lxcu systemd[1]: Failed to start Load AppArmor profiles.
sys-kernel-config.mount service
Code:
Aug 21 10:48:42 lxcu systemd[1]: Mounting Kernel Configuration File System...
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu systemd[1]: Failed to mount Kernel Configuration File System.
sys-kernel-debug.mount service
Code:
Aug 21 10:48:42 lxcu systemd[1]: Mounting Kernel Configuration File System...
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu systemd[1]: Failed to mount Kernel Configuration File System.
Proxmox Host
apparmor_parser --version
Code:
AppArmor parser version 2.13.6
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.
pveversion -v
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.39-3-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-8
pve-kernel-helper: 7.2-8
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-7
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-11
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1
Privileged container
pct config 119
Code:
arch: amd64
cores: 1
hostname: lxcp
memory: 1024
nameserver: xxx
net0: name=eth0,bridge=vmbr0,firewall=1,gw=xxx,hwaddr=62:0C:DF:56:1E:2B,ip=xxx/24,tag=1,type=veth
ostype: opensuse
rootfs: zfsdata:subvol-119-disk-0,size=8G
searchdomain: xxx
swap: 1024
cat /var/lib/lxc/119/config
Code:
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/119
lxc.cgroup.dir.container = lxc/119
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.apparmor.profile = generated
lxc.apparmor.raw = deny mount -> /proc/,
lxc.apparmor.raw = deny mount -> /sys/,
lxc.monitor.unshare = 1
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = lxcp
lxc.cgroup2.memory.max = 1073741824
lxc.cgroup2.memory.swap.max = 1073741824
lxc.rootfs.path = /var/lib/lxc/119/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth119i0
lxc.net.0.hwaddr = 62:0C:DF:56:1E:2B
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 7
Unprivileged container
pct config 120
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: lxcu
memory: 1024
nameserver: xxx
net0: name=eth0,bridge=vmbr0,firewall=1,gw=xxx,hwaddr=A2:90:3E:F3:A2:93,ip=xxx/24,tag=1,type=veth
ostype: opensuse
rootfs: zfsdata:subvol-120-disk-0,size=8G
searchdomain: xxx
swap: 1024
unprivileged: 1
/var/lib/lxc/120/config
Code:
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/120
lxc.cgroup.dir.container = lxc/120
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.include = /usr/share/lxc/config/opensuse.userns.conf
lxc.seccomp.profile = /var/lib/lxc/120/rules.seccomp
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.mount.auto = sys:mixed
lxc.monitor.unshare = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = lxcu
lxc.cgroup2.memory.max = 1073741824
lxc.cgroup2.memory.swap.max = 1073741824
lxc.rootfs.path = /var/lib/lxc/120/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth120i0
lxc.net.0.hwaddr = A2:90:3E:F3:A2:93
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 3
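As an added helper that is not part of the post or of Proxmox, the script below pairs the "permission denied" mount lines from a guest journal (like the ones above) with the host-side lxc.apparmor.* and lxc.mount.auto settings of the container's /var/lib/lxc/<id>/config. The embedded config and journal lines are constructed samples modelled on container 120; the function and key names are my own.

```python
import re

# Constructed sample, modelled on the post's unprivileged container 120 and its guest journal.
SAMPLE_CONFIG = """\
lxc.include = /usr/share/lxc/config/opensuse.userns.conf
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.mount.auto = sys:mixed
lxc.idmap = u 0 100000 65536
"""
SAMPLE_JOURNAL = """\
Aug 21 10:39:50 lxcu apparmor.systemd[548]: mount: /sys/kernel/security: permission denied.
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
"""
DENIED_RE = re.compile(r"mount: (?P<target>/\S+): permission denied")
FAILED_RE = re.compile(r"(?P<unit>\S+\.(?:service|mount)): Failed with result")

def parse_lxc_config(text):
    """Collect the LXC keys that govern what the guest may mount under /sys;
    lxc.apparmor.raw may repeat (kept as a list) and lxc.idmap means unprivileged."""
    cfg = {"unprivileged": False, "apparmor.raw": []}
    for line in text.splitlines():
        key, sep, val = (p.strip() for p in line.partition("="))
        if not sep or key.startswith("#"):
            continue
        if key == "lxc.apparmor.raw":
            cfg["apparmor.raw"].append(val)
        elif key == "lxc.idmap":
            cfg["unprivileged"] = True
        elif key.startswith("lxc.apparmor.") or key == "lxc.mount.auto":
            cfg[key[len("lxc."):]] = val
    return cfg

def denied_mounts(journal):
    """Mount targets refused inside the guest and the systemd units that failed."""
    targets = [m.group("target") for m in DENIED_RE.finditer(journal)]
    units = [m.group("unit") for m in FAILED_RE.finditer(journal)]
    return targets, units

def diagnose(cfg, journal):
    """Pair the refused mounts with the host-side settings that bear on them."""
    targets, units = denied_mounts(journal)
    notes = []
    if "/sys/kernel/security" in targets:
        notes.append("securityfs refused: the guest's apparmor.service cannot load profiles")
    notes += ["host profile explicitly denies: " + r
              for r in cfg["apparmor.raw"] if r.startswith("deny mount") and "/sys/" in r]
    return {"failed_units": units, "denied": targets, "notes": notes}
```

On a real host, feed it the output of `cat /var/lib/lxc/<id>/config` and the guest's `journalctl -b` text instead of the samples.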