AppArmor problem in containers based on openSUSE template

RealSoulskater

New Member
Aug 21, 2022
Hi

I have been using the openSUSE 15.3 container template for a while now and it has been working great, but after the upgrade to 7.2x AppArmor does not work in the containers, old as well as new ones. It seems to work in the Ubuntu 20.04 container I also have running.

I tried to create a new container, but it gets the same issue right out of the box. I tried both unprivileged and privileged mode; the one set as privileged does not work at all: it is running but cannot be accessed in the console, I get no prompt, so I cannot check the services there.

Below is all the info that I collected based on reading a lot of posts, but if there is something I missed I will look it up.

The container logs are attached as a text file since I couldn't post all of it in one post...

Container template: opensuse-15.3-default_20210925_amd64

Errors inside the containers:

AppArmor service
Code:
Aug 21 10:39:50 lxcu systemd[1]: Starting Load AppArmor profiles...
Aug 21 10:39:50 lxcu apparmor.systemd[543]: grep: /etc/fstab: No such file or directory
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Mounting securityfs on /sys/kernel/security
Aug 21 10:39:50 lxcu apparmor.systemd[548]: mount: /sys/kernel/security: permission denied.
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 21 10:39:50 lxcu systemd[1]: Failed to start Load AppArmor profiles.

sys-kernel-config.mount service
Code:
Aug 21 10:48:42 lxcu systemd[1]: Mounting Kernel Configuration File System...
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu systemd[1]: Failed to mount Kernel Configuration File System.

sys-kernel-debug.mount service
Code:
Aug 21 10:48:42 lxcu systemd[1]: Mounting Kernel Configuration File System...
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu systemd[1]: Failed to mount Kernel Configuration File System.

Proxmox Host

apparmor_parser --version
Code:
AppArmor parser version 2.13.6
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.

pveversion -v
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.39-3-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-8
pve-kernel-helper: 7.2-8
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-7
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-11
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1

Privileged container

pct config 119
Code:
arch: amd64
cores: 1
hostname: lxcp
memory: 1024
nameserver: xxx
net0: name=eth0,bridge=vmbr0,firewall=1,gw=xxx,hwaddr=62:0C:DF:56:1E:2B,ip=xxx/24,tag=1,type=veth
ostype: opensuse
rootfs: zfsdata:subvol-119-disk-0,size=8G
searchdomain: xxx
swap: 1024

cat /var/lib/lxc/119/config
Code:
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/119
lxc.cgroup.dir.container = lxc/119
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.apparmor.profile = generated
lxc.apparmor.raw = deny mount -> /proc/,
lxc.apparmor.raw = deny mount -> /sys/,
lxc.monitor.unshare = 1
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = lxcp
lxc.cgroup2.memory.max = 1073741824
lxc.cgroup2.memory.swap.max = 1073741824
lxc.rootfs.path = /var/lib/lxc/119/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth119i0
lxc.net.0.hwaddr = 62:0C:DF:56:1E:2B
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 7

Unprivileged container

pct config 120
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: lxcu
memory: 1024
nameserver: xxx
net0: name=eth0,bridge=vmbr0,firewall=1,gw=xxx,hwaddr=A2:90:3E:F3:A2:93,ip=xxx/24,tag=1,type=veth
ostype: opensuse
rootfs: zfsdata:subvol-120-disk-0,size=8G
searchdomain: xxx
swap: 1024
unprivileged: 1

/var/lib/lxc/120/config
Code:
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/120
lxc.cgroup.dir.container = lxc/120
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.include = /usr/share/lxc/config/opensuse.userns.conf
lxc.seccomp.profile = /var/lib/lxc/120/rules.seccomp
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.mount.auto = sys:mixed
lxc.monitor.unshare = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = lxcu
lxc.cgroup2.memory.max = 1073741824
lxc.cgroup2.memory.swap.max = 1073741824
lxc.rootfs.path = /var/lib/lxc/120/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth120i0
lxc.net.0.hwaddr = A2:90:3E:F3:A2:93
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 3
 

Attachments

  • ContainerLogs.txt (30.1 KB)
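As an added example (not code from the thread or from Proxmox), a small Python triage helper that pulls the denied mount paths and the units that exited with a permission error out of the journal excerpt above and pairs them with the security-relevant keys of the container's LXC config (idmap, AppArmor profile, nesting, sysfs mount mode), so the findings for the privileged and unprivileged containers can be compared side by side. The journal lines and config keys embedded below are copied from this post; the function and field names are the example's own.

```python
import re

# Journal excerpt and LXC config as posted in the thread (container 120, "lxcu").
JOURNAL = """\
Aug 21 10:39:50 lxcu systemd[1]: Starting Load AppArmor profiles...
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Mounting securityfs on /sys/kernel/security
Aug 21 10:39:50 lxcu apparmor.systemd[548]: mount: /sys/kernel/security: permission denied.
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
"""

LXC_CONFIG = """\
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.mount.auto = sys:mixed
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

# "<unit>: ... exited, code=exited, status=<n>/<name>" as systemd logs it.
UNIT_FAIL = re.compile(r"systemd\[1\]: (\S+): .*exited, code=exited, status=(\d+)/(\S+)")
# mount(8) error line for a mountpoint the kernel/AppArmor refused.
MOUNT_DENIED = re.compile(r"mount: (/\S+): permission denied")


def parse_lxc_config(text):
    """Return a dict of lxc.* keys to lists of values (keys such as lxc.idmap repeat)."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg.setdefault(key, []).append(value)
    return cfg


def triage(journal, lxc_config):
    """Correlate denied mounts and failed units with the container's isolation settings."""
    cfg = parse_lxc_config(lxc_config)
    lines = journal.splitlines()
    denied = [m.group(1) for m in map(MOUNT_DENIED.search, lines) if m]
    failed = {m.group(1): (int(m.group(2)), m.group(3)) for m in map(UNIT_FAIL.search, lines) if m}
    return {
        "unprivileged": "lxc.idmap" in cfg,  # uid/gid mapping present => user namespace
        "apparmor_profile": cfg.get("lxc.apparmor.profile", [None])[0],
        "nesting": cfg.get("lxc.apparmor.allow_nesting", ["0"])[0] == "1",
        "sys_mount": cfg.get("lxc.mount.auto", [None])[0],
        "denied_mounts": denied,
        "failed_units": failed,
        "securityfs_denied": "/sys/kernel/security" in denied,
    }
```

Run `triage()` once per container with its own journal and `/var/lib/lxc/<id>/config` to see which units and mountpoints differ between the working Ubuntu guest and the failing openSUSE ones.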
I was looking at the permissions under /sys/kernel, and the security folder does not have the same security as the other folders; might this be the problem?

/Marcus

Code:
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 boot_params
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 btf
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 cgroup
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 config
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 debug
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 fscaps
drwxr-xr-x  14 65534 65534    0 Aug 23 07:00 iommu_groups
drwxr-xr-x  84 65534 65534    0 Aug 23 07:00 irq
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 kexec_crash_loaded
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 kexec_crash_size
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 kexec_loaded
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 livepatch
drwxr-xr-x   8 65534 65534    0 Aug 23 07:00 mm
-r--r--r--   1 65534 65534  516 Aug 23 07:00 notes
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 profiling
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 rcu_expedited
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 rcu_normal
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 reboot
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 security
drwxr-xr-x 222 65534 65534    0 Aug 23 07:00 slab
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 software_nodes
drwxr-xr-x   4 65534 65534    0 Aug 23 07:00 sunrpc
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 tracing
-rw-r--r--   1 65534 65534 4.0K Aug 19 09:53 uevent_helper
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 uevent_seqnum
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 vmcoreinfo
 
Updated to a newer kernel today, same result.

pveversion -v
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.39-4-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-9
pve-kernel-helper: 7.2-9
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.39-4-pve: 5.15.39-4
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-8
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1
 
Still an issue with the newer Proxmox patches; I even tried a newer openSUSE image from linuxcontainers.org, same issue.
 
