AppArmor problem in containers based on openSUSE template

[RealSoulskater]

Hi

I have been using the openSUSE 15.3 container template for a while now and it has been working great, but after upgrade to 7.2x the apparmor do not work in the containers, old as new ones, it seems to work in the Ubuntu 20.04 container i also have running.

i tried to create a new container but it gets the same issue right out of the box, tried with unprivileged and privileged mode, the one set as privileged do not work at all, it is running but cannot be accessed in console, get no prompt so i cannot check services there.

Below is all the info that i collected based on reading a lot of post, but if there is something i missed i will look it up.

The container logs are attached as a text file since a couldn't post all of it in one post...

Container template: opensuse-15.3-default_20210925_amd64

Errors inside the containers:

AppArmor service

Aug 21 10:39:50 lxcu systemd[1]: Starting Load AppArmor profiles...
Aug 21 10:39:50 lxcu apparmor.systemd[543]: grep: /etc/fstab: No such file or directory
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Mounting securityfs on /sys/kernel/security
Aug 21 10:39:50 lxcu apparmor.systemd[548]: mount: /sys/kernel/security: permission denied.
Aug 21 10:39:50 lxcu apparmor.systemd[541]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Aug 21 10:39:50 lxcu systemd[1]: apparmor.service: Failed with result 'exit-code'.
Aug 21 10:39:50 lxcu systemd[1]: Failed to start Load AppArmor profiles.

sys-kernel-config.mount service

Aug 21 10:48:42 lxcu systemd[1]: Mounting Kernel Configuration File System...
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu systemd[1]: Failed to mount Kernel Configuration File System.

sys-kernel-debug.mount service

Aug 21 10:48:42 lxcu systemd[1]: Mounting Kernel Configuration File System...
Aug 21 10:48:42 lxcu mount[560]: mount: /sys/kernel/config: permission denied.
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Aug 21 10:48:42 lxcu systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Aug 21 10:48:42 lxcu systemd[1]: Failed to mount Kernel Configuration File System.

Proxmox Host

apparmor_parser --version

AppArmor parser version 2.13.6
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.

pveversion -v

proxmox-ve: 7.2-1 (running kernel: 5.15.39-3-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-8
pve-kernel-helper: 7.2-8
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-7
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-11
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1

Privileged conatiner

pct config 119

arch: amd64
cores: 1
hostname: lxcp
memory: 1024
nameserver: xxx
net0: name=eth0,bridge=vmbr0,firewall=1,gw=xxx,hwaddr=62:0C:DF:56:1E:2B,ip=xxx/24,tag=1,type=veth
ostype: opensuse
rootfs: zfsdata:subvol-119-disk-0,size=8G
searchdomain: xxx
swap: 1024

cat /var/lib/lxc/119/config

lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/119
lxc.cgroup.dir.container = lxc/119
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.apparmor.profile = generated
lxc.apparmor.raw = deny mount -> /proc/,
lxc.apparmor.raw = deny mount -> /sys/,
lxc.monitor.unshare = 1
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = lxcp
lxc.cgroup2.memory.max = 1073741824
lxc.cgroup2.memory.swap.max = 1073741824
lxc.rootfs.path = /var/lib/lxc/119/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth119i0
lxc.net.0.hwaddr = 62:0C:DF:56:1E:2B
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 7

Unprivileged conatiner

pct config 120

rch: amd64
cores: 1
features: nesting=1
hostname: lxcu
memory: 1024
nameserver: xxx
net0: name=eth0,bridge=vmbr0,firewall=1,gw=xxx,hwaddr=A2:90:3E:F3:A2:93,ip=xxx/24,tag=1,type=veth
ostype: opensuse
rootfs: zfsdata:subvol-120-disk-0,size=8G
searchdomain: xxx
swap: 1024
unprivileged: 1

/var/lib/lxc/120/config

lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/120
lxc.cgroup.dir.container = lxc/120
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/opensuse.common.conf
lxc.include = /usr/share/lxc/config/opensuse.userns.conf
lxc.seccomp.profile = /var/lib/lxc/120/rules.seccomp
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.mount.auto = sys:mixed
lxc.monitor.unshare = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = lxcu
lxc.cgroup2.memory.max = 1073741824
lxc.cgroup2.memory.swap.max = 1073741824
lxc.rootfs.path = /var/lib/lxc/120/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth120i0
lxc.net.0.hwaddr = A2:90:3E:F3:A2:93
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 3

 

[RealSoulskater]

Was looking at the permission under /sys/kernel and security folder do not have same security as the other folders, this might be the problem?

/Marcus

drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 boot_params
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 btf
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 cgroup
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 config
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 debug
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 fscaps
drwxr-xr-x  14 65534 65534    0 Aug 23 07:00 iommu_groups
drwxr-xr-x  84 65534 65534    0 Aug 23 07:00 irq
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 kexec_crash_loaded
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 kexec_crash_size
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 kexec_loaded
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 livepatch
drwxr-xr-x   8 65534 65534    0 Aug 23 07:00 mm
-r--r--r--   1 65534 65534  516 Aug 23 07:00 notes
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 profiling
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 rcu_expedited
-rw-r--r--   1 65534 65534 4.0K Aug 23 07:00 rcu_normal
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 reboot
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 security
drwxr-xr-x 222 65534 65534    0 Aug 23 07:00 slab
drwxr-xr-x   2 65534 65534    0 Aug 23 07:00 software_nodes
drwxr-xr-x   4 65534 65534    0 Aug 23 07:00 sunrpc
dr-xr-xr-x   2 65534 65534    0 Aug 23 07:00 tracing
-rw-r--r--   1 65534 65534 4.0K Aug 19 09:53 uevent_helper
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 uevent_seqnum
-r--r--r--   1 65534 65534 4.0K Aug 23 07:00 vmcoreinfo

 

[RealSoulskater]

Updated to newer kernel today, same result.

pveversion -v

proxmox-ve: 7.2-1 (running kernel: 5.15.39-4-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-9
pve-kernel-helper: 7.2-9
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.39-4-pve: 5.15.39-4
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-8
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1

 

[RealSoulskater]

Over a week since posting and no one has a clue or idea on how to fix this?

 

[RealSoulskater]

Still an issue with newer ProxMox patches, even tried a newer openSUSE image from linuxcontainers.org, same issue.