Container not starting after adding "lxc.aa_profile"

finlaydag33k

Hi there,

So I'm switching my VMs to Containers (as containers seem to be the better choice at the moment).
However, one of my containers needs to mount a CIFS share (I know NFS is probably the better choice, but it's just for a Plex Media Server).
However, AppArmor denied mounting (which took me a while to figure out on its own).
So, I edited the file
Code:
/etc/apparmor.d/lxc/lxc-default-with-mounting
and added
Code:
mount fstype=cifs,
And, of course, reloaded the lxc configs with
Code:
apparmor_parser -r /etc/apparmor.d/lxc-containers
Then I told the container to use profile
Code:
lxc-default-with-mounting
by adding the following line to my container's config:
Code:
lxc.aa_profile: lxc-default-with-mounting
And now the container won't start at all...

Code:
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
TASK ERROR: command 'lxc-start -n 106' failed: exit code 1


This is the config file for the container:
Code:
arch: amd64
cpulimit: 1
cpuunits: 1024
hostname: plexyglass
memory: 512
net0: bridge=vmbr0,hwaddr=36:34:63:36:61:35,ip=dhcp,ip6=dhcp,name=eth0,type=veth
ostype: debian
rootfs: NAS:106/vm-106-disk-1.raw,size=10G
swap: 1024
lxc.aa_profile: lxc-default-with-mounting


and the apparmor profile:
Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
  mount fstype=cifs,
}



Anybody who has a clue on how to fix it?

Cheers :)
 
lxc-default-with-mounting is based on lxc-default, but our containers need lxc-default-cgns.
I recommend duplicating the lxc-default-cgns into a new file (don't forget to change the profile name inside the file) and adding the extra options in there.
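
The reply above stresses changing the profile name inside the copied file: AppArmor identifies a profile by the name on its `profile` line, not by the file name, so the value given to `lxc.aa_profile` has to match that line. A small check for this, as an added example that is not part of the original thread (the function names and the constructed sample files are assumptions):

```shell
#!/bin/sh
# Added example: function names and the sample files below are constructed.

# Print the profile names declared in an AppArmor profile file
# (lines of the form: profile NAME flags=(...) {).
declared_profiles() {
    sed -n 's/^[[:space:]]*profile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Print the lxc.aa_profile value from a container config. Accepts the
# "key: value" form used in the config on this page and "key = value".
configured_profile() {
    sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*[:=][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# check_aa_profile CONF PROFILE_FILE...
# Returns 0 if the configured name is declared in one of the files,
# 1 if it is not, 2 if the config sets no lxc.aa_profile at all.
check_aa_profile() {
    conf=$1; shift
    want=$(configured_profile "$conf")
    if [ -z "$want" ]; then
        echo "no lxc.aa_profile in $conf" >&2; return 2
    fi
    for f in "$@"; do
        if declared_profiles "$f" | grep -Fxq -- "$want"; then
            echo "ok: '$want' is declared in $f"; return 0
        fi
    done
    echo "mismatch: '$want' is not declared in: $*" >&2
    for f in "$@"; do declared_profiles "$f" | sed 's/^/  declared: /' >&2; done
    return 1
}

# Demo on constructed copies of the two files quoted in the question.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'hostname: plexyglass' \
        'lxc.aa_profile: lxc-default-with-mounting' > "$d/106.conf"
    printf '%s\n' 'profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {' \
        '  mount fstype=cifs,' '}' > "$d/lxc-default-with-mounting"
    check_aa_profile "$d/106.conf" "$d/lxc-default-with-mounting"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "demo exit status: $?"
```

On a host, pass the container's config file followed by the files under /etc/apparmor.d/lxc/.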
 
Where can I find the `lxc-default-cgns`?
I've looked in /etc/apparmor.d/lxc, but it doesn't exist there.
 
Maybe you have an outdated version of lxc-pve? What does "pveversion -v" say?
 
