Container not starting after adding "lxc.aa_profile"

[finlaydag33k]

Hii There,

So I'm switching my VMs to Containers (as containers seem to be the better choice at the moment).
However, one of my containers needs to mount a CIFS share (I know NFS is probably the better choice, but it's just for a Plex Media Server).
However, Apparmor denied mounting (which took me a while to figure out on it's own).
So, I edited the file

/etc/apparmor.d/lxc/lxc-default-with-mounting

and added

mount fstype=cifs,

And, ofcourse, reloaded the lxc configs with

apparmor_parser -r /etc/apparmor.d/lxc-containers

Then I told the container to use profile

lxc-default-with-mounting

by adding the following line to my container's config:

lxc.aa_profile: lxc-default-with-mounting

And now the container won't start at all...

lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
TASK ERROR: command 'lxc-start -n 106' failed: exit code 1

This is the config file for the container:

arch: amd64
cpulimit: 1
cpuunits: 1024
hostname: plexyglass
memory: 512
net0: bridge=vmbr0,hwaddr=36:34:63:36:61:35,ip=dhcp,ip6=dhcp,name=eth0,type=veth
ostype: debian
rootfs: NAS:106/vm-106-disk-1.raw,size=10G
swap: 1024
lxc.aa_profile: lxc-default-with-mounting

and the apparmor profile:

# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
  mount fstype=cifs,
}

Anybody who has a clue on how to fix it?

Cheers

 

[wbumiller]

lxc-default-with-mounting is based on lxc-default, but our containers need lxc-default-cgns.
I recommend duplicating the lxc-default-cgns into a new file (don't forget to change the profile name inside the file) and adding the extra options in there.

 

[finlaydag33k]

where can I find the `lxc-default-cgns`?
I've looked in /etc/apparmor.d/lxc, but it doesn't exist there.

 

[fabian]

maybe you have an outdated version of lxc-pve? what does "pveversion -v" say?