dmesg apparmor issue

Rikard

New Member
Aug 2, 2019
Hi,

I'm a bit worried as I looked in dmesg and got this:
[282316.641808] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[282316.642871] fwbr102i0: port 2(veth102i0) entered blocking state
[282316.643784] fwbr102i0: port 2(veth102i0) entered forwarding state
[282316.645844] audit: type=1400 audit(1598994079.025:262): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=31111 comm="(resolved)" srcname="/" flags="rw, rbind"
[282316.724247] audit: type=1400 audit(1598994079.105:263): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=31053 comm="apparmor_parser"
[282316.798525] audit: type=1400 audit(1598994079.181:264): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=30981 comm="apparmor_parser"
[282316.873708] audit: type=1400 audit(1598994079.253:265): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=31479 comm="apparmor_parser"
[282316.884778] audit: type=1400 audit(1598994079.265:266): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=31481 comm="apparmor_parser"
[283132.304116] fwbr102i0: port 2(veth102i0) entered disabled state
[283132.319490] device veth102i0 left promiscuous mode
[283132.320521] fwbr102i0: port 2(veth102i0) entered disabled state
[283132.575581] kauditd_printk_skb: 5 callbacks suppressed
[283132.575582] audit: type=1400 audit(1598994894.929:272): apparmor="STATUS" operation="profile_remove" profile="/usr/bin/lxc-start" name="lxc-102_</var/lib/lxc>" pid=32332 comm="apparmor_parser"
[283133.869125] fwbr102i0: port 1(fwln102i0) entered disabled state
[283133.870122] vmbr0: port 4(fwpr102p0) entered disabled state
[283133.885305] device fwln102i0 left promiscuous mode
[283133.886323] fwbr102i0: port 1(fwln102i0) entered disabled state
[283133.922571] device fwpr102p0 left promiscuous mode
[283133.923656] vmbr0: port 4(fwpr102p0) entered disabled state
[283134.522127] EXT4-fs (loop1): Mount option "noacl" will be removed by 3.5
Contact linux-ext4@vger.kernel.org if you think we should keep it.

[283134.573694] EXT4-fs (loop1): mounted filesystem with ordered data mode. Opts: noacl
[283134.884442] audit: type=1400 audit(1598994897.237:273): apparmor="STATUS" operation="profile_load" profile="/usr/bin/lxc-start" name="lxc-102_</var/lib/lxc>" pid=6622 comm="apparmor_parser"
[283135.224005] fwbr102i0: port 1(fwln102i0) entered blocking state
[283135.225050] fwbr102i0: port 1(fwln102i0) entered disabled state
[283135.227080] device fwln102i0 entered promiscuous mode
[283135.228040] fwbr102i0: port 1(fwln102i0) entered blocking state
[283135.228955] fwbr102i0: port 1(fwln102i0) entered forwarding state
[283135.234529] vmbr0: port 4(fwpr102p0) entered blocking state
[283135.235422] vmbr0: port 4(fwpr102p0) entered disabled state
[283135.236324] device fwpr102p0 entered promiscuous mode
[283135.237144] vmbr0: port 4(fwpr102p0) entered blocking state
[283135.237916] vmbr0: port 4(fwpr102p0) entered forwarding state
[283135.243716] fwbr102i0: port 2(veth102i0) entered blocking state
[283135.244520] fwbr102i0: port 2(veth102i0) entered disabled state
[283135.245379] device veth102i0 entered promiscuous mode
[283135.272735] eth0: renamed from vethqnihU5
[283137.612362] audit: type=1400 audit(1598994899.964:274): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=11643 comm="(networkd)" srcname="/" flags="rw, rbind"
[283137.792527] audit: type=1400 audit(1598994900.144:275): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=11873 comm="apparmor_parser"
[283137.803365] audit: type=1400 audit(1598994900.156:276): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=11869 comm="apparmor_parser"
[283137.826997] audit: type=1400 audit(1598994900.180:277): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=11905 comm="apparmor_parser"
[283137.828156] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[283137.829145] audit: type=1400 audit(1598994900.180:278): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=11905 comm="apparmor_parser"
[283137.829986] fwbr102i0: port 2(veth102i0) entered blocking state
[283137.832966] fwbr102i0: port 2(veth102i0) entered forwarding state
[283137.836621] audit: type=1400 audit(1598994900.188:279): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=12043 comm="(resolved)" srcname="/" flags="rw, rbind"
[283137.927333] audit: type=1400 audit(1598994900.280:280): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=11878 comm="apparmor_parser"
[283137.929943] audit: type=1400 audit(1598994900.280:281): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=11992 comm="apparmor_parser"
[283138.045394] audit: type=1400 audit(1598994900.396:282): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=12337 comm="apparmor_parser"
[283138.048922] audit: type=1400 audit(1598994900.396:283): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=12337 comm="apparmor_parser"
[283591.692403] fwbr102i0: port 2(veth102i0) entered disabled state
[283591.707712] device veth102i0 left promiscuous mode
[283591.708928] fwbr102i0: port 2(veth102i0) entered disabled state
[283591.961972] kauditd_printk_skb: 5 callbacks suppressed
[283591.961974] audit: type=1400 audit(1598995354.301:289): apparmor="STATUS" operation="profile_remove" profile="/usr/bin/lxc-start" name="lxc-102_</var/lib/lxc>" pid=1090 comm="apparmor_parser"
[283593.242151] fwbr102i0: port 1(fwln102i0) entered disabled state
[283593.243176] vmbr0: port 4(fwpr102p0) entered disabled state
[283593.258401] device fwln102i0 left promiscuous mode
[283593.259247] fwbr102i0: port 1(fwln102i0) entered disabled state
[283593.298111] device fwpr102p0 left promiscuous mode
[283593.298963] vmbr0: port 4(fwpr102p0) entered disabled state
[285906.930583] audit: type=1400 audit(1598997669.191:290): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=15384 comm="(ogrotate)" srcname="/" flags="rw, rbind"
[372249.771516] audit: type=1400 audit(1599084009.194:291): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=24077 comm="(ogrotate)" srcname="/" flags="rw, rbind"

As you can see there's a lot of what I believe are errors. I have looked up the NIC interfaces going up and down, which seems normal when LXCs are starting up, but the apparmor stuff that is associated with privileged container lxc-100 is worrying. I have to run it privileged as I need full bidirectional RW access between host and LXC in combination with a tricky FUSE-unionfs setup. There was no other way to do this than making it privileged.
My question is: how can I find out the problematic service, and why is this service creating this issue?
I'm running the latest PVE on an Intel system with the latest updates.
 
/etc/pve/lxc# more 100.conf
arch: amd64
cores: 4
hostname: qbit
memory: 16000
mp0: /mnt/virtualb,mp=mnt/unionb,ro=0
mp1: /mnt/virtualf,mp=mnt/unionf,ro=0
mp2: /mnt/virtuald,mp=mnt/uniond,ro=0
mp3: /mnt/virtualhv,mp=mnt/unionhv,ro=0
mp4: /mnt/virtualm,mp=mnt/unionm,ro=0
mp5: /mnt/virtualp,mp=mnt/unionp,ro=0
mp6: /mnt/virtualsf,mp=mnt/unionsf,ro=0
mp7: /mnt/virtualstv,mp=mnt/unionstv,ro=0
mp8: /mnt/virtualtv,mp=mnt/uniontv,ro=0
mp9: /mnt/pve/scratch/nzb,mp=/mnt/scratch,ro=0
nameserver: 1.1.1.1
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.88.1,hwaddr=A2:0E:1C:8C:96:7A,ip=192.168.88.197/24,ip6=dhcp,type=veth
ostype: ubuntu
rootfs: scratch:100/vm-100-disk-0.raw,mountoptions=noatime,size=100G
swap: 512

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
link/ether 00:25:90:5e:b7:d8 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:25:90:5e:b7:d9 brd ff:ff:ff:ff:ff:ff
4: enp216s0f4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:07:43:3d:de:80 brd ff:ff:ff:ff:ff:ff
5: enp216s0f4d1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 00:07:43:3d:de:88 brd ff:ff:ff:ff:ff:ff
6: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:25:90:5e:b7:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.199/24 brd 192.168.88.255 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::225:90ff:fe5e:b7d8/64 scope link
valid_lft forever preferred_lft forever
23: veth101i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i0 state UP group default qlen 1000
link/ether fe:76:0b:ef:92:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
24: fwbr101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 5e:aa:3b:04:54:77 brd ff:ff:ff:ff:ff:ff
25: fwpr101p0@fwln101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether 3e:e1:81:21:73:16 brd ff:ff:ff:ff:ff:ff
26: fwln101i0@fwpr101p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i0 state UP group default qlen 1000
link/ether 5e:aa:3b:04:54:77 brd ff:ff:ff:ff:ff:ff
87: veth102i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr102i0 state UP group default qlen 1000
link/ether fe:10:e6:31:46:78 brd ff:ff:ff:ff:ff:ff link-netnsid 1
88: fwbr102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9e:b1:6e:c1:4b:28 brd ff:ff:ff:ff:ff:ff
89: fwpr102p0@fwln102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether 4a:e0:24:4a:8f:c3 brd ff:ff:ff:ff:ff:ff
90: fwln102i0@fwpr102p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr102i0 state UP group default qlen 1000
link/ether 9e:b1:6e:c1:4b:28 brd ff:ff:ff:ff:ff:ff
 
Thanks for your response.

pveversion -v
proxmox-ve: 6.2-1 (running kernel: 5.4.55-1-pve)
pve-manager: 6.2-11 (running version: 6.2-11/22fb4983)
pve-kernel-5.4: 6.2-5
pve-kernel-helper: 6.2-5
pve-kernel-5.3: 6.1-6
pve-kernel-5.0: 6.0-11
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-5.4.44-2-pve: 5.4.44-2
pve-kernel-5.3.18-3-pve: 5.3.18-3
pve-kernel-5.3.18-2-pve: 5.3.18-2
pve-kernel-5.3.13-1-pve: 5.3.13-1
pve-kernel-5.0.21-5-pve: 5.0.21-10
pve-kernel-5.0.21-2-pve: 5.0.21-7
pve-kernel-5.0.15-1-pve: 5.0.15-1
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.4
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.1-5
libpve-guest-common-perl: 3.1-2
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.2-6
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-10
pve-cluster: 6.1-8
pve-container: 3.1-12
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-2
pve-ha-manager: 3.0-9
pve-i18n: 2.1-3
pve-qemu-kvm: 5.0.0-12
pve-xtermjs: 4.7.0-2
qemu-server: 6.2-11
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.4-pve
 
hi again,

Please start the container with the command lxc-start -n ID -F -l DEBUG -o /tmp/lxc-ID.log and share the container's log as an attachment.
 
Hi there,
here are some results:

From the screen log:
[FAILED] Failed to start Load AppArmor profiles.
See 'systemctl status apparmor.service' for details.

# systemctl status apparmor.service
* apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2020-09-08 22:01:21 CEST; 54s ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 79 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 79 (code=exited, status=1/FAILURE)

Sep 08 22:01:21 qbit apparmor.systemd[79]: /sbin/apparmor_parser: Unable to replace "nvidia_modprobe". Permission denied; attempted to load a profile while confined?
Sep 08 22:01:21 qbit apparmor.systemd[79]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Sep 08 22:01:21 qbit apparmor.systemd[79]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/ippusbxd". Permission denied; attempted to load a profile while confined?
Sep 08 22:01:21 qbit apparmor.systemd[79]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
Sep 08 22:01:21 qbit apparmor.systemd[79]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Sep 08 22:01:21 qbit apparmor.systemd[79]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Sep 08 22:01:21 qbit apparmor.systemd[79]: Error: At least one profile failed to load
Sep 08 22:01:21 qbit systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Sep 08 22:01:21 qbit systemd[1]: apparmor.service: Failed with result 'exit-code'.
Sep 08 22:01:21 qbit systemd[1]: Failed to start Load AppArmor profiles.
 
hi,

thanks for the information :)

Could you try reinstalling apparmor and then check systemctl status again?

Bash:
- apt --reinstall install apparmor
- systemctl status apparmor.service
 
Hi Moayad,

The reinstall should be done on the PVE host, not the problematic LXC, right?
 
# systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enab
Active: active (exited) since Mon 2020-10-12 20:49:15 CEST; 59min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Main PID: 8217 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CGroup: /system.slice/apparmor.service

Oct 12 20:49:15 host systemd[1]: Starting Load AppArmor profiles...
Oct 12 20:49:15 host apparmor.systemd[8217]: Restarting AppArmor
Oct 12 20:49:15 host apparmor.systemd[8217]: Reloading AppArmor profiles
Oct 12 20:49:15 host systemd[1]: Started Load AppArmor profiles.
 
It's a bit strange, but I still seem to be getting the issues:

[61428.467478] audit: type=1400 audit(1602596045.400:75): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21559 comm="apparmor_parser"
[61428.469188] audit: type=1400 audit(1602596045.400:76): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=21563 comm="(resolved)" srcname="/" flags="rw, rbind"
[61428.474426] audit: type=1400 audit(1602596045.404:77): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21556 comm="apparmor_parser"
[61428.476201] audit: type=1400 audit(1602596045.404:78): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21556 comm="apparmor_parser"
[61428.505973] audit: type=1400 audit(1602596045.436:79): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21554 comm="apparmor_parser"
[61428.548297] audit: type=1400 audit(1602596045.480:80): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21558 comm="apparmor_parser"
[61428.626351] audit: type=1400 audit(1602596045.556:81): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21557 comm="apparmor_parser"
[61428.689917] audit: type=1400 audit(1602596045.620:82): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21588 comm="apparmor_parser"
[61726.931678] kauditd_printk_skb: 6 callbacks suppressed
[61726.931679] audit: type=1400 audit(1602596343.848:89): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2435 comm="(ionclean)" srcname="/" flags="rw, rbind"
[63527.207289] audit: type=1400 audit(1602598144.047:90): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=14764 comm="(ionclean)" srcname="/" flags="rw, rbind"
[65327.468512] audit: type=1400 audit(1602599944.230:91): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=21101 comm="(ionclean)" srcname="/" flags="rw, rbind"
[67127.739199] audit: type=1400 audit(1602601744.429:92): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=29655 comm="(ionclean)" srcname="/" flags="rw, rbind"
[68923.563816] audit: type=1400 audit(1602603540.171:93): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=1949 comm="(ionclean)" srcname="/" flags="rw, rbind"
[70727.929313] audit: type=1400 audit(1602605344.458:94): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=14326 comm="(ionclean)" srcname="/" flags="rw, rbind"
[72528.545817] audit: type=1400 audit(1602607145.001:95): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=5812 comm="(ionclean)" srcname="/" flags="rw, rbind"
[73769.638496] perf: interrupt took too long (3142 > 3141), lowering kernel.perf_event_max_sample_rate to 63500
[74328.816551] audit: type=1400 audit(1602608945.191:96): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=17533 comm="(ionclean)" srcname="/" flags="rw, rbind"
[75694.901600] perf: interrupt took too long (3928 > 3927), lowering kernel.perf_event_max_sample_rate to 50750
[76129.088563] audit: type=1400 audit(1602610745.386:97): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=10380 comm="(ionclean)" srcname="/" flags="rw, rbind"
[77927.974458] audit: type=1400 audit(1602612544.205:98): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=27253 comm="(ionclean)" srcname="/" flags="rw, rbind"
 
@Moyanof you can close this ticket.

The problem was never apparmor. It was simply a container that misbehaved due to ionice. (PHP cleanup session) Once I disabled that service, the problem vanished and there have not been any further apparmor issues.
 
Hi,

I just stumbled upon this thread, as I'm facing the same issue with two of my containers. Could you elaborate on what service exactly you disabled? On the host or in the guest system?

Thanks
 
@mfreudenberg The error still persists on our system but it has become better. The advice was to do a complete reinstall, which we didn't want to do. We can live with the error as it doesn't seem to harm anything.
We are not sure it's related, but we have seen a process called ionclean misbehave in a container. We altered the ionclean process like this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869182
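
On the original question of how to find the service behind the denials, the following is an added example, not code from any participant in this thread. It parses AppArmor audit lines, groups the DENIED events by container ID, comm, operation and target, and reports how regularly each group repeats. The function names are hypothetical. A comm in parentheses is how systemd names a child it has forked but not yet exec'd, using the tail of the executable's name, so the text inside the parentheses is a suffix to search for in the container's unit and timer files.

```python
import re
from collections import defaultdict
from statistics import median

# Sample lines copied from the dmesg output posted earlier in this thread.
SAMPLE = r'''
[61428.467478] audit: type=1400 audit(1602596045.400:75): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-102_</var/lib/lxc>//&:lxc-102_<-var-lib-lxc>:unconfined" pid=21559 comm="apparmor_parser"
[61428.469188] audit: type=1400 audit(1602596045.400:76): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=21563 comm="(resolved)" srcname="/" flags="rw, rbind"
[61726.931678] kauditd_printk_skb: 6 callbacks suppressed
[61726.931679] audit: type=1400 audit(1602596343.848:89): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2435 comm="(ionclean)" srcname="/" flags="rw, rbind"
[63527.207289] audit: type=1400 audit(1602598144.047:90): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=14764 comm="(ionclean)" srcname="/" flags="rw, rbind"
[65327.468512] audit: type=1400 audit(1602599944.230:91): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=21101 comm="(ionclean)" srcname="/" flags="rw, rbind"
[67127.739199] audit: type=1400 audit(1602601744.429:92): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=29655 comm="(ionclean)" srcname="/" flags="rw, rbind"
'''

AUDIT_RE = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\):')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
CT_RE = re.compile(r'lxc-(\d+)_')                   # container ID inside the profile name


def parse_audit(line):
    """Return the AppArmor audit fields of one dmesg line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: (q or bare) for k, q, bare in KV_RE.findall(line[m.end():])}
    if "apparmor" not in fields:
        return None
    fields["epoch"] = float(m.group(1))
    # DENIED events carry profile=, STATUS events carry label=.
    ct = CT_RE.search(fields.get("profile") or fields.get("label") or "")
    fields["ctid"] = ct.group(1) if ct else None
    return fields


def summarize_denials(lines):
    """Group DENIED events and report count plus median seconds between repeats."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_audit(line)
        if ev and ev["apparmor"] == "DENIED":
            key = (ev["ctid"], ev.get("comm"), ev.get("operation"), ev.get("name"))
            groups[key].append(ev["epoch"])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps),
                       "median_gap_s": round(median(gaps)) if gaps else None}
    return report


def exe_suffix(comm):
    """Strip the parentheses systemd puts around a pre-exec child's name."""
    return comm[1:-1] if comm.startswith("(") and comm.endswith(")") else None


if __name__ == "__main__":
    for (ctid, comm, op, name), stats in summarize_denials(SAMPLE.splitlines()).items():
        print(f"CT {ctid}: {comm} {op} on {name}: {stats['count']} denials, "
              f"median gap {stats['median_gap_s']} s, executable ends in "
              f"{exe_suffix(comm)!r}")
```

A steady gap such as the 1800 seconds seen for container 100 points at a timer-driven unit inside that container rather than at the host's AppArmor setup.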
 