Failed to initialize container

winbackgo

Hello. Please help, containers won't start. The error is related to AppArmor.

Code:
:~# pct start 103 --debug   
run_apparmor_parser: 915 Failed to run apparmor_parser on "/var/lib/lxc/103/apparmor/lxc-103_<-var-lib-lxc>": Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
remove_apparmor_namespace: 883 No such file or directory - Error removing AppArmor namespace
apparmor_prepare: 1085 Failed to load generated AppArmor profile
lxc_init: 879 Failed to initialize LSM
__lxc_start: 2008 Failed to initialize container "103"
BUG    seccomp - ../src/lxc/seccomp.c:parse_config_v2:656 - Host native arch is [3221225534]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "[all]"
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "ioctl errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[16:ioctl] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "keyctl errno 38"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[250:keyctl] action[327718:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[250:keyctl] action[327718:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[250:keyctl] action[327718:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
ERROR    apparmor - ../src/lxc/lsm/apparmor.c:run_apparmor_parser:915 - Failed to run apparmor_parser on "/var/lib/lxc/103/apparmor/lxc-103_<-var-lib-lxc>": Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
ERROR    apparmor - ../src/lxc/lsm/apparmor.c:remove_apparmor_namespace:883 - No such file or directory - Error removing AppArmor namespace
ERROR    apparmor - ../src/lxc/lsm/apparmor.c:apparmor_prepare:1085 - Failed to load generated AppArmor profile
ERROR    start - ../src/lxc/start.c:lxc_init:879 - Failed to initialize LSM
ERROR    start - ../src/lxc/start.c:__lxc_start:2008 - Failed to initialize container "103"
WARN     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_destroy:548 - Uninitialized limit cgroup
WARN     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_destroy:869 - Uninitialized monitor cgroup
INFO     conf - ../src/lxc/conf.c:run_script_argv:337 - Executing script "/usr/share/lxc/hooks/lxc-pve-poststop-hook" for container "103", config section "lxc"
startup for container '103' failed
Code:
:~# apparmor_parser --version
AppArmor parser version 2.13.6
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.
Code:
:~# pct config 103
arch: amd64
cores: 4
features: nesting=1
hostname: storage
memory: 16384
net0: name=eth0,bridge=vmbr1,firewall=1,gw=192.168.0.1,hwaddr=2E:E8:40:F2:C5:01,ip=192.168.0.3/24,type=veth
ostype: centos
rootfs: local-zfs:subvol-103-disk-0,size=72G
swap: 512
unprivileged: 1
Code:
# pveversion -v       
proxmox-ve: 7.2-1 (running kernel: 5.15.39-1-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-6
pve-kernel-helper: 7.2-6
pve-kernel-5.15.39-1-pve: 5.15.39-1
pve-kernel-5.15.30-2-pve: 5.15.30-3
ceph-fuse: 15.2.16-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-3
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-5
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.3-1
proxmox-backup-file-restore: 2.2.3-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-11
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
 
what does aa-status say?
 
and systemctl status apparmor as well as journalctl -b | grep -i -e apparmor -e aa_ | head -n 15?
 
Code:
:~# systemctl reload apparmor
:~# aa-status                 
apparmor module is loaded.
16 profiles are loaded.
16 profiles are in enforce mode.
   /usr/bin/lxc-start
   /usr/bin/man
   /usr/sbin/chronyd
   lsb_release
   lxc-100_</var/lib/lxc>
   lxc-101_</var/lib/lxc>
   lxc-102_</var/lib/lxc>
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
40 processes have profiles defined.
40 processes are in enforce mode.
   /usr/bin/lxc-start (2793)
   /usr/bin/lxc-start (67003)
   /usr/sbin/chronyd (2331)
   /usr/sbin/chronyd (2333)
   /usr/lib/systemd/systemd (2873) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd-journald (3007) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd-logind (3015) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/bin/dbus-daemon (3016) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/NetworkManager (3019) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/sshd (3033) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/crond (3036) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/agetty (3037) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/agetty (3038) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/agetty (3044) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/rsyslogd (3128) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/mysqld (2046041) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/sshd (3404300) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd (3404310) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd (3404311) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/sbin/sshd (3404318) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/bin/bash (3404320) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/bin/top (3404569) lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd (67014) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd-journald (deleted) (67730) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/lib/systemd/systemd-logind (deleted) (67766) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/bin/dbus-daemon (deleted) (67767) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/agetty (68244) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/bin/login (68245) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/agetty (68249) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/bin/bash (deleted) (68431) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/rsyslogd (74019) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/crond (74070) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/sshd (78160) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/nginx (174482) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/nginx (1511973) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/nginx (1511974) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/nginx (1511975) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/nginx (1511976) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/nginx (1511977) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
   /usr/sbin/sshd (1807708) lxc-101_</var/lib/lxc>//&:lxc-101_<-var-lib-lxc>:unconfined
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
:~# pct start 103 --debug
run_buffer: 321 Script exited with status 1
lxc_setup: 4400 Failed to run mount hooks
do_start: 1275 Failed to setup container "103"
sync_wait: 34 An error occurred in another process (expected sequence number 4)
__lxc_start: 2074 Failed to spawn container "103"
tart 103 20220718094948.889 INFO     conf - ../src/lxc/conf.c:run_script_argv:337 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "103", config section "lxc"
DEBUG    seccomp - ../src/lxc/seccomp.c:parse_config_v2:656 - Host native arch is [3221225534]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "[all]"
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "ioctl errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[16:ioctl] action[327681:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:807 - Processing "keyctl errno 38"
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[250:keyctl] action[327718:errno] arch[0]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[250:keyctl] action[327718:errno] arch[1073741827]
INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[250:keyctl] action[327718:errno] arch[1073741886]
INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
INFO     start - ../src/lxc/start.c:lxc_init:884 - Container "103" is initialized
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1029 - The monitor process uses "lxc.monitor/103" as cgroup
DEBUG    storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
DEBUG    storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1137 - The container process uses "lxc/103/ns" as inner and "lxc/103" as limit cgroup
INFO     start - ../src/lxc/start.c:lxc_spawn:1765 - Cloned CLONE_NEWUSER
INFO     start - ../src/lxc/start.c:lxc_spawn:1765 - Cloned CLONE_NEWNS
INFO     start - ../src/lxc/start.c:lxc_spawn:1765 - Cloned CLONE_NEWPID
INFO     start - ../src/lxc/start.c:lxc_spawn:1765 - Cloned CLONE_NEWUTS
INFO     start - ../src/lxc/start.c:lxc_spawn:1765 - Cloned CLONE_NEWIPC
INFO     start - ../src/lxc/start.c:lxc_spawn:1765 - Cloned CLONE_NEWCGROUP
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved user namespace via fd 17 and stashed path as user:/proc/1810321/fd/17
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved mnt namespace via fd 18 and stashed path as mnt:/proc/1810321/fd/18
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved pid namespace via fd 19 and stashed path as pid:/proc/1810321/fd/19
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved uts namespace via fd 20 and stashed path as uts:/proc/1810321/fd/20
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved ipc namespace via fd 21 and stashed path as ipc:/proc/1810321/fd/21
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved cgroup namespace via fd 22 and stashed path as cgroup:/proc/1810321/fd/22
DEBUG    conf - ../src/lxc/conf.c:idmaptool_on_path_and_privileged:3520 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - ../src/lxc/conf.c:idmaptool_on_path_and_privileged:3520 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG    conf - ../src/lxc/conf.c:lxc_map_ids:3605 - Functional newuidmap and newgidmap binary found
INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_setup_limits:2863 - Limits for the unified cgroup hierarchy have been setup
DEBUG    conf - ../src/lxc/conf.c:idmaptool_on_path_and_privileged:3520 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG    conf - ../src/lxc/conf.c:idmaptool_on_path_and_privileged:3520 - The binary "/usr/bin/newgidmap" does have the setuid bit set
INFO     conf - ../src/lxc/conf.c:lxc_map_ids:3603 - Caller maps host root. Writing mapping directly
NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1368 - Dropped supplimentary groups
INFO     start - ../src/lxc/start.c:do_start:1107 - Unshared CLONE_NEWNET
NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1368 - Dropped supplimentary groups
NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1344 - Switched to gid 0
NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1353 - Switched to uid 0
DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:139 - Preserved net namespace via fd 5 and stashed path as net:/proc/1810321/fd/5
INFO     conf - ../src/lxc/conf.c:run_script_argv:337 - Executing script "/usr/share/lxc/lxcnetaddbr" for container "103", config section "net"
DEBUG    network - ../src/lxc/network.c:netdev_configure_server_veth:852 - Instantiated veth tunnel "veth103i0 <--> veth5eGAcv"
DEBUG    conf - ../src/lxc/conf.c:lxc_mount_rootfs:1436 - Mounted rootfs "/var/lib/lxc/103/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "(null)"
INFO     conf - ../src/lxc/conf.c:setup_utsname:875 - Set hostname to "storage"
DEBUG    network - ../src/lxc/network.c:setup_hw_addr:3821 - Mac address "2E:E8:40:F2:C5:01" on "eth0" has been setup
DEBUG    network - ../src/lxc/network.c:lxc_network_setup_in_child_namespaces_common:3962 - Network device "eth0" has been setup
INFO     network - ../src/lxc/network.c:lxc_setup_network_in_child_namespaces:4019 - Finished setting up network devices with caller assigned names
INFO     conf - ../src/lxc/conf.c:mount_autodev:1219 - Preparing "/dev"
INFO     conf - ../src/lxc/conf.c:mount_autodev:1280 - Prepared "/dev"
DEBUG    conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:735 - Invalid argument - Tried to ensure procfs is unmounted
DEBUG    conf - ../src/lxc/conf.c:lxc_mount_auto_mounts:758 - Invalid argument - Tried to ensure sysfs is unmounted
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2416 - Remounting "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" to respect bind or remount options
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2435 - Flags for "/sys/fs/fuse/connections" were 4110, required extra flags are 14
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2479 - Mounted "/sys/fs/fuse/connections" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/fs/fuse/connections" with filesystem type "none"
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2479 - Mounted "proc" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/.lxc/proc" with filesystem type "proc"
DEBUG    conf - ../src/lxc/conf.c:mount_entry:2479 - Mounted "sys" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/dev/.lxc/sys" with filesystem type "sysfs"
DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroupfs_mount:1542 - Mounted cgroup filesystem cgroup2 onto 19((null))
INFO     conf - ../src/lxc/conf.c:run_script_argv:337 - Executing script "/usr/share/lxcfs/lxc.mount.hook" for container "103", config section "lxc"
DEBUG    conf - ../src/lxc/conf.c:run_buffer:310 - Script exec /usr/share/lxcfs/lxc.mount.hook 103 lxc mount produced output: missing /var/lib/lxcfs/proc/ - lxcfs not running?

ERROR    conf - ../src/lxc/conf.c:run_buffer:321 - Script exited with status 1
ERROR    conf - ../src/lxc/conf.c:lxc_setup:4400 - Failed to run mount hooks
ERROR    start - ../src/lxc/start.c:do_start:1275 - Failed to setup container "103"
ERROR    sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
DEBUG    network - ../src/lxc/network.c:lxc_delete_network:4173 - Deleted network devices
ERROR    start - ../src/lxc/start.c:__lxc_start:2074 - Failed to spawn container "103"
WARN     start - ../src/lxc/start.c:lxc_abort:1039 - No such process - Failed to send SIGKILL via pidfd 16 for process 1810332
startup for container '103' failed
 
and systemctl status apparmor as well as journalctl -b | grep -i -e apparmor -e aa_ | head -n 15?
Code:
:~# systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2022-07-16 17:05:13 MSK; 1 day 19h ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 1809813 ExecReload=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 1955 (code=exited, status=0/SUCCESS)
        CPU: 41ms

Jul 16 17:05:13 server10 systemd[1]: Starting Load AppArmor profiles...
Jul 16 17:05:13 server10 apparmor.systemd[1955]: Restarting AppArmor
Jul 16 17:05:13 server10 apparmor.systemd[1955]: Reloading AppArmor profiles
Jul 16 17:05:13 server10 systemd[1]: Finished Load AppArmor profiles.
Jul 18 12:49:33 server10 systemd[1]: Reloading Load AppArmor profiles.
Jul 18 12:49:33 server10 apparmor.systemd[1809813]: Mounting securityfs on /sys/kernel/security
Jul 18 12:49:33 server10 apparmor.systemd[1809813]: Restarting AppArmor
Jul 18 12:49:33 server10 apparmor.systemd[1809813]: Reloading AppArmor profiles
Jul 18 12:49:33 server10 systemd[1]: Reloaded Load AppArmor profiles.

:~# journalctl -b | grep -i -e apparmor -e aa_ | head -n 15
Jul 16 17:05:11 server10 kernel: AppArmor: AppArmor initialized
Jul 16 17:05:11 server10 kernel: AppArmor: AppArmor Filesystem Enabled
Jul 16 17:05:11 server10 kernel: AppArmor: AppArmor sha1 policy hashing enabled
Jul 16 17:05:11 server10 kernel: evm: security.apparmor
Jul 16 17:05:11 server10 systemd[1]: systemd 247.3-7 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified)
Jul 16 17:05:13 server10 systemd[1]: Starting Load AppArmor profiles...
Jul 16 17:05:13 server10 apparmor.systemd[1955]: Restarting AppArmor
Jul 16 17:05:13 server10 apparmor.systemd[1955]: Reloading AppArmor profiles
Jul 16 17:05:13 server10 audit[1996]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=1996 comm="apparmor_parser"
Jul 16 17:05:13 server10 audit[1992]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=1992 comm="apparmor_parser"
Jul 16 17:05:13 server10 kernel: audit: type=1400 audit(1657980313.433:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=1996 comm="apparmor_parser"
Jul 16 17:05:13 server10 kernel: audit: type=1400 audit(1657980313.433:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=1992 comm="apparmor_parser"
Jul 16 17:05:13 server10 audit[1990]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=1990 comm="apparmor_parser"
Jul 16 17:05:13 server10 audit[1990]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=1990 comm="apparmor_parser"
Jul 16 17:05:13 server10 audit[1994]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1994 comm="apparmor_parser"
 
journalctl -b -u lxcfs; systemctl status lxcfs?

although at this point, I'd rather reboot the whole node and check the status then - there seems to be quite a lot of stuff going wrong..
 
journalctl -b -u lxcfs; systemctl status lxcfs?

although at this point, I'd rather reboot the whole node and check the status then - there seems to be quite a lot of stuff going wrong..
Thanks, everything worked after a reboot.
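
A host-side preflight for the two failures seen in this thread (apparmor_parser reporting "interface file missing", then the lxcfs mount hook reporting "lxcfs not running?"), as an added example that is not part of the original posts. The function names, the optional ROOT prefix argument and the `--check` switch are assumptions made for illustration; the paths are the securityfs AppArmor directory and the lxcfs path named in the hook output above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox/LXC.
# Function names, the ROOT prefix and the --check switch are hypothetical.

# triage_pct_log FILE
# Print one keyword per failure signature found in saved `pct start --debug`
# output. The two signatures are the error strings quoted in this thread.
triage_pct_log() {
    log="$1"
    if grep -q 'Failed to run apparmor_parser' "$log" &&
       grep -q 'interface file missing' "$log"; then
        echo apparmor-interface
    fi
    if grep -q 'lxcfs not running?' "$log"; then
        echo lxcfs
    fi
}

# check_apparmor_interface [ROOT]
# apparmor_parser talks to the kernel through securityfs; without the
# apparmor directory there it cannot load the generated container profile.
check_apparmor_interface() {
    aa_dir="${1:-}/sys/kernel/security/apparmor"
    [ -d "$aa_dir/features" ] && [ -e "$aa_dir/profiles" ]
}

# check_lxcfs [ROOT]
# The lxcfs mount hook aborts container setup when this directory is absent.
check_lxcfs() {
    [ -d "${1:-}/var/lib/lxcfs/proc" ]
}

# preflight [ROOT]
# Run both checks, report each result, return the number of failed checks.
# ROOT is empty on a real host; a prefix lets the checks run on a test tree.
preflight() {
    root="${1:-}"
    failures=0
    if check_apparmor_interface "$root"; then
        echo "ok   AppArmor kernel interface present"
    else
        echo "FAIL $root/sys/kernel/security/apparmor incomplete: is securityfs mounted?"
        failures=$((failures + 1))
    fi
    if check_lxcfs "$root"; then
        echo "ok   lxcfs proc tree present"
    else
        echo "FAIL $root/var/lib/lxcfs/proc missing: is lxcfs running?"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Only act when asked to, so the file can be sourced without side effects.
# Usage: sh preflight.sh --check [saved-debug-log]
if [ "${1:-}" = "--check" ]; then
    if [ -n "${2:-}" ]; then
        triage_pct_log "$2"
    fi
    preflight
fi
```

A non-zero exit status from `preflight` is the count of failed checks, so it can gate a container start in a wrapper script.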
 
