Failed to load AppArmor profile + initialise LSM error when starting containers

flaneur · Feb 15, 2023

I run Proxmox on an ASUS mini PC. I upgraded the RAM and booted the device.
I get the following error message when booting 3 of my LXC containers (running NextCloudPi, Ubuntu running Docker). The rest of my LXC containers are functioning just fine.

load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/104/apparmor/lxc-104_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "104"
TASK ERROR: startup for container '104' failed

Could someone help me troubleshoot this issue?
Thank you

Moayad · Feb 15, 2023

Hi,

Please provide us with the output of the log of the container debug for the 104 CT as attach, by issuing the lxc-start -n 104 -lDEBUG --logfile /tmp/lxc-104.log command. And the output of pveversion -v and the container config as well pct config 104

flaneur · Feb 15, 2023

root@pve:~# lxc-start -n 104 -lDEBUG --logfile /tmp/lxc-104.log

lxc-start: 104: ../src/lxc/lxccontainer.c: wait_on_daemonized_start: 870 No such file or directory - Failed to receive the container state
lxc-start: 104: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: 104: ../src/lxc/tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
lxc-start: 104: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

root@pve:~# pveversion -v

proxmox-ve: 7.3-1 (running kernel: 5.15.85-1-pve)
pve-manager: 7.3-6 (running version: 7.3-6/723bb6ec)
pve-kernel-helper: 7.3-3
pve-kernel-5.15: 7.3-2
pve-kernel-5.15.85-1-pve: 5.15.85-1
pve-kernel-5.15.83-1-pve: 5.15.83-1
pve-kernel-5.15.74-1-pve: 5.15.74-1
ceph-fuse: 15.2.17-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.3
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.3-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-2
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.3-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-1
lxcfs: 5.0.3-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.3.2-1
proxmox-backup-file-restore: 2.3.2-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.5
pve-cluster: 7.3-2
pve-container: 4.4-2
pve-docs: 7.3-1
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.6-3
pve-ha-manager: 3.5.1
pve-i18n: 2.8-2
pve-qemu-kvm: 7.1.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.3-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.9-pve1

root@pve:~# pct config 104

arch: amd64
cores: 3
description:
features: keyctl=1,nesting=1
hostname: docker
memory: 4096
net0: name=eth0,bridge=vmbr0,gw=172.27.72.1,hwaddr=66:00:77:73:**:**,ip=172.27.72.1**/24,ip6=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-104-disk-0,size=50G
swap: 4096
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

Moayad · Feb 16, 2023

Thank you for the output!

Can you attach the /tmp/lxc-104.log file as well?

gulbalee · Feb 22, 2023

I'm getting the same issue. log file is provided below;

lxc-start 100 20230222091015.809 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 100 20230222091015.809 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 100 20230222091015.810 INFO lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:998 - Set process title to [lxc monitor] /var/lib/lxc 100
lxc-start 100 20230222091015.810 DEBUG lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:859 - First child 56830 exited
lxc-start 100 20230222091015.810 INFO lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start 100 20230222091015.810 INFO conf - ../src/lxc/conf.c:run_script_argv:338 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "100", config section "lxc"
lxc-start 100 20230222091016.609 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1227 - Running privileged, not using a systemd unit
lxc-start 100 20230222091016.610 DEBUG seccomp - ../src/lxc/seccomp.carse_config_v2:656 - Host native arch is [3221225534]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "[all]"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "kexec_load errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "open_by_handle_at errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304pen_by_handle_at] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304pen_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304pen_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "init_module errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "finit_module errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "delete_module errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "ioctl errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[16:ioctl] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:1017 - Merging compat seccomp contexts into main context
lxc-start 100 20230222091016.613 ERROR apparmor - ../src/lxc/lsm/apparmor.c:load_apparmor_profile:979 - Invalid argument - Failed to mmap old profile from /var/lib/lxc/100/apparmor/lxc-100_<-var-lib-lxc>
lxc-start 100 20230222091016.613 ERROR apparmor - ../src/lxc/lsm/apparmor.c:apparmor_prepare:1086 - Failed to load generated AppArmor profile
lxc-start 100 20230222091016.613 ERROR start - ../src/lxc/start.c:lxc_init:876 - Failed to initialize LSM
lxc-start 100 20230222091016.613 ERROR start - ../src/lxc/start.c:__lxc_start:2027 - Failed to initialize container "100"
lxc-start 100 20230222091016.613 WARN cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_destroy:555 - Uninitialized limit cgroup
lxc-start 100 20230222091016.613 WARN cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_destroy:881 - Uninitialized monitor cgroup
lxc-start 100 20230222091016.613 INFO conf - ../src/lxc/conf.c:run_script_argv:338 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "100", config section "lxc"
lxc-start 100 20230222091017.116 INFO conf - ../src/lxc/conf.c:run_script_argv:338 - Executing script "/usr/share/lxc/hooks/lxc-pve-poststop-hook" for container "100", config section "lxc"
lxc-start 100 20230222091017.835 DEBUG conf - ../src/lxc/conf.c:run_buffer:311 - Script exec /usr/share/lxc/hooks/lxc-pve-poststop-hook 100 lxc post-stop produced output: umount: /var/lib/lxc/.pve-staged-mounts/mp0: not mounted.

lxc-start 100 20230222091017.835 DEBUG conf - ../src/lxc/conf.c:run_buffer:311 - Script exec /usr/share/lxc/hooks/lxc-pve-poststop-hook 100 lxc post-stop produced output: command 'umount -- /var/lib/lxc/.pve-staged-mounts/mp0' failed: exit code 32

lxc-start 100 20230222091017.866 ERROR lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:870 - No such file or directory - Failed to receive the container state
lxc-start 100 20230222091017.866 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:main:306 - The container failed to start
lxc-start 100 20230222091017.866 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:main:309 - To get more details, run the container in foreground mode
lxc-start 100 20230222091017.866 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:main:311 - Additional information can be obtained by setting the --logfile and --logpriority options

prox-tba · Feb 25, 2023

I'm having the same issue. Getting this error starting my lxc container:

load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/120/apparmor/lxc-120_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "120"
TASK ERROR: startup for container '120' failed

Does anyone have allready a solution? Thanks for any help.

Zecke007 · Feb 27, 2023

I'm having the same issue.


load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/206/apparmor/lxc-206_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "206"
TASK ERROR: startup for container '206' failed

prox-tba · Feb 27, 2023

I did a clone of the LXC-Container and now the container working again. But it's realy strange, hope that this is happen not to often...

wbumiller · Feb 27, 2023

Do you still have the broken container? Can you check the file it mentions? (/var/lib/lxc/206/apparmor/lxc-206_<-var-lib-lxc>).
I suspect that it might be empty, if that's the you can remove it and see if it starts then. Also, if that's the case, I wonder how it happened and we probably need to handle this in lxc.

Zecke007 · Feb 27, 2023

prox-tba said:
I did a clone of the LXC-Container and now the container working again. But it's realy strange, hope that this is happen not to often...

It works, thx

olepinguin · Apr 5, 2023

Hi,

I did a clone and it worked for a while - after 2 days the error came back, on the cloned LXC.
Is there a stable solution - workaround is only short term solution.


load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/100/apparmor/lxc-100_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "100"
TASK ERROR: startup for container '100' failed

olepinguin · Apr 8, 2023

olepinguin said:
Hi,

I did a clone and it worked for a while - after 2 days the error came back, on the cloned LXC.
Is there a stable solution - workaround is only short term solution.

load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/100/apparmor/lxc-100_<-var-lib-lxc> apparmor_prepare: 1086 Failed to load generated AppArmor profile lxc_init: 876 Failed to initialize LSM __lxc_start: 2027 Failed to initialize container "100" TASK ERROR: startup for container '100' failed

what also seem to work is to delete the old file in

/var/lib/lxc/100/apparmor/

olepinguin · Apr 14, 2023

prox-tba said:
I did a clone of the LXC-Container and now the container working again. But it's realy strange, hope that this is happen not to often...

Hey,
does it still work for you - here the problem comes back again after rebooting the host.
I need to delete the folder again day by day...

Any ideas how to fix it sustainably ?

fiona · Apr 14, 2023

Hi,
@olepinguin can you share the output of pveversion -v? AFAIU, the issue should be fixed in pve-lxc >= 5.0.2-2 with this commit.

olepinguin · Apr 17, 2023

fiona said:
Hi,
@olepinguin can you share the output of pveversion -v? AFAIU, the issue should be fixed in pve-lxc >= 5.0.2-2 with this commit.

proxmox-ve: 7.3-1 (running kernel: 5.15.85-1-pve)
pve-manager: 7.3-6 (running version: 7.3-6/723bb6ec)
pve-kernel-helper: 7.3-4
pve-kernel-5.15: 7.3-2
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.85-1-pve: 5.15.85-1
pve-kernel-5.15.83-1-pve: 5.15.83-1
pve-kernel-5.15.64-1-pve: 5.15.64-1
pve-kernel-5.15.53-1-pve: 5.15.53-1
pve-kernel-5.15.39-2-pve: 5.15.39-2
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.3
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.3-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-2
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.3-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-1
lxcfs: 5.0.3-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.3.3-1
proxmox-backup-file-restore: 2.3.3-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.1-1
proxmox-widget-toolkit: 3.5.5
pve-cluster: 7.3-2
pve-container: 4.4-2
pve-docs: 7.3-1
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.6-3
pve-ha-manager: 3.5.1
pve-i18n: 2.8-2
pve-qemu-kvm: 7.1.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.3-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.9-pve1

fiona · Apr 17, 2023

olepinguin said:
lxc-pve: 5.0.2-1

fiona said:
Hi,
@olepinguin can you share the output of pveversion -v? AFAIU, the issue should be fixed in pve-lxc >= 5.0.2-2 with this commit.

Your version does not include the fix yet.

olepinguin · Apr 17, 2023

fiona said:
Your version does not include the fix yet.

Thanks,
we will see if lxc-pve: 5.0.2-2 does the job ;-)

olepinguin · Apr 18, 2023

olepinguin said:
Thanks,
we will see if lxc-pve: 5.0.2-2 does the job ;-)

it does !

Search

Search

Failed to load AppArmor profile + initialise LSM error when starting containers

flaneur

New Member

Moayad

Proxmox Staff Member

flaneur

New Member

Moayad

Proxmox Staff Member

gulbalee

New Member

prox-tba

New Member

Zecke007

Member

prox-tba

New Member

wbumiller

Proxmox Staff Member

Zecke007

Member

olepinguin

Member

olepinguin

Member

olepinguin

Member

fiona

Proxmox Staff Member

olepinguin

Member

fiona

Proxmox Staff Member

olepinguin

Member

olepinguin

Member