Failed to load AppArmor profile + initialise LSM error when starting containers

flaneur · Feb 15, 2023

I run Proxmox on an ASUS mini PC. I upgraded the RAM and booted the device.
I get the following error message when booting 3 of my LXC containers (running NextCloudPi, Ubuntu running Docker). The rest of my LXC containers are functioning just fine.

load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/104/apparmor/lxc-104_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "104"
TASK ERROR: startup for container '104' failed

Could someone help me troubleshoot this issue?
Thank you

Moayad · Feb 15, 2023

Hi,

Please provide us with the output of the log of the container debug for the 104 CT as attach, by issuing the lxc-start -n 104 -lDEBUG --logfile /tmp/lxc-104.log command. And the output of pveversion -v and the container config as well pct config 104

flaneur · Feb 15, 2023

root@pve:~# lxc-start -n 104 -lDEBUG --logfile /tmp/lxc-104.log

lxc-start: 104: ../src/lxc/lxccontainer.c: wait_on_daemonized_start: 870 No such file or directory - Failed to receive the container state
lxc-start: 104: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: 104: ../src/lxc/tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
lxc-start: 104: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

root@pve:~# pveversion -v

proxmox-ve: 7.3-1 (running kernel: 5.15.85-1-pve)
pve-manager: 7.3-6 (running version: 7.3-6/723bb6ec)
pve-kernel-helper: 7.3-3
pve-kernel-5.15: 7.3-2
pve-kernel-5.15.85-1-pve: 5.15.85-1
pve-kernel-5.15.83-1-pve: 5.15.83-1
pve-kernel-5.15.74-1-pve: 5.15.74-1
ceph-fuse: 15.2.17-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.3
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.3-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-2
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.3-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-1
lxcfs: 5.0.3-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.3.2-1
proxmox-backup-file-restore: 2.3.2-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.5
pve-cluster: 7.3-2
pve-container: 4.4-2
pve-docs: 7.3-1
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.6-3
pve-ha-manager: 3.5.1
pve-i18n: 2.8-2
pve-qemu-kvm: 7.1.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.3-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.9-pve1

root@pve:~# pct config 104

arch: amd64
cores: 3
description:
features: keyctl=1,nesting=1
hostname: docker
memory: 4096
net0: name=eth0,bridge=vmbr0,gw=172.27.72.1,hwaddr=66:00:77:73:**:**,ip=172.27.72.1**/24,ip6=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-104-disk-0,size=50G
swap: 4096
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

Moayad · Feb 16, 2023

Thank you for the output!

Can you attach the /tmp/lxc-104.log file as well?

gulbalee · Feb 22, 2023

I'm getting the same issue. log file is provided below;

lxc-start 100 20230222091015.809 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start 100 20230222091015.809 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start 100 20230222091015.810 INFO lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:998 - Set process title to [lxc monitor] /var/lib/lxc 100
lxc-start 100 20230222091015.810 DEBUG lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:859 - First child 56830 exited
lxc-start 100 20230222091015.810 INFO lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start 100 20230222091015.810 INFO conf - ../src/lxc/conf.c:run_script_argv:338 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "100", config section "lxc"
lxc-start 100 20230222091016.609 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1227 - Running privileged, not using a systemd unit
lxc-start 100 20230222091016.610 DEBUG seccomp - ../src/lxc/seccomp.carse_config_v2:656 - Host native arch is [3221225534]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "[all]"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "kexec_load errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "open_by_handle_at errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304pen_by_handle_at] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304pen_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304pen_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "init_module errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "finit_module errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "delete_module errno 1"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:807 - Processing "ioctl errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]"
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[16:ioctl] action[327681:errno] arch[0]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741827]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:547 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741886]
lxc-start 100 20230222091016.610 INFO seccomp - ../src/lxc/seccomp.carse_config_v2:1017 - Merging compat seccomp contexts into main context
lxc-start 100 20230222091016.613 ERROR apparmor - ../src/lxc/lsm/apparmor.c:load_apparmor_profile:979 - Invalid argument - Failed to mmap old profile from /var/lib/lxc/100/apparmor/lxc-100_<-var-lib-lxc>
lxc-start 100 20230222091016.613 ERROR apparmor - ../src/lxc/lsm/apparmor.c:apparmor_prepare:1086 - Failed to load generated AppArmor profile
lxc-start 100 20230222091016.613 ERROR start - ../src/lxc/start.c:lxc_init:876 - Failed to initialize LSM
lxc-start 100 20230222091016.613 ERROR start - ../src/lxc/start.c:__lxc_start:2027 - Failed to initialize container "100"
lxc-start 100 20230222091016.613 WARN cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_destroy:555 - Uninitialized limit cgroup
lxc-start 100 20230222091016.613 WARN cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_destroy:881 - Uninitialized monitor cgroup
lxc-start 100 20230222091016.613 INFO conf - ../src/lxc/conf.c:run_script_argv:338 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "100", config section "lxc"
lxc-start 100 20230222091017.116 INFO conf - ../src/lxc/conf.c:run_script_argv:338 - Executing script "/usr/share/lxc/hooks/lxc-pve-poststop-hook" for container "100", config section "lxc"
lxc-start 100 20230222091017.835 DEBUG conf - ../src/lxc/conf.c:run_buffer:311 - Script exec /usr/share/lxc/hooks/lxc-pve-poststop-hook 100 lxc post-stop produced output: umount: /var/lib/lxc/.pve-staged-mounts/mp0: not mounted.

lxc-start 100 20230222091017.835 DEBUG conf - ../src/lxc/conf.c:run_buffer:311 - Script exec /usr/share/lxc/hooks/lxc-pve-poststop-hook 100 lxc post-stop produced output: command 'umount -- /var/lib/lxc/.pve-staged-mounts/mp0' failed: exit code 32

lxc-start 100 20230222091017.866 ERROR lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:870 - No such file or directory - Failed to receive the container state
lxc-start 100 20230222091017.866 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:main:306 - The container failed to start
lxc-start 100 20230222091017.866 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:main:309 - To get more details, run the container in foreground mode
lxc-start 100 20230222091017.866 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:main:311 - Additional information can be obtained by setting the --logfile and --logpriority options

prox-tba · Feb 25, 2023

I'm having the same issue. Getting this error starting my lxc container:

load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/120/apparmor/lxc-120_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "120"
TASK ERROR: startup for container '120' failed

Does anyone have allready a solution? Thanks for any help.

Zecke007 · Feb 27, 2023

I'm having the same issue.


load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/206/apparmor/lxc-206_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "206"
TASK ERROR: startup for container '206' failed

prox-tba · Feb 27, 2023

I did a clone of the LXC-Container and now the container working again. But it's realy strange, hope that this is happen not to often...

wbumiller · Feb 27, 2023

Do you still have the broken container? Can you check the file it mentions? (/var/lib/lxc/206/apparmor/lxc-206_<-var-lib-lxc>).
I suspect that it might be empty, if that's the you can remove it and see if it starts then. Also, if that's the case, I wonder how it happened and we probably need to handle this in lxc.

Zecke007 · Feb 27, 2023

prox-tba said:
I did a clone of the LXC-Container and now the container working again. But it's realy strange, hope that this is happen not to often...

It works, thx

olepinguin · Apr 5, 2023

Hi,

I did a clone and it worked for a while - after 2 days the error came back, on the cloned LXC.
Is there a stable solution - workaround is only short term solution.


load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/100/apparmor/lxc-100_<-var-lib-lxc>
apparmor_prepare: 1086 Failed to load generated AppArmor profile
lxc_init: 876 Failed to initialize LSM
__lxc_start: 2027 Failed to initialize container "100"
TASK ERROR: startup for container '100' failed

olepinguin · Apr 8, 2023

olepinguin said:
Hi,

I did a clone and it worked for a while - after 2 days the error came back, on the cloned LXC.
Is there a stable solution - workaround is only short term solution.

load_apparmor_profile: 979 Invalid argument - Failed to mmap old profile from /var/lib/lxc/100/apparmor/lxc-100_<-var-lib-lxc> apparmor_prepare: 1086 Failed to load generated AppArmor profile lxc_init: 876 Failed to initialize LSM __lxc_start: 2027 Failed to initialize container "100" TASK ERROR: startup for container '100' failed

what also seem to work is to delete the old file in

/var/lib/lxc/100/apparmor/

olepinguin · Apr 14, 2023

prox-tba said:
I did a clone of the LXC-Container and now the container working again. But it's realy strange, hope that this is happen not to often...

Hey,
does it still work for you - here the problem comes back again after rebooting the host.
I need to delete the folder again day by day...

Any ideas how to fix it sustainably ?

fiona · Apr 14, 2023

Hi,
@olepinguin can you share the output of pveversion -v? AFAIU, the issue should be fixed in pve-lxc >= 5.0.2-2 with this commit.

olepinguin · Apr 17, 2023

fiona said:
Hi,
@olepinguin can you share the output of pveversion -v? AFAIU, the issue should be fixed in pve-lxc >= 5.0.2-2 with this commit.

proxmox-ve: 7.3-1 (running kernel: 5.15.85-1-pve)
pve-manager: 7.3-6 (running version: 7.3-6/723bb6ec)
pve-kernel-helper: 7.3-4
pve-kernel-5.15: 7.3-2
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.85-1-pve: 5.15.85-1
pve-kernel-5.15.83-1-pve: 5.15.83-1
pve-kernel-5.15.64-1-pve: 5.15.64-1
pve-kernel-5.15.53-1-pve: 5.15.53-1
pve-kernel-5.15.39-2-pve: 5.15.39-2
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.3
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.3-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-2
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.3-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-1
lxcfs: 5.0.3-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.3.3-1
proxmox-backup-file-restore: 2.3.3-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.1-1
proxmox-widget-toolkit: 3.5.5
pve-cluster: 7.3-2
pve-container: 4.4-2
pve-docs: 7.3-1
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.6-3
pve-ha-manager: 3.5.1
pve-i18n: 2.8-2
pve-qemu-kvm: 7.1.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.3-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.9-pve1

fiona · Apr 17, 2023

olepinguin said:
lxc-pve: 5.0.2-1

fiona said:
Hi,
@olepinguin can you share the output of pveversion -v? AFAIU, the issue should be fixed in pve-lxc >= 5.0.2-2 with this commit.

Your version does not include the fix yet.

olepinguin · Apr 17, 2023

fiona said:
Your version does not include the fix yet.

Thanks,
we will see if lxc-pve: 5.0.2-2 does the job ;-)

olepinguin · Apr 18, 2023

olepinguin said:
Thanks,
we will see if lxc-pve: 5.0.2-2 does the job ;-)

it does !

Search

Search

Failed to load AppArmor profile + initialise LSM error when starting containers

flaneur

New Member

Moayad

Proxmox Staff Member

flaneur

New Member

Moayad

Proxmox Staff Member

gulbalee

New Member

prox-tba

New Member

Zecke007

Member

prox-tba

New Member

wbumiller

Proxmox Staff Member

Zecke007

Member

olepinguin

Member

olepinguin

Member

olepinguin

Member

fiona

Proxmox Staff Member

olepinguin

Member

fiona

Proxmox Staff Member

olepinguin

Member

olepinguin

Member

We value your privacy