How to apply default lxc.cap.drop to all lxc by os

lva
Nov 7, 2023
We are running LXC Debian 12 based containers on our Proxmox cluster (version 8.0.4) and had the problem that some systemd-related services were shown as failed.
We could resolve this by adding lxc.cap.drop: sys_rawio sys_module audit_read to our LXC config (/etc/pve/lxc/<VMID>.conf), and this works just fine (we found this useful blog post).

But of course we don't want to add this line manually to all our containers. Instead we would like to make use of /usr/share/lxc/config/debian.common.conf as mentioned here. Unfortunately, I was not able to make this work.
I added lxc.cap.drop = sys_rawio sys_module audit_read to the debian.common.conf file, but it seemed to have no effect. I (on purpose) messed the line up and that took effect (the container console on Proxmox showed a parsing error), so I assume that the config is in fact being applied in some way.
I tried different syntaxes for the line, i.e. lxc.cap.drop: sys_rawio sys_module audit_read, lxc.cap.drop = sys_rawio sys_module audit_read and lxc.cap.drop = "sys_rawio sys_module audit_read", all of which had no effect on my container. It still does not apply those settings, and when using capsh --print inside the container I can confirm that my cap.drop had no effect. However, adding it to the container config directly as mentioned in my first sentence still works.

For reference the output of capsh --print.
When it does not work:
Code:
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB:
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)

When it does work:
Code:
Current: =ep cap_sys_module,cap_sys_rawio,cap_audit_read-ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB: !cap_sys_module,!cap_sys_rawio,!cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)


I am not really sure whether this is an issue with Proxmox or with LXC itself, but I would really appreciate it if someone could help me debug this by pointing me in the right direction.

best regards,
Leonardo
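One way to do what the first post asks for (put the lxc.cap.drop line into every Debian container's config instead of editing each one by hand), as an added shell example that is not from the thread and not Proxmox's own tooling. It assumes the /etc/pve/lxc/<VMID>.conf format uses key: value lines, that an ostype: debian line identifies a Debian container, and that snapshot sections begin with a [name] line, so the key has to be inserted above the first such line rather than appended to the file (appending would put it into the last snapshot section instead of the live config). The three sample configs it writes into a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Proxmox.
# Adds "lxc.cap.drop: sys_rawio sys_module audit_read" to every Proxmox CT
# config (/etc/pve/lxc/<VMID>.conf) whose ostype is debian, leaving alone
# containers that already carry an lxc.cap.drop line.
#
# Assumptions (not stated on the page): the config uses "key: value" lines,
# "ostype: debian" marks a Debian CT, and snapshot sections start with a
# "[name]" line, so the new key must go *before* the first such line.
set -u

CAP_DROP="sys_rawio sys_module audit_read"   # the set used in the thread

# add_cap_drop <file> : prints "skipped" (not a Debian CT), "present" (an
# lxc.cap.drop line already exists) or "added" (line inserted).
add_cap_drop() {
    conf=$1
    grep -q '^ostype: debian' "$conf"   || { echo skipped; return 0; }
    grep -q '^lxc\.cap\.drop:' "$conf"  && { echo present; return 0; }
    # Insert above the first "[snapshot]" header, or append if there is none.
    new=$(awk -v l="lxc.cap.drop: $CAP_DROP" '
        !done && /^\[/ { print l; done = 1 }
        { print }
        END { if (!done) print l }' "$conf") || return 1
    printf '%s\n' "$new" > "$conf"
    echo added
}

# apply_all <dir> : process every <VMID>.conf in <dir>, print one status line
# per file, and print the number of files changed on the last line.
apply_all() {
    dir=$1 changed=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        r=$(add_cap_drop "$f")
        [ "$r" = added ] && changed=$((changed + 1))
        echo "$(basename "$f" .conf): $r"
    done
    echo "$changed"
}

# make_demo_configs : writes three constructed configs into a temp dir
# (a stand-in for /etc/pve/lxc) and prints the directory path.
make_demo_configs() {
    d=$(mktemp -d)
    # Debian CT with a snapshot section: the key must land above "[before-upgrade]".
    printf 'arch: amd64\nostype: debian\nhostname: web1\n\n[before-upgrade]\narch: amd64\nostype: debian\n' > "$d/101.conf"
    # Ubuntu CT: untouched.
    printf 'arch: amd64\nostype: ubuntu\nhostname: u1\n' > "$d/102.conf"
    # Debian CT already configured by hand: untouched.
    printf 'arch: amd64\nostype: debian\nlxc.cap.drop: %s\n' "$CAP_DROP" > "$d/103.conf"
    echo "$d"
}

# Real use: apply_all /etc/pve/lxc, then restart the affected CTs; lxc.* keys
# are only read when the container starts.
demo=$(make_demo_configs)
apply_all "$demo"
cat "$demo/101.conf"
```

Run apply_all /etc/pve/lxc on one node (the directory is cluster-wide) and restart the changed containers afterwards; the lxc.* keys are only read at container start, and nothing here hooks container creation, so re-run it after creating new CTs. Verify from inside the container with capsh --print as in the post: cap_sys_module, cap_sys_rawio and cap_audit_read should be missing from the bounding set.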
I upvote this workaround while we don't have a better solution!

@lva , according to Stéphane Graber in the issue you had mentioned, the best approach would be "opening a bug against systemd and/or sending a PR which adds a container restriction on this unit so that it doesn't show up as failed on startup."

Have you done that already?
 
Thank you for your upvote.
I did open an issue on the LXC project as the cap drop seemed like a good solution for the problem (We don't want that in an unprivileged container).
However, I think it may be a good idea to address the root cause at the systemd project. I'll take a look into this and link to the issue once I opened it.
If you open an issue yourself, feel free to share it here.
 
I upgraded my LXC Ubuntu 22.04.x container to Ubuntu 24.04, and with the new Ubuntu version I get the same error:

Code:
# systemctl list-units --failed
  UNIT                    LOAD   ACTIVE SUB    DESCRIPTION
● sys-kernel-config.mount loaded failed failed Kernel Configuration File System


Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

With
Code:
Sep 01 14:44:12 pihole mount[70]: mount: /sys/kernel/config: permission denied.
Sep 01 14:44:12 pihole mount[70]:        dmesg(1) may have more information after failed mount system call.
Sep 01 14:44:12 pihole systemd[1]: sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
Sep 01 14:44:12 pihole systemd[1]: sys-kernel-config.mount: Failed with result 'exit-code'.
Sep 01 14:44:12 pihole systemd[1]: Failed to mount sys-kernel-config.mount - Kernel Configuration File System.