pveversion is at the bottom to save time for people looking only for the fix.
Generally I do not use apparmor on my containers and I find them suitably secure as they are.
But recently I experienced a situation where I had to get apparmor working, if only temporarily.
During the installation of i2p on Debian, one of its dependencies is a working apparmor installation.
You will receive this error at the end of following the instructions for installation of i2p from their website.
apt install i2p
Bash:
Job for i2p.service failed because the control process exited with error code.
See "systemctl status i2p.service" and "journalctl -xeu i2p.service" for details.
invoke-rc.d: initscript i2p, action "start" failed.
× i2p.service - load-balanced unspoofable packet switching network
Loaded: loaded (/lib/systemd/system/i2p.service; disabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2024-05-13 10:57:28 UTC; 20ms ago
Process: 2654 ExecStartPre=/bin/mkdir -p /tmp/i2p-daemon (code=exited, status=0/SUCCESS)
Process: 2655 ExecStartPre=/bin/mkdir -p /var/log/i2p (code=exited, status=0/SUCCESS)
Process: 2656 ExecStartPre=/bin/chown -R ${I2PUSER}:${I2PUSER} /var/log/i2p /run/i2p /tmp/i2p-daemon (code=exited, status=0/SUCCESS)
Process: 2657 ExecStartPre=/bin/chmod 750 /var/log/i2p (code=exited, status=0/SUCCESS)
Process: 2658 ExecStart=/usr/sbin/wrapper $I2P_ARGS (code=exited, status=231/APPARMOR)
Process: 2659 ExecStopPost=/bin/rm -rf /run/i2p (code=exited, status=0/SUCCESS)
CPU: 19ms
May 13 10:57:28 ARR systemd[1]: Starting i2p.service - load-balanced unspoofable packet switching network...
May 13 10:57:28 ARR (wrapper)[2658]: i2p.service: Failed to prepare AppArmor profile change to system_i2p: No such file or directory
May 13 10:57:28 ARR (wrapper)[2658]: i2p.service: Failed at step APPARMOR spawning /usr/sbin/wrapper: No such file or directory
May 13 10:57:28 ARR systemd[1]: i2p.service: Control process exited, code=exited, status=231/APPARMOR
May 13 10:57:28 ARR systemd[1]: i2p.service: Failed with result 'exit-code'.
May 13 10:57:28 ARR systemd[1]: Failed to start i2p.service - load-balanced unspoofable packet switching network.
dpkg: error processing package i2p (--configure):
installed i2p package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
i2p
E: Sub-process /usr/bin/dpkg returned an error code (1)
And then if you check the apparmor status, you will see this error:
*NOTE* This is the same error regardless of whether it is a privileged or unprivileged container.
Bash:
service apparmor status
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
Active: inactive (dead)
Assert: start assertion failed at Mon 2024-05-13 10:13:05 UTC; 28s ago
AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load was not met
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
May 13 10:13:05 ARR systemd[1]: apparmor.service: Starting requested but asserts failed.
May 13 10:13:05 ARR systemd[1]: Assertion failed for apparmor.service - Load AppArmor profiles.
The fix for unprivileged containers:
Stop your container, add this entry to the bottom of your lxc machine config and start it again.
Code:
lxc.mount.entry: /sys/kernel/security sys/kernel/security none bind,optional 0 0
That's it.
The fix for privileged containers:
Do the same fix as for the unprivileged container, and also add these lines to the lxc machine config.
Code:
lxc.apparmor.profile: unconfined
lxc.cap.drop:
Please note there is some nuance to these settings, and they may affect security. This is the configuration that works for me in the time I have available to research.
On both privileged/unprivileged container configs I have enabled all other options and do not know if they are needed for this to succeed.
Code:
features: fuse=1,mknod=1,mount=nfs;cifs,nesting=1
After applying the fixes and rebooting, reinstall i2p:
apt install i2p
Should complete without errors.
Bonus points:
After installing i2p successfully, if you read the file
/etc/default/i2p
it mentions running
Code:
dpkg-reconfigure -plow i2p
which lets you disable the dependency on apparmor, and once you have reconfigured it, you can disable apparmor if you do not need it.
Code:
systemctl disable apparmor.service
Unfortunately, if you try to run this command before the i2p installation is marked as properly installed, it will not work.
There may be a way, but I do not know it.
I consider apparmor being a forced requirement on install a bug in i2p. It should install properly and then bring up the configuration to enable/disable the apparmor requirement. Oh well.
------------------------------
Code:
pveversion -v
proxmox-ve: 8.2.0 (running kernel: 6.8.4-3-pve)
pve-manager: 8.2.2 (running version: 8.2.2/9355359cd7afbae4)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.8: 6.8.4-3
proxmox-kernel-6.8.4-3-pve-signed: 6.8.4-3
proxmox-kernel-6.5.13-5-pve-signed: 6.5.13-5
proxmox-kernel-6.5: 6.5.13-5
ceph-fuse: 16.2.11+ds-2
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx8
intel-microcode: 3.20231114.1~deb12u1
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.3
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.6
libpve-cluster-perl: 8.0.6
libpve-common-perl: 8.2.1
libpve-guest-common-perl: 5.1.1
libpve-http-server-perl: 5.1.0
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.8
libpve-storage-perl: 8.2.1
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-3
proxmox-backup-client: 3.2.2-1
proxmox-backup-file-restore: 3.2.2-1
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.6
proxmox-widget-toolkit: 4.2.3
pve-cluster: 8.0.6
pve-container: 5.1.10
pve-docs: 8.2.2
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.0
pve-firewall: 5.0.7
pve-firmware: 3.11-1
pve-ha-manager: 4.0.4
pve-i18n: 3.2.2
pve-qemu-kvm: 8.1.5-6
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.1
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.3-pve2
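Added example, not part of the post above: a small POSIX shell audit that reads a Proxmox LXC config (normally /etc/pve/lxc/VMID.conf on the host) and reports which of the settings from the two fixes are present, flagging the ones that relax container isolation (the unconfined AppArmor profile and the empty lxc.cap.drop). The sample config at the end is constructed for the demo and mirrors the privileged-container fix.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Proxmox LXC config for
# the settings the post adds and say which of them weaken isolation.
# Usage: audit_lxc_conf /etc/pve/lxc/<VMID>.conf

audit_lxc_conf() {
    conf="$1"
    # Unprivileged fix: bind-mounting securityfs is what satisfies
    # apparmor.service's AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
    if grep -qE '^lxc\.mount\.entry:[[:space:]]*/sys/kernel/security[[:space:]]' "$conf"; then
        echo "INFO: securityfs bind-mounted into the container (needed for apparmor.service)"
    else
        echo "INFO: no /sys/kernel/security bind mount; apparmor.service will fail its assert"
    fi
    # Privileged fix, part 1: 'unconfined' removes the host-side AppArmor
    # confinement Proxmox normally applies to the container's processes.
    if grep -qE '^lxc\.apparmor\.profile:[[:space:]]*unconfined[[:space:]]*$' "$conf"; then
        echo "WARN: lxc.apparmor.profile is unconfined; host AppArmor policy no longer confines this container"
    fi
    # Privileged fix, part 2: an empty lxc.cap.drop clears the default drop
    # list, so a privileged container's root keeps its full capability set.
    if grep -qE '^lxc\.cap\.drop:[[:space:]]*$' "$conf"; then
        echo "WARN: lxc.cap.drop is empty; no capabilities are dropped from the container"
    fi
    # Feature flags the post left enabled (nesting, mount, mknod, fuse each
    # widen the container's reach into the host kernel); list them for review.
    feat=$(sed -n 's/^features:[[:space:]]*//p' "$conf")
    [ -n "$feat" ] && echo "INFO: features enabled: $feat"
    return 0
}

# Constructed sample config matching the privileged-container fix in the post.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
arch: amd64
features: fuse=1,mknod=1,mount=nfs;cifs,nesting=1
hostname: i2p-ct
lxc.mount.entry: /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.apparmor.profile: unconfined
lxc.cap.drop:
EOF

audit_lxc_conf "$SAMPLE_CONF"
```

Run it against a real container config after applying the fixes; every WARN line is a setting worth reverting once apparmor is no longer needed (for example after the dpkg-reconfigure step above).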