[SOLVED] i2p on Debian containers in Proxmox, aka apparmor is broken in Debian LXC containers, both privileged and unprivileged. Fix inside.

Posted by effgee (Renowned Member, member since Jul 29, 2013)
pveversion is at the bottom to save time for people looking only for the fix.

Generally I do not use apparmor on my containers and I find them suitably secure as they are.
But recently I experienced a situation where I had to get apparmor working, even if only temporarily.

During the installation of i2p on Debian, one of its dependencies is a working apparmor installation.
You will receive this error at the end, after following the instructions for installing i2p from their website.

apt install i2p

Bash:
Job for i2p.service failed because the control process exited with error code.
See "systemctl status i2p.service" and "journalctl -xeu i2p.service" for details.
invoke-rc.d: initscript i2p, action "start" failed.
× i2p.service - load-balanced unspoofable packet switching network
     Loaded: loaded (/lib/systemd/system/i2p.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Mon 2024-05-13 10:57:28 UTC; 20ms ago
    Process: 2654 ExecStartPre=/bin/mkdir -p /tmp/i2p-daemon (code=exited, status=0/SUCCESS)
    Process: 2655 ExecStartPre=/bin/mkdir -p /var/log/i2p (code=exited, status=0/SUCCESS)
    Process: 2656 ExecStartPre=/bin/chown -R ${I2PUSER}:${I2PUSER} /var/log/i2p /run/i2p /tmp/i2p-daemon (code=exited, status=0/SUCCESS)
    Process: 2657 ExecStartPre=/bin/chmod 750 /var/log/i2p (code=exited, status=0/SUCCESS)
    Process: 2658 ExecStart=/usr/sbin/wrapper $I2P_ARGS (code=exited, status=231/APPARMOR)
    Process: 2659 ExecStopPost=/bin/rm -rf /run/i2p (code=exited, status=0/SUCCESS)
        CPU: 19ms

May 13 10:57:28 ARR systemd[1]: Starting i2p.service - load-balanced unspoofable packet switching network...
May 13 10:57:28 ARR (wrapper)[2658]: i2p.service: Failed to prepare AppArmor profile change to system_i2p: No such file or directory
May 13 10:57:28 ARR (wrapper)[2658]: i2p.service: Failed at step APPARMOR spawning /usr/sbin/wrapper: No such file or directory
May 13 10:57:28 ARR systemd[1]: i2p.service: Control process exited, code=exited, status=231/APPARMOR
May 13 10:57:28 ARR systemd[1]: i2p.service: Failed with result 'exit-code'.
May 13 10:57:28 ARR systemd[1]: Failed to start i2p.service - load-balanced unspoofable packet switching network.
dpkg: error processing package i2p (--configure):
 installed i2p package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 i2p
E: Sub-process /usr/bin/dpkg returned an error code (1)


And then if you check the apparmor status, you will see this error:
*NOTE* This is the same error regardless of whether it is a privileged or unprivileged container.


Bash:
service apparmor status
○ apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
     Active: inactive (dead)
     Assert: start assertion failed at Mon 2024-05-13 10:13:05 UTC; 28s ago
             AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load was not met
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/


May 13 10:13:05 ARR systemd[1]: apparmor.service: Starting requested but asserts failed.
May 13 10:13:05 ARR systemd[1]: Assertion failed for apparmor.service - Load AppArmor profiles.


The fix for unprivileged containers:

Stop your container, add this entry to the bottom of your lxc machine config and start it again.

Code:
lxc.mount.entry: /sys/kernel/security sys/kernel/security none bind,optional 0 0

That's it.



The fix for privileged containers:

Apply the same fix as for the unprivileged container, and also add these lines to the lxc machine config.

Code:
lxc.apparmor.profile: unconfined
lxc.cap.drop:


Please note there is some nuance to these settings and they may affect security. This is the configuration that works for me in the time I have available to research.

On both privileged/unprivileged container configs I have enabled all other options and do not know if they are needed for this to succeed.

Code:
features: fuse=1,mknod=1,mount=nfs;cifs,nesting=1



After applying the fixes and rebooting, reinstall i2p:

apt install i2p

Should complete without errors.


Bonus points:

After installing i2p successfully, if you read the file

/etc/default/i2p

It mentions to run

Code:
dpkg-reconfigure -plow i2p

in which you can disable the dependency on apparmor, and once it is reconfigured, you can disable apparmor if you do not need it.

Code:
systemctl disable apparmor.service

Unfortunately, if you try to run this command before the i2p installation is marked as properly installed, it will not work.
There may be a way, but I do not know it.

I consider apparmor being a forced requirement on install a bug in i2p. It should install properly, then bring up the configuration to enable/disable the apparmor requirement. Oh well.



------------------------------
Code:
pveversion -v
proxmox-ve: 8.2.0 (running kernel: 6.8.4-3-pve)
pve-manager: 8.2.2 (running version: 8.2.2/9355359cd7afbae4)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.8: 6.8.4-3
proxmox-kernel-6.8.4-3-pve-signed: 6.8.4-3
proxmox-kernel-6.5.13-5-pve-signed: 6.5.13-5
proxmox-kernel-6.5: 6.5.13-5
ceph-fuse: 16.2.11+ds-2
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx8
intel-microcode: 3.20231114.1~deb12u1
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.3
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.6
libpve-cluster-perl: 8.0.6
libpve-common-perl: 8.2.1
libpve-guest-common-perl: 5.1.1
libpve-http-server-perl: 5.1.0
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.8
libpve-storage-perl: 8.2.1
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-3
proxmox-backup-client: 3.2.2-1
proxmox-backup-file-restore: 3.2.2-1
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.6
proxmox-widget-toolkit: 4.2.3
pve-cluster: 8.0.6
pve-container: 5.1.10
pve-docs: 8.2.2
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.0
pve-firewall: 5.0.7
pve-firmware: 3.11-1
pve-ha-manager: 4.0.4
pve-i18n: 3.2.2
pve-qemu-kvm: 8.1.5-6
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.1
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.3-pve2
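An added example for this thread (my code, not the original poster's and not Proxmox's): a small bash script that applies the securityfs bind mount from the post to a pct config on the host and reports, for the privileged-container variant, which isolation layers `lxc.apparmor.profile: unconfined` and an empty `lxc.cap.drop:` switch off. Two details go beyond the post: pct configs with snapshots carry `[snapshot-name]` sections below the live config, so the script inserts the line before the first such header instead of appending to the end of the file, and the guest-side function approximates the `AssertPathIsReadWrite` check that apparmor.service makes on `/sys/kernel/security/apparmor/.load`. The config contents, the VMID 123 and the warning texts are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the original post or from
# Proxmox. Host side: put the securityfs bind mount into a pct config the way
# the post describes, but into the live section rather than past any
# [snapshot] header, and count which isolation layers the privileged-container
# variant switches off. Guest side: approximate the assertion apparmor.service
# makes. File names and the VMID 123 are hypothetical.

MOUNT_ENTRY='lxc.mount.entry: /sys/kernel/security sys/kernel/security none bind,optional 0 0'

# pct configs keep the live settings first; each snapshot follows under a
# "[name]" header. Only the first block matters for the running container.
current_section() {
    awk '/^\[/ { exit } { print }' "$1"
}

has_securityfs_mount() {
    current_section "$1" | grep -Fxq -- "$MOUNT_ENTRY"
}

# Insert the bind mount just before the first snapshot header, or at the end
# when there are no snapshots. Safe to run repeatedly.
add_securityfs_mount() {
    local conf="$1"
    has_securityfs_mount "$conf" && return 0
    awk -v entry="$MOUNT_ENTRY" '
        !done && /^\[/ { print entry; done = 1 }
        { print }
        END { if (!done) print entry }
    ' "$conf" > "$conf.tmp" && mv -- "$conf.tmp" "$conf"
}

# Print the number of findings on stdout, one warning per finding on stderr.
# 0 means the config relies on nothing beyond the bind mount.
count_apparmor_findings() {
    local cur n=0
    cur=$(current_section "$1")
    if ! printf '%s\n' "$cur" | grep -Eq '^unprivileged: 1$'; then
        echo 'WARN: privileged container: uid 0 in the guest is uid 0 on the host' >&2
        n=$((n + 1))
    fi
    if printf '%s\n' "$cur" | grep -Eq '^lxc\.apparmor\.profile: unconfined$'; then
        echo 'WARN: lxc.apparmor.profile: unconfined removes the host-side AppArmor confinement of the whole container' >&2
        n=$((n + 1))
    fi
    if printf '%s\n' "$cur" | grep -Eq '^lxc\.cap\.drop:[[:space:]]*$'; then
        echo 'WARN: empty lxc.cap.drop: clears the capabilities Proxmox drops by default for privileged containers (such as sys_module, sys_rawio, sys_time, mac_admin, mac_override)' >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Guest side. apparmor.service asserts AssertPathIsReadWrite on
# /sys/kernel/security/apparmor/.load; without the bind mount that path does
# not exist inside the container at all. $1 is an optional root prefix so the
# check can be exercised against a fake tree.
apparmor_load_path_ready() {
    local p="${1:-}/sys/kernel/security/apparmor/.load"
    [ -e "$p" ] && [ -w "$p" ]
}

# Demo on a constructed config (not a real container): privileged, with the
# post's two extra lines and one snapshot section.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/123.conf"
cat > "$demo_conf" <<'EOF'
arch: amd64
cores: 2
features: fuse=1,mknod=1,mount=nfs;cifs,nesting=1
hostname: i2p-test
memory: 1024
ostype: debian
rootfs: local-lvm:vm-123-disk-0,size=8G
lxc.apparmor.profile: unconfined
lxc.cap.drop:

[before-i2p]
arch: amd64
hostname: i2p-test
EOF
add_securityfs_mount "$demo_conf"
echo "findings: $(count_apparmor_findings "$demo_conf")"
cat "$demo_conf"
rm -rf -- "$demo_dir"
```

On a real host you would run `add_securityfs_mount /etc/pve/lxc/<vmid>.conf` with the container stopped and then `pct start <vmid>`; inside the guest, `apparmor_load_path_ready` succeeding is what lets apparmor.service get past its assertion. The warnings are why the post's caveat about security matters: on a privileged container, `unconfined` together with an empty `lxc.cap.drop:` removes the AppArmor confinement Proxmox applies to the container and restores the capabilities it drops by default, so a compromise of i2p inside the guest is a compromise of host root.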