lxc apparmor="DENIED" operation="mount" error=-13

L

leoris90

New Member
Jul 27, 2021
5
0
1
34
Code: 
[3367574.989345] audit: type=1400 audit(1634922540.459:12171): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=20238 comm="(ionclean)" srcname="/" flags="rw, rbind"

In my LXC container my dmesg is just filled with this message.

arch: amd64
hostname: trip1-fawn1
memory: 16384
mp0: /mtc,mp=/mtc
mp1: /mtctmp,mp=/mtctmp
mp2: /mtclog/app,mp=/mtclog/app
mp3: /mtclocal,mp=/mtclocal
mp4: /mon2,mp=/mon2
mp5: /www,mp=/www
mp6: /var/log/apache2,mp=/var/log/apache2
mp7: /creative,mp=/creative
mp8: /bulk02/source,mp=/bulk02/source
mp9: /bulk_v2,mp=/bulk_v2
net0: name=eth0,bridge=vmbr0,gw=192.168.2.98,hwaddr=CE:A5:A4:F9:91:45,ip=192.168.2.67/21,ip6=auto,type=veth
net1: name=eth1,bridge=vmbr1,hwaddr=EE:BE:9D:B1:10:18,ip=10.52.0.15/12,ip6=auto,type=veth
ostype: debian
rootfs: local:100/vm-100-disk-0.raw,size=20G
swap: 4096


this is the lxc conf file.

I'm not quite sure what exactly this error is complaining about. May I get some help please.
 
These errors been driving me crazy too, i have been searching for many hours without any definite answer. Most advice are told just to ignore it because the container is trying to do what it's not allowed. I just registered and document my journey hopefully it will help newbie like myself have some closures in the future.

I found that these these error occurs in Privileged lxc (ie Unprivileged = no) when it try to do "Privileged actions". The most two common on my logs are comm="(ionclean)" and comm="(d-logind)"

The comm="(d-logind)" is the systemd-logind.service ( /usr/lib/systemd/systemd-logind ) which is related user management, error light up especially when accessing mounting points.

The comm="(ionclean)" is the phpsessionclean.service ( /lib/systemd/system/phpsessionclean.service ) which is a script to clean stale php sessions. It is run every 30 minutes.

To stop these errors polluting my logs, I enable nesting:
On web UI choose lxc -> stop lxc -> Options -> Features -> Tick Nesting -> Start lxc

I use my promox in an internal LAN, for those who expose the proxmox box externally i dont know the security implications for enabling nesting.
 
Last edited:
  • Like
Reactions: stone_well and BruceX
huu said:
I found that these these error occurs in Privileged lxc (ie Unprivileged = no) when it try to do "Privileged actions". The most two common on my logs are comm="(ionclean)" and comm="(d-logind)"
Click to expand...

I am on Proxmox 8.0.3 after upgrading from an old version.
I have these in my log and the machine has number 102, not 200. I wonder if it is getting messages for machine 200:

Code: 
2023-07-19T17:10:41.454554+00:00 p2 kernel: [81220.449368] audit: type=1400 audit(1689786641.449:6432): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-200_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=819415 comm="(d-logind)" srcname="/" flags="rw, rbind"

Yes! I enabled nesting on machine number 200 and the message went away in machine 102...
 
Last edited:
huu said:
These errors been driving me crazy too, i have been searching for many hours without any definite answer. Most advice are told just to ignore it because the container is trying to do what it's not allowed. I just registered and document my journey hopefully it will help newbie like myself have some closures in the future.

I found that these these error occurs in Privileged lxc (ie Unprivileged = no) when it try to do "Privileged actions". The most two common on my logs are comm="(ionclean)" and comm="(d-logind)"

The comm="(d-logind)" is the systemd-logind.service ( /usr/lib/systemd/systemd-logind ) which is related user management, error light up especially when accessing mounting points.

The comm="(ionclean)" is the phpsessionclean.service ( /lib/systemd/system/phpsessionclean.service ) which is a script to clean stale php sessions. It is run every 30 minutes.

To stop these errors polluting my logs, I enable nesting:
On web UI choose lxc -> stop lxc -> Options -> Features -> Tick Nesting -> Start lxc

I use my promox in an internal LAN, for those who expose the proxmox box externally i dont know the security implications for enabling nesting.
Click to expand...
ChatGPTv4 also suggested turning on nesting but didn't explain why, so I came here looking for confirmation. Thanks!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back