lxc apparmor="DENIED" operation="mount" error=-13

leoris90

Code:
[3367574.989345] audit: type=1400 audit(1634922540.459:12171): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=20238 comm="(ionclean)" srcname="/" flags="rw, rbind"

In my LXC container my dmesg is just filled with this message.

arch: amd64
hostname: trip1-fawn1
memory: 16384
mp0: /mtc,mp=/mtc
mp1: /mtctmp,mp=/mtctmp
mp2: /mtclog/app,mp=/mtclog/app
mp3: /mtclocal,mp=/mtclocal
mp4: /mon2,mp=/mon2
mp5: /www,mp=/www
mp6: /var/log/apache2,mp=/var/log/apache2
mp7: /creative,mp=/creative
mp8: /bulk02/source,mp=/bulk02/source
mp9: /bulk_v2,mp=/bulk_v2
net0: name=eth0,bridge=vmbr0,gw=192.168.2.98,hwaddr=CE:A5:A4:F9:91:45,ip=192.168.2.67/21,ip6=auto,type=veth
net1: name=eth1,bridge=vmbr1,hwaddr=EE:BE:9D:B1:10:18,ip=10.52.0.15/12,ip6=auto,type=veth
ostype: debian
rootfs: local:100/vm-100-disk-0.raw,size=20G
swap: 4096


This is the LXC conf file.

I'm not quite sure what exactly this error is complaining about. May I get some help, please?
 
These errors have been driving me crazy too; I have been searching for many hours without any definite answer. Most advice is to just ignore it because the container is trying to do what it's not allowed to. I just registered to document my journey; hopefully it will help newbies like myself get some closure in the future.

I found that these errors occur in privileged LXCs (i.e. Unprivileged = no) when they try to do "privileged actions". The two most common in my logs are comm="(ionclean)" and comm="(d-logind)".

The comm="(d-logind)" is the systemd-logind.service ( /usr/lib/systemd/systemd-logind ), which is related to user management; the error lights up especially when accessing mount points.

The comm="(ionclean)" is the phpsessionclean.service ( /lib/systemd/system/phpsessionclean.service ), which is a script to clean stale PHP sessions. It is run every 30 minutes.

To stop these errors polluting my logs, I enabled nesting:
On the web UI choose the LXC -> stop the LXC -> Options -> Features -> tick Nesting -> start the LXC


I use my Proxmox in an internal LAN; for those who expose the Proxmox box externally, I don't know the security implications of enabling nesting.
 
I found that these errors occur in privileged LXCs (i.e. Unprivileged = no) when they try to do "privileged actions". The two most common in my logs are comm="(ionclean)" and comm="(d-logind)".

I am on Proxmox 8.0.3 after upgrading from an old version.
I have these in my log and the machine has number 102, not 200. I wonder if it is getting messages for machine 200:

Code:
2023-07-19T17:10:41.454554+00:00 p2 kernel: [81220.449368] audit: type=1400 audit(1689786641.449:6432): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-200_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=819415 comm="(d-logind)" srcname="/" flags="rw, rbind"

Yes! I enabled nesting on machine number 200 and the message went away in machine 102...
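Added example (not code from any poster in this thread and not Proxmox's own tooling): a small Python triage script for the audit lines quoted above. It reads the CT id out of the profile name, which is what answers the 102-vs-200 question, since dmesg shows the host kernel's ring buffer and not the container's; it also flags the mount as systemd's unit-sandbox setup. The sample lines and the comm-to-service map are constructed from this thread.

```python
import re

# Constructed sample input: lines shaped like the kernel audit messages quoted in this thread
# (one as seen in dmesg, one as forwarded to syslog with timestamp and hostname, one non-denial).
SAMPLE_LINES = [
    '[3367574.989345] audit: type=1400 audit(1634922540.459:12171): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" '
    'name="/run/systemd/unit-root/" pid=20238 comm="(ionclean)" srcname="/" flags="rw, rbind"',
    '2023-07-19T17:10:41.454554+00:00 p2 kernel: [81220.449368] audit: type=1400 '
    'audit(1689786641.449:6432): apparmor="DENIED" operation="mount" class="mount" '
    'info="failed perms check" error=-13 profile="lxc-200_</var/lib/lxc>" '
    'name="/run/systemd/unit-root/" pid=819415 comm="(d-logind)" srcname="/" flags="rw, rbind"',
    '[81221.000000] audit: type=1400 audit(1689786642.000:6433): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="lxc-300_</var/lib/lxc>" pid=1 comm="apparmor_parser"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"
PROFILE_RE = re.compile(r'^lxc-(\d+)_<')          # Proxmox names the profile after the CT id

# comm is the kernel's 15-byte-truncated process name; these are the two fragments named in the thread
COMM_HINTS = {"(ionclean)": "phpsessionclean.service", "(d-logind)": "systemd-logind.service"}

def parse_audit_fields(line):
    """Split an AppArmor audit line into its key=value fields (quotes stripped)."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def triage_denial(line):
    """Return a triage record for a DENIED mount line, or None for any other audit line."""
    f = parse_audit_fields(line)
    if f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
        return None
    m = PROFILE_RE.match(f.get("profile", ""))
    flags = {x.strip() for x in f.get("flags", "").split(",")}
    return {
        # dmesg is the host's ring buffer, so the CT id must be read from the profile, not from
        # the container you happen to be logged into (this is why CT 102 saw CT 200's messages)
        "ctid": int(m.group(1)) if m else None,
        "pid": int(f["pid"]) if f.get("pid", "").isdigit() else None,
        "comm": f.get("comm"),
        "service": COMM_HINTS.get(f.get("comm"), "unknown"),
        "info": f.get("info"),
        # systemd builds a private mount namespace for sandboxed units (ProtectSystem=, ProtectHome=, ...)
        # by rbind-mounting / under /run/systemd/unit-root; that is the mount the lxc profile rejects
        "systemd_unit_sandbox": f.get("name") == "/run/systemd/unit-root/" and "rbind" in flags,
    }
```

Run it over `dmesg` output on the host (or the forwarded kernel log) and group by `ctid` to see which container each denial really belongs to before deciding whether nesting is the right fix for it.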
 
ChatGPTv4 also suggested turning on nesting but didn't explain why, so I came here looking for confirmation. Thanks!