LXC Container Upgrade to Bullseye - Slow Login and AppArmor Errors

I also need to update my LXCs from Buster to Bullseye.
So there is nothing special updating an LXC except for enabling nesting? So only an apt dist-upgrade like with my VMs I upgraded from Buster to Bullseye?
 
you can follow the regular upgrade procedure for debian.
1. apt update && apt dist-upgrade to get the latest buster packages
2. change repositories in /etc/apt/sources.list and sources.list.d to use bullseye instead of debian.
for example from our wiki sed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' /etc/apt/sources.list will do that for the sources.list file (you'll need to check if you have any other repositories enabled)
3. apt update && apt dist-upgrade and follow the prompts
4. exit the container and reboot it with pct reboot CTID (you can also use the "Reboot" button in GUI)
also allow nesting if not already enabled
 
Reactions: vmware and Dunuin
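
An added example, not part of the thread or the Proxmox wiki: a dry run of step 2 on a throwaway directory. It applies the sed from the post and then lists every active source line that still names buster, which is the check the post asks for on other repositories. The sample files are constructed, repo.example.invalid is a placeholder, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Works on a throwaway directory, never on /etc/apt itself.
# Assumes GNU sed (for -i), as shipped in Debian.

# The suite rewrite from the post, applied to one file.
# Order matters: "buster/updates" has to become "bullseye-security" before
# the generic rename, because Bullseye renamed the security suite.
rewrite_suites() {
    sed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' "$1"
}

# List active (non-comment) lines under an APT directory that still name
# buster. Prints file:line:text per hit and nothing when the tree is clean.
leftover_buster() {
    find "$1" -type f -name '*.list' -exec \
        grep -HnE '^[[:space:]]*[^#[:space:]].*buster' {} +
}

# Constructed sample tree standing in for /etc/apt.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sources.list.d" || return 1
    cat > "$d/sources.list" <<'EOF'
deb http://deb.debian.org/debian buster main contrib
deb http://deb.debian.org/debian buster-updates main contrib
deb http://security.debian.org/debian-security buster/updates main contrib
EOF
    cat > "$d/sources.list.d/extra.list" <<'EOF'
# deb http://repo.example.invalid/debian buster main
deb http://repo.example.invalid/debian buster main
EOF
    echo "$d"
}

apt_dir=$(make_sample)
rewrite_suites "$apt_dir/sources.list"   # step 2 as written in the post
cat "$apt_dir/sources.list"
echo "--- still on buster:"
leftover_buster "$apt_dir"               # flags only the extra repository
rm -rf "$apt_dir"
```

Running the two functions against a copy of the container's /etc/apt before step 3 shows which files under sources.list.d still need editing by hand.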
yeah, a short paragraph for the docs would probably be a good idea. note that this mainly affects existing containers - new unprivileged containers are created with nesting enabled by default for this reason (at least when created via the GUI).
 
Reactions: vmware
I am not a Proxmox user but I experienced the same issue after upgrading from Debian 10 to 11 in a LXC container.

I have a simple solution to the issue which does not require enabling nesting or masking systemd-logind that I hope more people can try and verify.

Solution:
Comment out the hardening options starting with *Private* or *Protect* in /lib/systemd/system/systemd-logind.service.
Then run systemctl daemon-reload to reload the profile.
 
Reactions: Corwin

I've done some trial-and-error. For me, commenting out these two works:
Code:
# ProtectProc=invisible
# ProtectControlGroups=yes

Warning: I don't have a clue how this affects security. Maybe using nested is better (or worse).
 
You can read the opinion of the Proxmox staff earlier in this thread.
Thanks. Shouldn't you also link this in the wiki? There you only find the hint that it might be insecure because procfs and sysfs are mounted from the host into the container.

For myself, I haven't had any problems with uninstalling dbus by the way. Seems like none of my applications need it.
 