LXC postqueue BUG: warning: close: Permission denied

[Ovidiu]

which lxc* files?

etc/apparmor.d# ls -altotal 48
drwxr-xr-x 9 root root 4096 Nov 2 14:39 .
drwxr-xr-x 102 root root 4096 Nov 16 14:12 ..
drwxr-xr-x 5 root root 4096 Jun 23 12:23 abstractions
drwxr-xr-x 2 root root 4096 Nov 2 14:39 cache
drwxr-xr-x 2 root root 4096 Nov 18 17:55 disable
drwxr-xr-x 2 root root 4096 Dec 12 2014 force-complain
drwxr-xr-x 2 root root 4096 Sep 22 10:36 local
drwxr-xr-x 2 root root 4096 Nov 2 14:39 lxc
-rw-r--r-- 1 root root 198 Jun 3 06:29 lxc-containers
drwxr-xr-x 5 root root 4096 Jun 23 12:23 tunables
-rw-r--r-- 1 root root 125 Jun 3 06:29 usr.bin.lxc-start
-rw-r--r-- 1 root root 1342 Feb 19 2015 usr.sbin.named

lxc is a folder so there's only lxc-contaienrs left, is that the one you mean?

 

[ipp-2nd]

the disable folder should like this:
lxc-containers -> /etc/apparmor.d/lxc-containers
lxc-default -> /etc/apparmor.d/lxc/lxc-default
usr.bin.lxc-start -> /etc/apparmor.d/usr.bin.lxc-start

 

[wbumiller]

I very much recommend against disabling the profiles entirely. Better set `lxc.aa_profile = unconfined` individually in containers which need it.

 

[Ovidiu]

Ok, this is totally crazy. apparmor is stopping part of my mailservice.

Nov 20 23:12:38 james kernel: [656510.381183] audit: type=1400 audit(1448057558.947:114307): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/trace" pid=18150 comm="qmgr" requested_mask="r" denied_mask="r" fsuid=100 ouid=0

Nov 20 23:12:38 james kernel: [656510.379304] audit: type=1400 audit(1448057558.947:114300): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=18168 comm="error" requested_mask="r" denied_mask="r" fsuid=100 ouid=0

I have done the following and then restarted the container and yet the problem still persists. I even stopped and restarted the container from the proxmox interface. Do I have to restart anything else? I still se the two above errors in my logs.

/etc/init.d/apparmor stop

nano /etc/pve/lxc/100.conf
inserted => lxc.aa_profile : unconfined

ls -al /etc/apparmor.d/disable/
total 8
drwxr-xr-x 2 root root 4096 Nov 20 23:36 .
drwxr-xr-x 9 root root 4096 Nov 2 14:39 ..
lrwxrwxrwx 1 root root 30 Nov 20 23:35 lxc-containers -> /etc/apparmor.d/lxc-containers
lrwxrwxrwx 1 root root 31 Nov 20 23:35 lxc-default -> /etc/apparmor.d/lxc/lxc-default
lrwxrwxrwx 1 root root 33 Nov 20 23:36 usr.bin.lxc-start -> /etc/apparmor.d/usr.bin.lxc-start

###edit###
OK figured out how to finally stop apparmor:
# /etc/init.d/apparmor stop
# /etc/init.d/apparmor teardown
# update-rc.d -f apparmor remove

 

[Ovidiu]

Just a note: I actually had to stop apparmor as assigning the unconfined profile gives me this in the logs:

Nov 21 08:50:50 james pveproxy[16611]: vm 102 - unable to parse config: lxc.aa_profile : unconfined
Nov 21 08:50:47 james pveproxy[16611]: vm 100 - unable to parse config: lxc.aa_profile : unconfined

changed that to:
lxc.aa_profile = unconfined

 

[mr.x]

Hi all,

are there any news in regards to this topic?

BR
Mr.X

 

[dietmar]

are there any news in regards to this topic?

AFAIK this is already fixed with newer kernels.

 

[mr.x]

Hi Dietmar,

AFAIK this is already fixed with newer kernels.

thanks for your reply, but I have the latest versions installed. Please have a look

pveversion -v
proxmox-ve: 4.1-37 (running kernel: 4.2.3-2-pve)
pve-manager: 4.1-13 (running version: 4.1-13/cfb599fb)
pve-kernel-2.6.32-37-pve: 2.6.32-150
pve-kernel-2.6.32-43-pve: 2.6.32-166
pve-kernel-2.6.32-28-pve: 2.6.32-124
pve-kernel-4.2.8-1-pve: 4.2.8-37
pve-kernel-2.6.32-39-pve: 2.6.32-157
pve-kernel-4.2.2-1-pve: 4.2.2-16
pve-kernel-2.6.32-40-pve: 2.6.32-160
pve-kernel-2.6.32-41-pve: 2.6.32-164
pve-kernel-2.6.32-26-pve: 2.6.32-114
pve-kernel-4.2.3-2-pve: 4.2.3-22
lvm2: 2.02.116-pve2
corosync-pve: 2.3.5-2
libqb0: 1.0-1
pve-cluster: 4.0-32
qemu-server: 4.0-55
pve-firmware: 1.1-7
libpve-common-perl: 4.0-48
libpve-access-control: 4.0-11
libpve-storage-perl: 4.0-40
pve-libspice-server1: 0.12.5-2
vncterm: 1.2-1
pve-qemu-kvm: 2.5-5
pve-container: 1.0-44
pve-firewall: 2.0-17
pve-ha-manager: 1.0-21
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u1
lxc-pve: 1.1.5-7
lxcfs: 0.13-pve3
cgmanager: 0.39-pve1
criu: 1.6.0-1
fence-agents-pve: 4.0.20-1

uname -a
Linux prox111 4.2.3-2-pve #1 SMP Tue Nov 3 12:30:37 CET 2015 x86_64 GNU/Linux

Br
Jan

 

[dietmar]

thanks for your reply, but I have the latest versions installed. Please have a look

you still run an old kernel 4.2.3-2-pve - please reboot with latest kernel pve-kernel-4.2.8-1-pve

 

[mr.x]

Hi Dietmar,

you still run an old kernel 4.2.3-2-pve - please reboot with latest kernel pve-kernel-4.2.8-1-pve

ups, your right. I overlooked it. Sorry.
Will reboot and keep you posted.

BR
Jan

 

[FrankB]

This problem still exists in the ISO installed versions. The maximum Kernel you can get is 4.2.6-1-pve.

 

[dietmar]

Please update your installation and test with latest version.

 

[FrankB]

I ran apt-get install then apt-get update and nothing pops up.

 

[tom]

I ran apt-get install then apt-get update and nothing pops up.

See http://pve.proxmox.com/wiki/Downloads#Update_a_running_Proxmox_Virtual_Environment_4.x_to_latest_4.1

 

[FrankB]

See http://pve.proxmox.com/wiki/Downloads#Update_a_running_Proxmox_Virtual_Environment_4.x_to_latest_4.1

Could it be that I do not have a subscription key?

 

[tom]

Could it be that I do not have a subscription key?

Read again the wiki page in detail.

 

[FrankB]

Read again the wiki page in detail.

1. I installed from the latest ISO that its asking me to download, so that is unnecessary.
2. I checked the sources
3. I checked the REPO
4. I ran the update and dist-upgrade
5. I get nothing.

The only thing I nothing is during the update I get:
Err https://enterprise.proxmox.com jessie/pve-enterprise amd64 Packages
HttpError401
W: Failed to fetch https://enterprise.proxmox.com/debian/dists/jessie/pve-enterprise/binary-amd64/Packages HttpError401

Thats about it.

 

[tom]

the wiki page mention that you need to configure a valid apt repository.

seems you missed this.

 

[FrankB]

the wiki page mention that you need to configure a valid apt repository.

seems you missed this.

The repo is exactly like the one shown. I'm using the AT.DEBIAN repo instead of the US.DEBIAN.

I think this line in the wiki is the issue:

Make sure that you have uploaded a valid subscription key to your Proxmox VE host. Here is the howto for the CLI:

I think it really is a subscription key issue. I can make a screencast and upload it to youtube of the problem so that you can see that I'm following everything step-by-step, but I think the answer is clear.

 

[fabian]

The repo is exactly like the one shown. I'm using the AT.DEBIAN repo instead of the US.DEBIAN.

I think this line in the wiki is the issue:


I think it really is a subscription key issue. I can make a screencast and upload it to youtube of the problem so that you can see that I'm following everything step-by-step, but I think the answer is clear.

If you don't have a subscription (yet? ), you should enable the pve-no-subscription repository (see https://pve.proxmox.com/wiki/Package_repositories). Otherwise you won't get any updates.