Mount SCSI device in LXC container - Apparmor denied

pszafer

Mar 13, 2017
Hi,
I'm trying to mount a SCSI tape drive into an LXC container and I cannot figure out how to do it...

My UDEV config looks like this:
Code:
#/etc/udev/rules.d/70-persistent-iscsi.rules
SUBSYSTEM=="scsi_generic",ATTRS{vendor}=="IBM",ATTRS{model}=="ULTRIUM-HH4", SYMLINK="ultrium", MODE="0660", GROUP="tape"

That's what I tried:
Code:
ls -la /dev/ultrium
#lrwxrwxrwx 1 root root 3 Mar  2 16:41 /dev/ultrium -> sg1

ls -la /dev/sg1
#crw-rw---- 1 root tape 21, 1 Mar  2 16:41 /dev/sg1

Code:
#/etc/pve/lxc/100.conf
lxc.cgroup.devices.allow = c 21:* rwm
lxc.mount.entry: /dev/ultrium /st0 none bind 0 0
mp0: /dev/ultrium,mp=st0

It seems that AppArmor denied the mount operation.
Then I tried to change the LXC profile in 100.conf:
Code:
lxc.aa_profile = lxc-default-with-nesting

but then in dmesg I got:
Code:
[895616.890786] audit: type=1400 audit(1489364909.731:159): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/lxc-start" pid=27707 comm="apparmor_parser"
[895617.247092] audit: type=1400 audit(1489364910.087:160): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default" pid=27706 comm="apparmor_parser"
[895617.247415] audit: type=1400 audit(1489364910.087:161): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default-cgns" pid=27706 comm="apparmor_parser"
[895617.247714] audit: type=1400 audit(1489364910.087:162): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default-with-mounting" pid=27706 comm="apparmor_parser"
[895617.248043] audit: type=1400 audit(1489364910.087:163): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default-with-nesting" pid=27706 comm="apparmor_parser"
[895620.356562] EXT4-fs (dm-22): mounted filesystem with ordered data mode. Opts: (null)
[895620.490705] IPv6: ADDRCONF(NETDEV_UP): veth108i0: link is not ready
[895620.491442] device veth108i0 entered promiscuous mode
[895621.013255] device veth108i0 left promiscuous mode
[895621.030181] device veth108i0 entered promiscuous mode
[895621.129417] eth0: renamed from vethS4SK3S
[895622.067073] audit: type=1400 audit(1489364914.907:164): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=27948 comm="mount" flags="rw, remount"

and I'm stuck from there because I don't know what else to try...
 
Try this. Do not forget to restart the container after editing the profile.
Code:
lxc.aa_profile=unconfined
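
Added example, not part of the original thread: parsing the AppArmor audit lines from the question shows which profile was actually enforcing when the mount was refused, which is worth knowing before changing the container's confinement. The function names and the `SAMPLE` constant are assumptions made for illustration; the two sample lines are copied from the dmesg output above.

```python
import re
from collections import Counter

# Constructed sample: two of the audit lines from the dmesg output in the question.
SAMPLE = '''\
[895617.248043] audit: type=1400 audit(1489364910.087:163): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default-with-nesting" pid=27706 comm="apparmor_parser"
[895622.067073] audit: type=1400 audit(1489364914.907:164): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=27948 comm="mount" flags="rw, remount"
'''

# key="quoted value" or key=bare_value; quoted values may hold spaces and commas.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def denials(text):
    """Parsed fields of every line carrying apparmor="DENIED"."""
    parsed = (parse_audit(line) for line in text.splitlines())
    return [f for f in parsed if f and f.get("apparmor") == "DENIED"]

def summarize(text):
    """Count denials by (enforcing profile, operation, target name, flags)."""
    return Counter(
        (f.get("profile"), f.get("operation"), f.get("name"), f.get("flags"))
        for f in denials(text)
    )

def confined_by_other(text, configured):
    """Profiles that issued denials but differ from the one set in the config."""
    seen = {f.get("profile", "?") for f in denials(text)}
    return sorted(p for p in seen if p != configured)

if __name__ == "__main__":
    for (profile, op, name, flags), n in summarize(SAMPLE).items():
        print(f"{n}x profile={profile} operation={op} name={name} flags={flags}")
    # STATUS lines only record profile loads; the DENIED line names the enforcer.
    print(confined_by_other(SAMPLE, "lxc-container-default-with-nesting"))
```

On the sample, the only denial is a `rw, remount` of `/` issued under `lxc-container-default-cgns`, while the `STATUS` lines merely record that the other profiles were loaded by `apparmor_parser`.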
 
