New issues with rootless podman & apparmor in unprivileged container

el_pedr0
Aug 5, 2016
I have installed podman 4.3.9 on Ubuntu 22.04 in an LXC container that's running on Proxmox 8.2.7.

When I run
podman run --name basic_httpd -dt -p 8080:80/tcp docker.io/nginx

The container produces the following error message:
Code:
podman@pods:~$ podman run --name basic_httpd -dt -p 8080:80/tcp docker.io/nginx
Trying to pull docker.io/library/nginx:latest...
Error: initializing source docker://nginx:latest: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 1.1.1.1:53: dial udp 1.1.1.1:53: socket: permission denied

And the DENIED messages in dmesg on the Proxmox host corresponding to that event are:
Code:
~# dmesg | grep DENIED
[508536.959018] audit: type=1400 audit(1729772097.707:20702): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834654 comm="pasta.avx2" family="inet" sock_type="stream" protocol=6 requested="create" denied="create"
[508551.465949] audit: type=1400 audit(1729772112.212:20704): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834837 comm="podman" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"

If I unconfine apparmor by adding this in the conf:
Code:
lxc.apparmor.profile: unconfined

My podman run command gets a bit further, but then encounters a different error:
Code:
podman@pods:~$ podman run --name basic_httpd -dt -p 8080:80/tcp docker.io/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 6476794e50f4 done   |
Copying blob a480a496ba95 done   |
Copying blob 11d6fdd0e8a7 done   |
Copying blob f3ace1b8ce45 done   |
Copying blob f1091da6fd5c done   |
Copying blob 40eea07b53d8 done   |
Copying blob 70850b3ec6b2 done   |
Copying config 3b25b682ea done   |
Writing manifest to image destination
Error: crun: mount `proc` to `proc`: Operation not permitted: OCI permission denied

If these problems aren't related, I'd like to resolve the apparmor problem first without simply unconfining it completely. I'd be grateful for any steps that I can take to resolve it or investigate further.
 
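The two audit lines above already say which policy and which socket types are involved: profile "podman", class "net", family "inet", sock_type "stream" (from pasta) and "dgram" (from podman's DNS lookup), and a namespace of root//lxc-128_<-var-lib-lxc>, which is the nested AppArmor policy namespace of the container rather than the host's own policy. The following script is an added example (not code from the post, and not a Proxmox or podman tool): it parses AppArmor DENIED lines of this form and turns each class="net" denial into the narrowest AppArmor network rule that would permit it, grouped by namespace and profile. The sample input embeds the two lines from the post plus one constructed non-denial line to show that other records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AppArmor DENIED lines quoted in the post,
# plus one made-up ALLOWED line to show that non-denials are ignored.
SAMPLE_DMESG = """\
[508536.959018] audit: type=1400 audit(1729772097.707:20702): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834654 comm="pasta.avx2" family="inet" sock_type="stream" protocol=6 requested="create" denied="create"
[508551.465949] audit: type=1400 audit(1729772112.212:20704): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834837 comm="podman" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
[508552.000000] audit: type=1400 audit(1729772113.000:20705): apparmor="ALLOWED" operation="open" class="file" profile="podman" name="/etc/hosts" pid=834837 comm="podman"
"""

# key=value pairs: values are either double-quoted (may contain spaces and
# punctuation, e.g. the namespace) or bare tokens such as pid=834654.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line in `text`.

    Lines that are not AppArmor denials (ALLOWED, other audit types, unrelated
    kernel output) are skipped rather than parsed.
    """
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
        records.append(fields)
    return records


def suggest_rule(rec):
    """Map one denial record to the narrowest AppArmor rule that would permit it.

    Only class="net" socket creation is handled, because that is what the
    post's log shows; any other class returns None so nothing is guessed.
    """
    if rec.get("class") == "net" and rec.get("operation") == "create":
        # AppArmor network rule grammar: network <family> <type>,
        return f"network {rec['family']} {rec['sock_type']},"
    return None


def rules_by_profile(records):
    """Group suggested rules by (AppArmor namespace, profile).

    The namespace tells the operator whether the policy lives on the host
    (root) or inside a container's nested policy namespace (root//lxc-...).
    """
    out = defaultdict(set)
    for rec in records:
        rule = suggest_rule(rec)
        if rule:
            out[(rec.get("namespace", "root"), rec["profile"])].add(rule)
    return dict(out)


if __name__ == "__main__":
    grouped = rules_by_profile(parse_apparmor_denials(SAMPLE_DMESG))
    for (ns, profile), rules in grouped.items():
        print(f"namespace={ns} profile={profile}")
        for rule in sorted(rules):
            print(f"  {rule}")
```

Run against the post's log this yields two rules, `network inet dgram,` and `network inet stream,`, for profile podman in namespace root//lxc-128_<-var-lib-lxc>. Because the namespace is the container's nested one, the profile to change is the podman profile loaded inside the Ubuntu guest (reload it with `apparmor_parser -r` on its profile file after editing), not the LXC profile on the host. Adding those two rules is far narrower than `lxc.apparmor.profile: unconfined`, which removes host-side confinement for the whole container. The later `mount proc` failure is a separate container-runtime error that this log triage does not cover.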
Has anyone else got rootless podman working on Proxmox 8.2? I still haven't been able to crack this.

I did have a similar rootless podman running in an unprivileged container back in January, but that was on an older Proxmox version and an older Ubuntu.
 
