I have installed podman 4.3.9 on ubuntu 22.04 in an lxc that's running on Proxmox 8.2.7.
When I run
podman run --name basic_httpd -dt -p 8080:80/tcp docker.io/nginx
The container produces the following error message:
Code:
podman@pods:~$ podman run --name basic_httpd -dt -p 8080:80/tcp docker.io/nginx
Trying to pull docker.io/library/nginx:latest...
Error: initializing source docker://nginx:latest: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 1.1.1.1:53: dial udp 1.1.1.1:53: socket: permission denied
And the denied messages in dmesg in the proxmox corresponding to that event are:
Code:
~# dmesg | grep DENIED
[508536.959018] audit: type=1400 audit(1729772097.707:20702): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834654 comm="pasta.avx2" family="inet" sock_type="stream" protocol=6 requested="create" denied="create"
[508551.465949] audit: type=1400 audit(1729772112.212:20704): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834837 comm="podman" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
If I unconfine apparmor by adding this in the conf:
Code:
lxc.apparmor.profile: unconfined
My podman run command gets a bit further, but then encounters a different error:
Code:
podman@pods:~$ podman run --name basic_httpd -dt -p 8080:80/tcp docker.io/nginx
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 6476794e50f4 done |
Copying blob a480a496ba95 done |
Copying blob 11d6fdd0e8a7 done |
Copying blob f3ace1b8ce45 done |
Copying blob f1091da6fd5c done |
Copying blob 40eea07b53d8 done |
Copying blob 70850b3ec6b2 done |
Copying config 3b25b682ea done |
Writing manifest to image destination
Error: crun: mount `proc` to `proc`: Operation not permitted: OCI permission denied
If these problems aren't related, I'd like to resolve the apparmor problem first without simply unconfining it completely. I'd be grateful for any steps that I can take to resolve it or investigate further.
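One way to investigate the AppArmor side without unconfining the whole LXC is to parse the `apparmor="DENIED"` audit records and summarise exactly which socket families and types the `podman` profile was refused, so that a minimal `network` rule can be added instead. The script below is an added example, not code from the post or from the podman or Proxmox projects; the sample input is the two DENIED lines quoted above plus one constructed non-denial record, and the `network <family> <type>,` rule syntax it emits is an assumption about where the fix would go, not a solution the post confirms.

```python
import re
from collections import Counter

# Constructed sample input: the two DENIED records from dmesg above plus one
# constructed STATUS record, included to show that non-denials are skipped.
SAMPLE_DMESG = """\
[508536.959018] audit: type=1400 audit(1729772097.707:20702): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834654 comm="pasta.avx2" family="inet" sock_type="stream" protocol=6 requested="create" denied="create"
[508551.465949] audit: type=1400 audit(1729772112.212:20704): apparmor="DENIED" operation="create" class="net" namespace="root//lxc-128_<-var-lib-lxc>" profile="podman" pid=834837 comm="podman" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
[508560.000000] audit: type=1400 audit(1729772120.000:20705): apparmor="STATUS" operation="profile_load" profile="unconfined" name="podman" pid=1 comm="apparmor_parser"
"""

# Matches key="quoted value" or key=bare_value anywhere in an audit record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None
    if the line is not an AppArmor record at all."""
    if 'apparmor="' not in line:
        return None
    # findall yields (key, quoted, bare); exactly one of the two is non-empty.
    return {k: q or b for k, q, b in _KV.findall(line)}


def denied_net_sockets(text):
    """Count DENIED socket creations keyed by (profile, comm, family, type)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("class") != "net":
            continue
        counts[(f["profile"], f["comm"], f["family"], f["sock_type"])] += 1
    return counts


def candidate_rules(counts):
    """Smallest set of AppArmor network rules that would cover the denials.
    Assumption: standard profile-language syntax `network <family> <type>,`;
    which profile (the podman profile inside the LXC, or the container's own
    profile on the host) needs them is what the post is still asking."""
    return sorted({f"network {fam} {typ}," for (_, _, fam, typ) in counts})


if __name__ == "__main__":
    # Pipe real output in with: dmesg | grep DENIED | python3 this_script.py
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    summary = denied_net_sockets(src)
    for (profile, comm, fam, typ), n in summary.items():
        print(f"{n:3d}x profile={profile} comm={comm} {fam}/{typ}")
    print("\n".join(candidate_rules(summary)))
```

Running it against the post's own records yields two distinct denials (a TCP stream socket from `pasta.avx2` and a UDP datagram socket from `podman`, the latter matching the `dial udp 1.1.1.1:53` failure), which is far narrower than what `lxc.apparmor.profile: unconfined` grants.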