New privileged LXC container fails to start network due to apparmor permissions

asahiguy

New Member
May 3, 2025
Greetings.

Big-time Proxmox fan here, but I just stumbled on something and I don't know: is it a bug? Is it by design?
I am running Proxmox 8.3.4 on an Intel x86_64 PC.
I am using the "pve-no-subscription" repository and all packages are up to date as of today (3rd May 2025).

  1. I created an LXC container based on Ubuntu 24.04 LTS, downloaded from the templates library.
  2. I UNTICKED the unprivileged box.
  3. I assigned a static IP (it didn't work with DHCP either).
  4. I booted the container.

First thing I notice: there's no console. Just a black screen and a cursor.
Second thing I notice: there's no network. I log into the container and check the network; it says it's down.

2: eth0@if15: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether bc:24:11:dd:dd:50 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Setting it to UP makes no difference.

I check the logs: nothing useful.
I check the kernel ring buffer: lots and lots of errors from AppArmor about my new container, and I see DENIED (a lot).
Small snippet:
Code:
[2159192.899519] audit: type=1400 audit(1746226570.170:740): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-101_</var/lib/lxc>" name="/dev/" pid=3442760 comm="(sd-mkdcreds)" flags="rw, rslave"

Repeated many times.

The container config after creating it via the GUI:

root@pve3:~# cat /etc/pve/lxc/101.conf

Code:
arch: amd64
cores: 2
hostname: zerotier
memory: 512
net0: name=eth0,bridge=vmbr0,gw=10.10.10.1,hwaddr=BC:24:11:DD:DD:50,ip=10.10.10.11/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-zfs:subvol-101-disk-0,mountoptions=discard,size=8G
swap: 512

After adding this line to the .conf file

Code:
lxc.apparmor.profile = unconfined


and rebooting the container, networking works, either DHCP or static.
So, I'm sure I'm not the first person to discover this, but googling it found nothing but people on Reddit from years ago with unrelated issues. Maybe my Google-fu isn't up to the task, but I searched with stuff like "proxmox lxc container privileged no networking".

My question is: is this a bug? By design?

In my humble opinion, if you untick the unprivileged box, I would hope that the config creation method would put this line in the config so that the networking will work.
Otherwise it may confuse people. Now I wonder, is that done on purpose, so people deliberately have to do this? Is there a better way to do it than my unconfined statement in the config?

I guess what I'm saying is, should the GUI/LXC creation method have dealt with this problem, or not? If not, perhaps users should be warned about this?
Hi,

I will try to reproduce the issue in my lab. But could you please confirm whether other OSes like Debian also have this issue, or only `Ubuntu 24.04 LTS`?
Hi

Good test idea!
I tested Debian (12): it worked fine, I didn't need to make any changes to the config.

I tested Ubuntu 24.04 LTS again: same problem. The template it downloaded (from the template library in the GUI) was Ubuntu-24.04-2_amd64.tar.zst.
I tested Ubuntu 22.04 << works fine.

Then I tested Arch Linux (archlinux-base_20240911-1_amd64.tar.zst) << Does NOT work. Same problem.

Code:
sh-5.2# cat /etc/issue
Arch Linux \r (\l)

sh-5.2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether bc:24:11:31:5c:ce brd ff:ff:ff:ff:ff:ff link-netnsid 0

root@pve3:/etc/pve/lxc# cat 102.conf
arch: amd64
cores: 1
hostname: arch
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.10.10.1,hwaddr=BC:24:11:31:5C:CE,ip=10.10.10.123/24,type=veth
ostype: archlinux
rootfs: local-zfs:subvol-102-disk-0,size=8G
swap: 512

Kernel ring buffer after booting the Arch Linux container:

[249748.908300] audit: type=1400 audit(1746528614.799:849): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-102_</var/lib/lxc>" name="/dev/" pid=999218 comm="(sd-mkdcreds)" flags="rw, rslave"
[249748.912763] audit: type=1400 audit(1746528614.804:850): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-102_</var/lib/lxc>" name="/dev/" pid=999219 comm="(sd-mkdcreds)" flags="rw, rslave"
I checked both the working Debian and Ubuntu 22.04 configs, and neither has any special AppArmor config in the .conf in /etc/pve/lxc.


Thanks.
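Added example (not code from the thread or from Proxmox): a small Python helper that parses the AppArmor audit lines quoted in this thread, tallies DENIED mount events per container profile and extracts the Proxmox container ID, and checks whether a /etc/pve/lxc/<id>.conf carries the `lxc.apparmor.profile = unconfined` workaround, so an admin can see which containers are generating denials and which have been left unconfined. The sample dmesg text and the sample config are constructed from the formats shown above.

```python
import re
from collections import Counter

# Constructed sample: two audit lines in the format quoted in this thread,
# plus one unrelated kernel line the parser must ignore.
SAMPLE_DMESG = """\
[249748.908300] audit: type=1400 audit(1746528614.799:849): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-102_</var/lib/lxc>" name="/dev/" pid=999218 comm="(sd-mkdcreds)" flags="rw, rslave"
[249748.912763] audit: type=1400 audit(1746528614.804:850): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-102_</var/lib/lxc>" name="/dev/" pid=999219 comm="(sd-mkdcreds)" flags="rw, rslave"
[249749.000000] vmbr0: port 2(veth102i0) entered forwarding state
"""

# Constructed sample config in the /etc/pve/lxc/<id>.conf format, with the workaround applied.
SAMPLE_CONF = "arch: amd64\nhostname: arch\nostype: archlinux\nlxc.apparmor.profile = unconfined\n"

# AppArmor quotes its values, so spaces inside e.g. flags="rw, rslave" survive.
# Unquoted fields such as error=-13 and pid=... are deliberately not captured.
_KV = re.compile(r'(\w+)="([^"]*)"')

def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return dict(_KV.findall(line))

def summarize_denials(text):
    """Count DENIED events keyed by (profile, operation, name, comm, flags)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get('apparmor') == 'DENIED':
            counts[(ev.get('profile', ''), ev.get('operation', ''), ev.get('name', ''),
                    ev.get('comm', ''), ev.get('flags', ''))] += 1
    return counts

def container_id_from_profile(profile):
    """Map a profile such as 'lxc-102_</var/lib/lxc>' to the Proxmox CT ID '102'."""
    m = re.match(r'lxc-(\d+)_', profile)
    return m.group(1) if m else None

def is_unconfined(conf_text):
    """True if the container config switches AppArmor off with lxc.apparmor.profile = unconfined."""
    for line in conf_text.splitlines():
        key, _, value = line.partition('=')
        if key.strip() == 'lxc.apparmor.profile' and value.strip() == 'unconfined':
            return True
    return False

if __name__ == '__main__':
    for (profile, op, name, comm, flags), n in summarize_denials(SAMPLE_DMESG).items():
        print(f"CT {container_id_from_profile(profile)}: {n}x {op} {name} by {comm} ({flags})")
    print("unconfined:", is_unconfined(SAMPLE_CONF))
```

Run it against `dmesg` output and the relevant .conf files; a container that both appears in the denial summary and reports `unconfined: False` is one where the workaround has not been applied.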
 
Curious if you had any solution or stuck with Debian? I too have been going a bit nuts with this. I had tried Ubuntu 24.04 unprivileged and it was fine, but with privileged: no console and no network. If I changed the console to shell, I would at least get the shell. I found that if I deleted the network interface and rebuilt it, I would have network, well, until reboot. I will try with Debian next.
 
Curious if you had any solution or stuck with Debian? I too have been going a bit nuts with this. I had tried Ubuntu 24.04 in unprivileged and it was fine, but with privileged no console and no network. If I changed the console to shell, I would at least get the shell. I found if I deleted the network interface and rebuild it, I would have network, well until reboot. I will try with Debian next.
I just put this in the container's .conf and don't worry too much, as it's all firewalled anyway:

lxc.apparmor.profile = unconfined