[SOLVED] No network when using custom AppArmor profile

ohmer

Hello,

I'm trying to allow cifs mount inside one container. So I created a new file at /etc/apparmor.d/lxc/lxc-default-cifs with this content:

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cifs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow CIFS mounts.
  mount fstype=cifs,
}

I reloaded the rules with this command:
Code:
apparmor_parser -r /etc/apparmor.d/lxc-containers

Then, I added this line in my CT settings in /etc/pve/lxc/####.conf:
Code:
lxc.aa_profile = lxc-container-default-cifs
or (I saw both online, not sure if they are both valid)
Code:
lxc.aa_profile: lxc-container-default-cifs

Restarted the container. It seems to work, but... instead of a permission denied message when I try to mount my share, I now get network unreachable. The network is indeed not working, ifconfig returns nothing and I cannot ping anything.

If I remove the specific AppArmor profile and restart the CT again, the network works again.

I also tried to configure the CT with the lxc-container-default-with-mounting profile just to test the network issue and I can confirm the problem also appears with this profile.

Did I do something wrong?

Proxmox 4.2-17 with all updates installed.

Thanks.
 
If you're on lxc>=2.0.3 make sure you include the cgns parts in your profile (from the
`lxc-container-default-cgns` profile instead of `lxc-container-default`.)
Other than that... try debugging the container from the inside, maybe start with `# lxc-start -F -n $vmid` to see its sysinit output.
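To see which rules a custom profile lacks compared with the profile the reply points to, the two rule sets can be diffed. This is an added example, not code from the thread: the function names are hypothetical, and the "reference" profile body is a constructed stand-in for the stock `lxc-container-default-cgns` profile, so read the installed file on a real host.

```shell
#!/bin/sh
# Added example, not from the thread: list rules a reference AppArmor profile
# has that a custom profile derived from it lacks.

# Print the rule lines inside the profile body, normalised: indentation
# stripped, blank lines and comments dropped ("#include" is a directive, kept).
profile_rules() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk '/^profile / { inside = 1; next }
             $0 == "}"   { inside = 0 }
             inside && $0 != "" && ($0 !~ /^#/ || $0 ~ /^#include/)' |
        sort -u
}

# missing_rules REFERENCE CUSTOM: rules in REFERENCE that CUSTOM does not have.
missing_rules() {
    ref=$(mktemp) && cus=$(mktemp) || return 1
    profile_rules "$1" > "$ref"
    profile_rules "$2" > "$cus"
    comm -23 "$ref" "$cus"
    rm -f "$ref" "$cus"
}

# Constructed sample input. "reference" stands in for the stock cgns profile
# (assumed content; on a real host read the installed file instead).
demo_dir=$(mktemp -d)
cat > "$demo_dir/reference" <<'EOF'
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # comment lines are ignored by the comparison
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
EOF
# "custom" is the profile posted in the question.
cat > "$demo_dir/custom" <<'EOF'
profile lxc-container-default-cifs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow CIFS mounts.
  mount fstype=cifs,
}
EOF

missing_rules "$demo_dir/reference" "$demo_dir/custom"
```

Each line it prints is a rule to carry over into the custom profile before reloading it with `apparmor_parser -r`; keeping the `deny` rules matters as much as adding the `mount` allowance, since a derived profile should not be broader than the stock one except where intended.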