[SOLVED] Privileged Container Won't Use DHCP? [AppArmor error -13 issues?]

scyto

Aug 8, 2023
I set up a fresh Proxmox install using the latest 8.3-1 ISO and performed a full update using the non-enterprise repository.

My first container, which I set up using the Ubuntu 24.04-2 template, got a DHCP address fine; then I realized I needed a privileged container for what I was doing.

So I deleted the first container and recreated it with unprivileged = ; however, it won't get a DHCP address, and
Code:
ip a
shows the interface as down inside the container (and yes, it's correctly set to vmbr0).

In the logs I see a lot of errors like this:

Code:
Nov 29 15:23:46 pve-test kernel: audit: type=1400 audit(1732922626.817:2493): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/dev/" pid=55110 comm="(sd-gens)" flags="ro, remount, bind"
Nov 29 15:23:46 pve-test kernel: audit: type=1400 audit(1732922626.817:2494): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/" pid=55110 comm="(sd-gens)" flags="ro, remount, bind"
Nov 29 15:24:08 pve-test audit[56243]: AVC apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/mount-rootfs/" pid=56243 comm="(d-logind)" srcname="/" flags="rw, rbind"
Nov 29 15:24:08 pve-test audit[56221]: AVC apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined" pid=56221 comm="apparmor_parser"
Nov 29 15:24:08 pve-test audit[56391]: AVC apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/dev/" pid=56391 comm="(sd-mkdcreds)" flags="rw, rslave"

I turned off all firewalls (just in case).

Any ideas?
nesting = 1 fixed it. This begs the question:
  1. Why does nesting get disabled when making the container privileged for this template, if it is required?
  2. Why does the create CT wizard grey out the nesting option when privileged is set?
  3. Why does console mode not get set to shell for this template (it is required to attach to the console when privileged)? Yes, a bonus unrelated issue.
(And of course I found this 10 minutes after posting the above, sigh; I was comparing the settings of the working and broken containers.)
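As an added example (not from the thread or from Proxmox): a small Python parser that pulls the key=value fields out of AppArmor audit lines like the ones quoted above and counts mount denials per lxc-<id> profile, so this symptom can be spotted in the host journal before anyone notices the CT has no address. The `pct config` command in the closing hint is Proxmox's CLI for printing a CT's configuration and is assumed from outside the thread.

```python
import re
from collections import Counter

# Sample input: the AppArmor audit lines quoted in the thread above (CT 100).
SAMPLE_LOG = """\
Nov 29 15:23:46 pve-test kernel: audit: type=1400 audit(1732922626.817:2493): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/dev/" pid=55110 comm="(sd-gens)" flags="ro, remount, bind"
Nov 29 15:23:46 pve-test kernel: audit: type=1400 audit(1732922626.817:2494): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/" pid=55110 comm="(sd-gens)" flags="ro, remount, bind"
Nov 29 15:24:08 pve-test audit[56243]: AVC apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/run/systemd/mount-rootfs/" pid=56243 comm="(d-logind)" srcname="/" flags="rw, rbind"
Nov 29 15:24:08 pve-test audit[56221]: AVC apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-100_</var/lib/lxc>//&:lxc-100_<-var-lib-lxc>:unconfined" pid=56221 comm="apparmor_parser"
Nov 29 15:24:08 pve-test audit[56391]: AVC apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-100_</var/lib/lxc>" name="/dev/" pid=56391 comm="(sd-mkdcreds)" flags="rw, rslave"
"""
# key=value fields; quoted values may contain spaces (flags="ro, remount, bind").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LXC_PROFILE_RE = re.compile(r'^lxc-(\d+)_')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def summarize_denials(log_text):
    """Count DENIED events keyed by (profile, operation, target path)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f and f.get('apparmor') == 'DENIED':
            counts[(f.get('profile'), f.get('operation'), f.get('name'))] += 1
    return counts


def containers_with_mount_denials(log_text):
    """Map CT id -> number of mount denials under its lxc-<id>_ profile.

    A burst of these while a privileged CT boots is the symptom the thread
    traces to nesting being off; the reported fix is features: nesting=1.
    """
    per_ct = Counter()
    for (profile, operation, _path), n in summarize_denials(log_text).items():
        m = LXC_PROFILE_RE.match(profile or '')
        if m and operation == 'mount':
            per_ct[m.group(1)] += n
    return dict(per_ct)


if __name__ == '__main__':
    for ct, n in containers_with_mount_denials(SAMPLE_LOG).items():
        print(f"CT {ct}: {n} mount denials; check its features with: pct config {ct}")
```

On a live host the same functions can be fed the output of `journalctl -k` for the boot window of the container.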