[SOLVED] Privileged LXC container can't get IP (AppArmor)

inDane

Code:
Oct 11 11:10:29 pve-lap systemd[1]: Started PVE LXC Container: 118.
Oct 11 11:10:29 pve-lap pvedaemon[20472]: <root@pam> end task UPID:pve-lap:00000877:10AC5DF9:5DA04703:vzstart:118:root@pam: OK
Oct 11 11:10:30 pve-lap audit[2417]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2417 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.369:230): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2417 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2418]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2418 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.393:231): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2418 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2419]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2419 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.429:232): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2419 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2420]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2420 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.449:233): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2420 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2421]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2421 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.469:234): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2421 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2473]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2473 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.801:235): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2473 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2476]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2476 comm="(d-logind)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.869:236): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2476 comm="(d-logind)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2482]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2482 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.881:237): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2482 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2483]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2483 comm="(d-logind)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.889:238): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2483 comm="(d-logind)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2486]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2486 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2487]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2487 comm="(d-logind)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2490]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2490 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2491]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2491 comm="(d-logind)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2494]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2494 comm="(modprobe)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2495]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2495 comm="(d-logind)" srcname="/" flags="rw, rbind"

It is a fresh "archlinux-base_20190924-1_amd64" template.

Packages are:
proxmox-ve: 6.0-2 (running kernel: 5.0.21-1-pve)
lxc-pve: 3.1.0-64

Is this a known problem? Does anybody know how to fix this?
 
Hi,

try enabling the 'nesting' option.

Is this a known problem?
I think it's an upstream problem between AppArmor and systemd.
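To see which services the denials in the first post affect, the journal excerpt can be summarised with a short script. This is an added example, not part of the thread: the function names are hypothetical, and the sample lines are copied from the log quoted above.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the journal excerpt in the first post.
SAMPLE = """\
Oct 11 11:10:29 pve-lap systemd[1]: Started PVE LXC Container: 118.
Oct 11 11:10:30 pve-lap audit[2417]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2417 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap kernel: audit: type=1400 audit(1570785030.369:230): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2417 comm="(networkd)" srcname="/" flags="rw, rbind"
Oct 11 11:10:30 pve-lap audit[2473]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-118_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2473 comm="(modprobe)" srcname="/" flags="rw, rbind"
"""

# key=value pairs as written by the audit subsystem; values may be quoted.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return unique AppArmor denials as dicts.

    Each event is logged twice (audit[pid] and 'kernel: audit:'), so the
    pair is collapsed on (profile, pid, operation, name).
    """
    seen, events = set(), []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        key = tuple(fields.get(k) for k in ("profile", "pid", "operation", "name"))
        if key not in seen:
            seen.add(key)
            events.append(fields)
    return events


def summarize(events):
    """Map (container id, operation, target, flags) -> sorted comm names."""
    groups = defaultdict(set)
    for e in events:
        m = re.match(r"lxc-(\d+)_", e.get("profile", ""))
        ctid = m.group(1) if m else None
        key = (ctid, e.get("operation"), e.get("name"), e.get("flags"))
        groups[key].add(e.get("comm", "?"))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for (ctid, op, name, flags), comms in summarize(parse_denials(SAMPLE)).items():
        print(f"CT {ctid}: {op} on {name} [{flags}] denied for {', '.join(comms)}")
```

On Proxmox VE the 'nesting' option suggested in the reply is the container feature `nesting=1`, which can be set with `pct set 118 --features nesting=1`. The pct documentation notes that nesting exposes procfs and sysfs contents of the host to the guest.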
 