[SOLVED] Privileged LXC with Arch fails to start network and systemd-nspawn

Chais

Dec 1, 2018
First off, I know that AppArmor is horribly broken right now. But if I understood that correctly this issue only affects unprivileged containers. Correct me if I'm wrong.

I created a privileged container with archlinux-base_20190124. Config:
Code:
arch: amd64
cores: 2
hostname: repo
memory: 2048
net0: name=eth0,bridge=vmbr0,gw=192.168.1.1,hwaddr=E6:87:AE:D7:3B:99,ip=192.168.1.50/24,type=veth
ostype: archlinux
rootfs: local-lvm:vm-103-disk-0,size=20G
swap: 512

Due to AppArmor (I think) I have to bring up the interface manually. But at least it works afterwards.
However, I want to use this container to host my own repository for Arch and build packages in a chroot. Arch uses systemd-nspawn for that purpose.
When running mkarchroot it builds the chroot, installs all the packages, but then fails with this error:

Code:
Failed to mount n/a (type n/a) on / (MS_REC|MS_SLAVE ""): Permission denied
Short read while reading cgroup mode (0 bytes). The child is most likely dead.

Trying to build a package in a chroot based on the newly created one fails with the same error.
Any ideas what I could do here? Other than just switching off AppArmor completely for this container?
 
In the Container Option Tab on our web GUI there's a Feature entry, which is only editable as root@pam at the time of writing. There you can enable nesting (translates to lxc.apparmor.allow_nesting=1).
Or:
Code:
pct set VMID -features 'nesting=1'
 
Hi Thomas,

that did it. Oddly enough it also seems to have helped getting the interface up and connected when the container starts. Perhaps due to systemd's extensive use of containerisation.
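
An added example, not part of the thread or of Proxmox's own tooling: a shell check that reports, per container config, whether the container is privileged and whether its `features` line includes `nesting=1`, the combination the fix above produces. The function names and the sample config are constructed here; `/etc/pve/lxc` as the config directory is an assumption about a standard Proxmox VE host.

```shell
#!/bin/sh
# Classify one container config (key: value format as in the thread),
# read from stdin. Prints "<privileged|unprivileged>,<nesting|no-nesting>".
classify_ct_conf() {
    awk '
        /^\[/ { exit }   # snapshot sections follow; only the live config counts
        /^unprivileged:[ \t]*1[ \t]*$/ { unpriv = 1 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", f[i])
                if (f[i] == "nesting=1") nest = 1
            }
        }
        END {
            printf "%s,%s\n", (unpriv ? "unprivileged" : "privileged"), \
                              (nest ? "nesting" : "no-nesting")
        }
    '
}

# Constructed sample: the thread's container after
# pct set VMID -features 'nesting=1' (network and rootfs lines omitted).
sample_conf() {
    cat <<'EOF'
arch: amd64
cores: 2
features: nesting=1
hostname: repo
memory: 2048
ostype: archlinux
swap: 512
EOF
}

# Print "<VMID> <classification>" for every *.conf in a directory.
# Assumed usage on a host: audit_dir /etc/pve/lxc
audit_dir() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s %s\n' "$(basename "$conf" .conf)" \
            "$(classify_ct_conf < "$conf")"
    done
}

sample_conf | classify_ct_conf
```

A config without an `unprivileged: 1` line is reported as privileged, which matches the container in this thread.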
 
