`dmesg` shows the LXC and AppArmor related error:

```
audit: type=1400 audit(1463148399.557:7): apparmor="DENIED" operation="mount"
info="failed flags match" error=-13
profile="lx-container-default" name="/sys/fs/cgroup/" pid=1208 comm="systemd"
flags="ro, nosuid, nodev, noexec, remount, strictatime"
```
Obviously, AppArmor prevents the LXC container from mounting "/sys/fs/cgroup/" as read-writable inside
the container. The `lxc-container-default` profile is defined on the Proxmox host in
`/etc/apparmor.d/lxc/lxc-default`:

```
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
deny mount fstype=devpts,
}
```
and here we are:

```
$ cat /etc/apparmor.d/abstractions/lxc/container-base | grep 'deny /sys/fs/cgroup'
deny /sys/fs/cgroup?*{,/**} wklx,
```
where access controls are present, deny writing to
Somewhere in the Proxmox LXC configuration `cgroups` are mounted read-writable. Debian is using the
[FUSE filesystem for LXC](https://github.com/lxc/lxcfs), which is mounted on the Proxmox host at
`/var/lib/lxcfs`:

```
$ mount | grep fuse.lxcfs
lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
```
from the systemd unit `lxcfs.service`:

```
$ cat /etc/systemd/system/multi-user.target.wants/lxcfs.service
[Unit]
Description=FUSE filesystem for LXC
ConditionVirtualization=!container
Before=lxc.service
[Service]
ExecStart=/usr/bin/lxcfs /var/lib/lxcfs/
KillMode=process
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
ExecStopPost=-/bin/fusermount -u /var/lib/lxcfs
[Install]
WantedBy=multi-user.target
```
and used by LXC's common config:

```
/usr/share/lxc/config/common.conf:lxc.include = /usr/share/lxc/config/common.conf.d/
/usr/share/lxc/config/common.conf.d/00-lxcfs.conf:lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
```
Well, still no idea how to mount it read-only to get rid of the error message. Any suggestions?
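Added example, not part of the original post and not code from Proxmox, LXC or AppArmor: a small parser for the `type=1400` AppArmor audit records that `dmesg` prints, so a denial like the one above can be read field by field instead of by eye. The sample input is constructed from the record in the post (reassembled onto one dmesg line, plus a second copy with serial 8 to show aggregation; the profile name is taken from the profile file, `lxc-container-default`). Note that the `flags` field in the record is what AppArmor compared against the profile's mount rules, and it includes `ro` and `remount`.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed sample, rebuilt from the record in the post above. dmesg emits one
# line per record; the first record is deliberately kept wrapped (as the post
# shows it) to exercise the continuation-line handling. The second record is a
# constructed duplicate with a different serial.
SAMPLE_DMESG = """\
audit: type=1400 audit(1463148399.557:7): apparmor="DENIED" operation="mount"
info="failed flags match" error=-13
profile="lxc-container-default" name="/sys/fs/cgroup/" pid=1208 comm="systemd"
flags="ro, nosuid, nodev, noexec, remount, strictatime"
audit: type=1400 audit(1463148399.558:8): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=1208 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(<epoch seconds>:<serial>) header present once per record.
_HDR_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
_INT_KEYS = {'type', 'pid', 'error'}


def parse_record(line: str) -> Dict[str, object]:
    """Parse one AppArmor audit record into a dict.

    Quoted values lose their quotes, 'flags' becomes a list of mount flags,
    'type'/'pid'/'error' become ints, and the audit(...) header is split into
    'timestamp' and 'serial'.
    """
    rec: Dict[str, object] = {}
    hdr = _HDR_RE.search(line)
    if hdr:
        rec['timestamp'] = float(hdr.group(1))
        rec['serial'] = int(hdr.group(2))
    for key, raw in _KV_RE.findall(line):
        val = raw[1:-1] if raw.startswith('"') else raw
        if key == 'flags':
            rec[key] = [f.strip() for f in val.split(',') if f.strip()]
        elif key in _INT_KEYS:
            rec[key] = int(val)
        else:
            rec[key] = val
    return rec


def iter_records(text: str) -> Iterator[Dict[str, object]]:
    """Yield parsed records from dmesg text; lines without an audit(...) header
    are treated as continuations of the previous record (wrapped output)."""
    buf: List[str] = []
    for line in text.splitlines():
        if _HDR_RE.search(line) and buf:
            yield parse_record(' '.join(buf))
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield parse_record(' '.join(buf))


def describe_mount_denial(rec: Dict[str, object]) -> str:
    """One-line human reading of a mount denial, derived from the flags field."""
    if rec.get('apparmor') != 'DENIED' or rec.get('operation') != 'mount':
        return 'not a mount denial'
    flags = set(rec.get('flags', []))  # type: ignore[arg-type]
    kind = 'remount' if 'remount' in flags else 'mount'
    mode = 'read-only' if 'ro' in flags else 'read-write'
    return (f"profile {rec.get('profile')} denied {rec.get('comm')} "
            f"(pid {rec.get('pid')}) a {mode} {kind} of {rec.get('name')}: "
            f"{rec.get('info')}")


def summarize(text: str) -> Dict[Tuple[object, object, object], int]:
    """Count DENIED records per (profile, operation, name) for triage."""
    counts: Counter = Counter()
    for rec in iter_records(text):
        if rec.get('apparmor') == 'DENIED':
            counts[(rec.get('profile'), rec.get('operation'), rec.get('name'))] += 1
    return dict(counts)


if __name__ == '__main__':
    for rec in iter_records(SAMPLE_DMESG):
        print(describe_mount_denial(rec))
    print(summarize(SAMPLE_DMESG))
```

Run it against `dmesg | grep 'apparmor="DENIED"'` (or the journal) instead of the constructed sample to get a per-profile/per-path count of what is actually being blocked on a host.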