PVE 9 apparmor errors

tcabernoch

All of my upgraded hosts are throwing this error.
No guests. No LXC containers. No nothing there. Just an empty, upgraded host. Throwing errors.

[353827.192186] audit: type=1400 audit(1780020537.902:27110): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/ntpd" pid=3618 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none

The advice I've seen so far has been fairly light on actual advice.
Mostly it consisted of "go read this", pointing to a page that points to a page, none of which has a full path to resolution.
Even Fiona chimed in and was no help. Sadly. And she usually does try.

Fiona's advice referred to this.
https://pve.proxmox.com/wiki/Roadmap#9.0-known-issues
AppArmor 4
Proxmox VE 9 ships with AppArmor version 4.1. Since this version is relatively new, you might see regressions in packages that are not part of the core Proxmox VE distribution, for example, the CUPS printing daemon.
Most issues with older profiles can be resolved by configuring AppArmor to use the 3.0 ABI by adding the abi <abi/3.0>, rule to the relevant profile. For more details, see the AppArmor Wiki.
There is also a known issue with nested containerization (e.g., Docker inside an LXC container). This issue is tracked as bug #6538.


Well, either that doesn't work, or I need better directions on how to make it work.
This appears to be a global issue in my environment. If you've upgraded any hosts, maybe you'll see it too?
Try this.
dmesg | grep apparmor
 
Hi,
adding the abi version like suggested in the documentation works for me:
Code:
[I] root@pve9a1 ~# head /etc/apparmor.d/usr.sbin.ntpd 
# vim:syntax=apparmor
#include <tunables/global>

abi <abi/3.0>,

/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # conf

The warning was present before, when booting without the modification, but not anymore with the next boot.
 
This appears to have worked.

nano /etc/apparmor.d/usr.sbin.ntpd

Insert this after the comments, before the code.
Save. Reboot.

abi <abi/3.0>,

I have a 4-node Ceph cluster. None of those had the ntpd file.
I've not modified ntpd on these hosts.

I found one standard server that did not have the /etc/apparmor.d/usr.sbin.ntpd file.
It also did not have the errors in the log or on the local console during boot.
Dunno what's different about that box.
 
IIRC older PVE installs may have had the full debian ntp package. Newer installations and guides recommend chrony.
 
Thanks.
I think perhaps the installs that did not have the ntpd apparmor issue were fresh from ISO, and not upgrades.
It's hard to tell at this point. I've got a lot of servers to manage, and no help. Things get hectic.
I switched to chrony at some point but I cannot remember if I was using systemd-timesyncd or full ntpd. Either way, AIUI `apt install chrony` will warn about removal of a conflicting package. My preference would be for switching time daemon rather than editing apparmor's package files. You could double-check which package is involved: `dpkg -S /etc/apparmor.d/*ntp*`
 
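As an added example (not code from any poster in this thread): a small shell helper that applies the fix discussed above only once, inserting `abi <abi/3.0>,` after the leading comment/#include header and before the first profile line exactly as in the working profile shown earlier, plus a counter for DENIED audit lines of one profile in dmesg output so you can confirm the denials stop. The second log line in the sample is constructed; the first is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers around the fix discussed
# above (adding the 3.0 ABI rule to /etc/apparmor.d/usr.sbin.ntpd).

# Insert "abi <abi/3.0>," once, after the leading comment and #include header
# and before the first profile line, as in the working profile quoted above.
# Prints "added" or "present" so the caller knows whether the file changed.
add_abi_rule() {
    profile="$1"
    if grep -Eq '^[[:space:]]*abi[[:space:]]+<abi/' "$profile"; then
        echo present
        return 0
    fi
    tmp="$(mktemp)"
    awk '
        !done && $0 !~ /^[[:space:]]*#/ && $0 !~ /^[[:space:]]*$/ {
            print "abi <abi/3.0>,"; print ""; done = 1
        }
        { print }
        END { if (!done) print "abi <abi/3.0>," }
    ' "$profile" > "$tmp"
    cat "$tmp" > "$profile"   # overwrite in place, keeping owner and mode
    rm -f "$tmp"
    echo added
}

# Count AppArmor DENIED audit lines for one profile in kernel log text read
# from stdin, e.g.:  dmesg | count_denials /usr/sbin/ntpd
count_denials() {
    grep -c "apparmor=\"DENIED\".*profile=\"$1\"" || true
}

# Constructed sample: the first line is the denial quoted in the thread, the
# second is a made-up non-DENIED status line that must not be counted.
SAMPLE_DMESG='[353827.192186] audit: type=1400 audit(1780020537.902:27110): apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/ntpd" pid=3618 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
[353827.300000] audit: type=1400 audit(1780020538.000:27111): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=3700 comm="apparmor_parser"'

# Typical use on a host (as root), then reload without a reboot:
#   add_abi_rule /etc/apparmor.d/usr.sbin.ntpd
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
#   dmesg | count_denials /usr/sbin/ntpd
```

`apparmor_parser -r` replaces the loaded profile immediately; a reboot, as done in the thread, also works. Running `dpkg -S` on the profile first tells you which package owns it, which matters because a package upgrade may overwrite the edited file.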