snapd in privileged ubuntu container?

chiem
Jan 29, 2022
apt install snapd gives me:

Code:
apparmor_parser: Unable to replace "mount-namespace-capture-helper".  Permission denied; attempted to load a profile while confined?
apparmor_parser: Unable to replace "/usr/lib/snapd/snap-confine".  Permission denied; attempted to load a profile while confined?
 
Works for me. What is your "pveversion -v"? Which container image are you using? Did you change anything?
 
Code:
# pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.13.19-6-pve)
pve-manager: 7.1-11 (running version: 7.1-11/8d529482)
pve-kernel-helper: 7.1-13
pve-kernel-5.13: 7.1-9
pve-kernel-5.13.19-6-pve: 5.13.19-14
pve-kernel-5.13.19-4-pve: 5.13.19-9
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-6
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-5
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.5-1
proxmox-backup-file-restore: 2.1.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-7
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-6
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.1-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-1
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.2-pve1

I'm not sure how to identify what container image was used. The container was created using this script:

https://raw.githubusercontent.com/tteck/Proxmox/main/ct/plex_container.sh
 
Note also that you can disable AppArmor, but that naturally reduces security boundaries close to being non-existent: https://pve.proxmox.com/pve-docs/chapter-pct.html#_apparmor

The following would also be interesting:
Bash:
pct config VMID
cat /var/lib/lxc/VMID/config

I tried disabling AppArmor, but I'm still getting the same error.

Code:
# pct config 111
arch: amd64
cores: 4
description: plex, tautulli
features: nesting=1
hostname: plex
memory: 4096
net0: name=eth0,bridge=vmbr0,hwaddr=0E:D4:06:C3:8F:4E,ip=dhcp,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-zfs:subvol-111-disk-0,size=128G
startup: order=1
swap: 512
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.cgroup2.devices.allow: c 29:0 rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/fb0 dev/fb0 none bind,optional,create=file
lxc.apparmor.profile: unconfined

Code:
# cat /var/lib/lxc/111/config
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/111
lxc.cgroup.dir.container = lxc/111
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.monitor.unshare = 1
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = plex
lxc.cgroup2.memory.max = 4294967296
lxc.cgroup2.memory.swap.max = 536870912
lxc.rootfs.path = /var/lib/lxc/111/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth111i0
lxc.net.0.hwaddr = 0E:D4:06:C3:8F:4E
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.devices.allow = c 226:0 rwm
lxc.cgroup2.devices.allow = c 226:128 rwm
lxc.cgroup2.devices.allow = c 29:0 rwm
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/fb0 dev/fb0 none bind,optional,create=file
lxc.apparmor.profile = unconfined
lxc.cgroup2.cpuset.cpus = 1-4
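Added example, not code from the thread, Proxmox or LXC: a POSIX shell audit that reads `pct config` output and flags the settings discussed above, with `lxc.apparmor.profile: unconfined` treated as critical because, as the reply above notes, it removes the AppArmor boundary almost entirely. The function name and the sample config are constructed assumptions, modelled on the plex container config posted above.

```shell
#!/bin/sh
# Audit a Proxmox CT config (text as printed by `pct config VMID`) for settings
# that widen the container's security boundary. Added example; audit_pct_config
# and the sample config are constructed, not Proxmox or LXC tooling.

# Constructed sample modelled on the plex container config posted in the thread.
SAMPLE_CONFIG='arch: amd64
cores: 4
features: nesting=1
hostname: plex
ostype: ubuntu
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.apparmor.profile: unconfined'

# audit_pct_config "config text"
# Prints one finding per line. Exit status: 2 if lxc.apparmor.profile is
# unconfined (AppArmor boundary effectively gone), 1 if only the weaker
# findings (nesting, raw devices, host bind mounts) are present, 0 if clean.
audit_pct_config() {
    cfg=$1
    rc=0
    weak=0
    if printf '%s\n' "$cfg" | grep -q '^lxc\.apparmor\.profile: *unconfined'; then
        echo "CRITICAL: lxc.apparmor.profile=unconfined (no AppArmor confinement)"
        rc=2
    fi
    if printf '%s\n' "$cfg" | grep -q '^features:.*nesting=1'; then
        echo "WARN: nesting=1 (exposes procfs/sysfs contents to the guest)"
        weak=1
    fi
    # grep -c prints 0 and exits 1 when nothing matches; keep the count, ignore the status.
    ndev=$(printf '%s\n' "$cfg" | grep -c '^lxc\.cgroup2\.devices\.allow:') || true
    if [ "$ndev" -gt 0 ]; then
        echo "WARN: $ndev raw host device rule(s) (lxc.cgroup2.devices.allow)"
        weak=1
    fi
    nmnt=$(printf '%s\n' "$cfg" | grep -c '^lxc\.mount\.entry: */') || true
    if [ "$nmnt" -gt 0 ]; then
        echo "WARN: $nmnt host path(s) bind-mounted into the container (lxc.mount.entry)"
        weak=1
    fi
    if [ "$rc" -eq 0 ] && [ "$weak" -eq 1 ]; then rc=1; fi
    return "$rc"
}

# Run against the sample; on a host you would pass "$(pct config 111)" instead.
audit_pct_config "$SAMPLE_CONFIG" || echo "exit status: $? (2 = unconfined, 1 = weakened)"
```

For the sample above the audit prints four findings and exits with status 2.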
 
I am having the same problem. Has anyone found a solution to this?
Here is my pveversion -v:
Code:
proxmox-ve: 7.1-1 (running kernel: 5.13.19-2-pve)
pve-manager: 7.1-12 (running version: 7.1-12/b3c09de3)
pve-kernel-helper: 7.1-14
pve-kernel-5.13: 7.1-9
pve-kernel-5.11: 7.0-10
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-7
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-5
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.6-1
proxmox-backup-file-restore: 2.1.6-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-9
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-6
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.2.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-1
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1

And cat /var/lib/lxc/vmid/config:
Code:
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/105
lxc.cgroup.dir.container = lxc/105
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.apparmor.raw = mount fstype=fuse,
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
lxc.monitor.unshare = 1
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = xxx.yyy.com
lxc.cgroup2.memory.max = 4328521728
lxc.cgroup2.memory.swap.max = 1174405120
lxc.rootfs.path = /var/lib/lxc/105/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth105i0
lxc.net.0.hwaddr = 02:00:00:0f:c5:49
lxc.net.0.name = eno1
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.mount.auto = cgroup:rw
lxc.mount.auto = sys:rw
lxc.cgroup2.cpuset.cpus = 1,3,5
 
Did this ever get resolved? I basically can't use any recent Ubuntu container, because basic apps such as Firefox are now snaps.
 
...Encouraging. I guess I'll have to avoid updated Ubuntu versions such as 22.04 and so on. I'll stick on 20.04 for the time being.