systemctl status degraded, apparmor.service fails, in fresh Ubuntu 18.04 container

BenignlyLoopy

Nov 10, 2018
I have several services running on Ubuntu 16.04 containers and was considering moving them to Ubuntu 18.04 containers.

But (on the latest Proxmox version), fresh Ubuntu 18.04 containers, when booted, are showing up as degraded.

root@test2:~# systemctl status
* test2
State: degraded
Jobs: 0 queued
Failed: 1 units

The one failed unit inside the container is apparmor.service:

root@test2:~# systemctl list-units --state=failed
UNIT LOAD ACTIVE SUB DESCRIPTION
* apparmor.service loaded failed failed AppArmor initialization

Manual attempts to start this service fail. The errors are as follows:

root@test2:~# systemctl status apparmor.service
* apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2018-11-10 16:10:49 UTC; 3min 3s ago
...
Process: 416 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)
Main PID: 416 (code=exited, status=123)
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: ...fail!
Nov 10 16:10:49 test2 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Nov 10 16:10:49 test2 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 10 16:10:49 test2 systemd[1]: Failed to start AppArmor initialization.

Ubuntu 16.04 containers don't have this problem.

Any ideas what is going on here?
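
Added example, not part of the original thread: a small triage helper that reads journal text like the output above and reports which profiles `apparmor_parser` could not load because the caller was itself confined, and which profiles were skipped as disabled. The function names are hypothetical, and `sample_log` is a constructed sample that reuses lines quoted in the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
export LC_ALL=C   # stable sort order

# Constructed sample: journal lines reused from the post above.
sample_log() {
cat <<'EOF'
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
EOF
}

# stdin: journal text. stdout: "<count> <profile>" for each profile that
# apparmor_parser failed to load with the "while confined?" error.
denied_profiles() {
  awk '
    index($0, "apparmor_parser: Unable to replace") && index($0, "attempted to load a profile while confined?") {
      # The profile name is the first double-quoted string on the line.
      if (match($0, /"[^"]+"/))
        count[substr($0, RSTART + 1, RLENGTH - 2)]++
    }
    END { for (p in count) printf "%d %s\n", count[p], p }
  ' | sort -k2,2
}

# stdin: journal text. stdout: profiles skipped because they are symlinked
# into /etc/apparmor.d/disable (these are not failures).
skipped_profiles() {
  sed -n 's/.*Skipping profile in \/etc\/apparmor\.d\/disable: //p' | sort -u
}

# Live use inside a container:
#   journalctl -u apparmor.service -b --no-pager | denied_profiles
sample_log | denied_profiles
```
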
 
I have the same problem on Ubuntu 16.04 containers after upgrading from proxmox-ve: 5.2-2 (running kernel: 4.15.17-3-pve) to proxmox-ve: 5.3-1 (running kernel: 4.15.18-9-pve).

These containers worked before the upgrade, and when I move a container to an old node (proxmox-ve: 5.2-2), apparmor starts without errors.

Related to this problem, the NFS mounts no longer work from these LXC containers.

Christian
 
Had the same problem when upgrading a container from 16.04 to 18.04. I solved the problem with:
Code:
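# Remove the apparmor package together with its packaged configuration
apt remove apparmor --purge -y
# Delete whatever is left under /etc/apparmor and /etc/apparmor.d (local profile changes included)
rm -rf /etc/apparmor*
# Reinstall the package with the release's default profiles
apt install apparmor -y
# Restart the service and check that it no longer fails
systemctl restart apparmor.service
systemctl status apparmor.service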
I have to do that on all containers upgraded from 16.04 to 18.04.
 