systemctl status degraded, apparmor.service fails, in fresh Ubuntu 18.04 container

BenignlyLoopy

Nov 10, 2018
I have several services running on Ubuntu 16.04 containers and was considering moving them to Ubuntu 18.04 containers.

But (on the latest Proxmox version), fresh Ubuntu 18.04 containers, when booted, are showing up as degraded.

root@test2:~# systemctl status
* test2
State: degraded
Jobs: 0 queued
Failed: 1 units

The one failed unit inside the container is apparmor.service:

root@test2:~# systemctl list-units --state=failed
UNIT LOAD ACTIVE SUB DESCRIPTION
* apparmor.service loaded failed failed AppArmor initialization

Manual attempts to start this service fail. Errors as follows:

root@test2:~# systemctl status apparmor.service
* apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2018-11-10 16:10:49 UTC; 3min 3s ago
...
Process: 416 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)
Main PID: 416 (code=exited, status=123)
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
Nov 10 16:10:49 test2 apparmor[416]: ...fail!
Nov 10 16:10:49 test2 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Nov 10 16:10:49 test2 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 10 16:10:49 test2 systemd[1]: Failed to start AppArmor initialization.

Ubuntu 16.04 containers don't have this problem.

Any ideas what is going on here?
 
I have the same problem on Ubuntu 16.04 containers after upgrading from proxmox-ve: 5.2-2 (running kernel: 4.15.17-3-pve) to proxmox-ve: 5.3-1 (running kernel: 4.15.18-9-pve).

These containers worked before the upgrade, and when I move a container to an old node (proxmox-ve: 5.2-2), apparmor starts without errors.

Related to this problem, the NFS mounts no longer work from these LXC containers.

Christian
 
Had the same problem on upgrading a container from 16.04 to 18.04. I solved the problem with:
Code:
apt remove apparmor --purge -y
rm -rf /etc/apparmor*
apt install apparmor -y
systemctl restart apparmor.service
systemctl status apparmor.service
I have to do that on all containers upgraded from 16.04 to 18.04.
 
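For triaging journal output like that quoted in the first post, the following sketch lists which profiles apparmor_parser rejected with the "while confined" error and which were deliberately skipped, and shows the label the shell itself runs under. It is an added example, not part of the thread or of Proxmox tooling; the function names are hypothetical, and it assumes /proc/self/attr/current reports an AppArmor label.

```shell
#!/bin/sh
# Added example (not from the thread): triage apparmor.service journal output.

# Journal lines abridged from the first post (timestamp and host prefix trimmed).
sample_log() {
cat <<'EOF'
apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
apparmor[416]: /sbin/apparmor_parser: Unable to replace "/sbin/dhclient". Permission denied; attempted to load a profile while confined?
apparmor[416]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/bin/man". Permission denied; attempted to load a profile while confined?
apparmor[416]: /sbin/apparmor_parser: Unable to replace "/usr/sbin/tcpdump". Permission denied; attempted to load a profile while confined?
EOF
}

# Unique profile names the parser could not load with the "while confined" error.
confined_load_failures() {
    sed -n 's/.*apparmor_parser: Unable to replace "\([^"]*\)"\. .*while confined.*/\1/p' |
        LC_ALL=C sort -u
}

# Profiles the init script skipped on purpose (listed in /etc/apparmor.d/disable).
skipped_profiles() {
    sed -n 's|.*Skipping profile in /etc/apparmor\.d/disable: ||p' | LC_ALL=C sort -u
}

# Label of this process: "unconfined" or "<profile> (<mode>)"; "unknown" if unreadable.
# The optional path argument is an assumption added so the function can be tested.
current_label() {
    cat "${1:-/proc/self/attr/current}" 2>/dev/null || echo unknown
}

# Read journal text on stdin and print a short triage summary.
diagnose() {
    log=$(cat)
    failed=$(printf '%s\n' "$log" | confined_load_failures)
    if [ -z "$failed" ]; then
        echo "no 'while confined' load failures found"
        return 0
    fi
    echo "profiles rejected while confined:"
    printf '%s\n' "$failed" | sed 's/^/  /'
    echo "intentionally skipped: $(printf '%s\n' "$log" | skipped_profiles | tr '\n' ' ')"
    echo "label of this shell: $(current_label)"
}

# Live use inside the container: journalctl -u apparmor.service -b --no-pager | diagnose
sample_log | diagnose
```

A label other than "unconfined" means the shell, and the parser started from it, runs under a profile, which is the condition the error message asks about.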
