Hello
I am running a single node Proxmox Virtual Environment 5.1-41 (community version)
The node is able to run VMs without any problem. But if I create a container and then try to start it, I am denied the right to do so.
# lxc-start -n 334 -F
Gives:
lxc-start: 334: lxccontainer.c: do_lxcapi_start: 984 Permission denied - Failed to make / rslave at startup
lxc-start: 334: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: 334: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.
The container seems to be correctly set up. If I do
# lxc-checkconfig 334
I get the following all-green output:
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.13.13-2-pve
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/rdma
/sys/fs/cgroup/freezer
/sys/fs/cgroup/devices
/sys/fs/cgroup/memory
/sys/fs/cgroup/blkio
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/pids
Cgroup v2 mount points:
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
My Proxmox is fully updated, including the no-subscription repository
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
I then ran
# journalctl | grep apparmor
and I found:
Jun 18 10:33:59 pve02 audit[8245]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
Jun 18 10:33:59 pve02 kernel: audit: type=1400 audit(1529332439.088:18): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
So for some reason AppArmor is not letting the container mount its filesystems because of permissions.
Does anyone know how to fix this?
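An added example for triaging denials like the ones quoted above, not code from the post or from Proxmox: a small POSIX shell script that reads journal output on stdin, extracts the fields of every AppArmor DENIED event, collapses the two renderings the journal gives each event (the `audit[pid]: AVC ...` line from journald's audit socket and the `kernel: audit: type=1400 ...` printk copy), and checks for the specific symptom in the post, the `/usr/bin/lxc-start` profile being denied a mount on `/`. The sample lines are constructed for the example: the mount denial is copied from the post, while the STATUS line, the second `open` denial, its pid and the profile name `lxc-container-default` are assumptions.

```shell
#!/bin/sh
# Added example: triage AppArmor denials from journal output (not code from the post).
# Constructed sample: both journal renderings of the lxc-start mount denial from the
# post, one non-denial STATUS line, and one unrelated file denial (assumed pid/profile).
SAMPLE_LOG='Jun 18 10:33:59 pve02 audit[8245]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
Jun 18 10:33:59 pve02 kernel: audit: type=1400 audit(1529332439.088:18): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
Jun 18 10:34:02 pve02 kernel: audit: type=1400 audit(1529332442.100:19): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=8301 comm="apparmor_parser"
Jun 18 10:35:10 pve02 audit[8400]: AVC apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sys/kernel/random/boot_id" pid=8400 comm="cat" requested_mask="r" denied_mask="r"'

# Read journal lines on stdin; print one tab-separated record per distinct DENIED event:
#   operation  profile  name  flags-or-denied_mask  pid
# Each event shows up twice in the journal (journald audit socket plus kernel printk),
# so records are deduplicated on all five fields before printing.
aa_denials() {
    awk '
    # Return the value of key=value or key="quoted value"; empty string if key is absent.
    function val(s, key,    pos, rest, end) {
        pos = index(s, " " key "=")
        if (pos == 0) return ""
        rest = substr(s, pos + length(key) + 2)
        if (substr(rest, 1, 1) == "\"") {
            rest = substr(rest, 2)
            end = index(rest, "\"")
            return substr(rest, 1, end - 1)
        }
        end = index(rest, " ")
        return end ? substr(rest, 1, end - 1) : rest
    }
    /apparmor="DENIED"/ {
        # mount denials carry flags=..., file denials carry denied_mask=...
        extra = val($0, "flags")
        if (extra == "") extra = val($0, "denied_mask")
        rec = val($0, "operation") "\t" val($0, "profile") "\t" val($0, "name") "\t" extra "\t" val($0, "pid")
        if (!seen[rec]++) print rec
    }'
}

# Number of distinct denials on stdin.
aa_count_denials() {
    aa_denials | wc -l | tr -d ' '
}

# Exit 0 if the journal on stdin contains the symptom from the post: the
# /usr/bin/lxc-start profile denied a mount on "/" (the rslave remount at startup).
aa_lxc_root_mount_denied() {
    aa_denials | awk -F '\t' '
        $1 == "mount" && $2 == "/usr/bin/lxc-start" && $3 == "/" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed sample; on a live host use: journalctl | aa_denials
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | aa_denials
    if printf '%s\n' "$SAMPLE_LOG" | aa_lxc_root_mount_denied; then
        echo "lxc-start was denied the rslave mount on / (check the lxc-start AppArmor profile)"
    fi
fi
```

Run it with `sh triage.sh --demo` to see the two distinct denials, or pipe real `journalctl` output into `aa_denials`. The point of the dedup is that a plain `grep -c DENIED` on this journal reports 3 for 2 events; the record keyed on operation, profile, name, flags and pid counts each event once.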