Unable to start containers

jblain

Mar 30, 2015
Hello

I am running a single node Proxmox Virtual Environment 5.1-41 (community version)

The node is able to run VM without any problem. But if I create a container and then try to start it, I am denied the right to do so.

# lxc-start -n 334 -F

Gives :

lxc-start: 334: lxccontainer.c: do_lxcapi_start: 984 Permission denied - Failed to make / rslave at startup
lxc-start: 334: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: 334: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.

The container seems to be correctly setup. If I do

# lxc-checkconfig 334

I get the following all green output :

Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.13.13-2-pve
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/rdma
/sys/fs/cgroup/freezer
/sys/fs/cgroup/devices
/sys/fs/cgroup/memory
/sys/fs/cgroup/blkio
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/pids

Cgroup v2 mount points:


Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

My proxmox is fully updated including the no subscription repository

deb http://download.proxmox.com/debian/pve stretch pve-no-subscription

I then ran

# journalctl | grep apparmor

and I found :

Jun 18 10:33:59 pve02 audit[8245]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
Jun 18 10:33:59 pve02 kernel: audit: type=1400 audit(1529332439.088:18): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"

So for some reason apparmor is not letting the container mount its filesystems because of permissions.

Does anyone know how to fix this?
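Parsing the two journal lines above mechanically, as an added example that is not from the post or from Proxmox: it pulls the `key="value"` fields out of AppArmor audit records, keeps only DENIED mount events (collapsing the auditd/kernel double entry into one), and reports the profile, mount point and flags involved. The sample journal text is constructed from the records quoted above plus two unrelated lines.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two records quoted in the post, one unrelated
# ALLOWED record and one non-AppArmor line, so the filter has work to do.
SAMPLE_JOURNAL = """\
Jun 18 10:33:59 pve02 audit[8245]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
Jun 18 10:33:59 pve02 kernel: audit: type=1400 audit(1529332439.088:18): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8245 comm="lxc-start" flags="rw, rslave"
Jun 18 10:34:02 pve02 kernel: audit: type=1400 audit(1529332442.100:19): apparmor="ALLOWED" operation="open" profile="lxc-container-default" name="/etc/passwd" pid=8300 comm="cat"
Jun 18 10:34:05 pve02 systemd[1]: Started Session 4 of user root.
"""

# Audit fields are key="quoted value" (may contain spaces) or key=bareword.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_record(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {key: (bare or quoted) for key, quoted, bare in _KV.findall(line)}


def denied_mounts(journal_text: str) -> List[Dict[str, str]]:
    """Collect DENIED mount events; the same event is logged twice (auditd and
    kernel ring buffer), so records with identical profile/name/flags/pid are merged."""
    seen, out = set(), []
    for line in journal_text.splitlines():
        rec = parse_apparmor_record(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
            continue
        key = (rec.get("profile"), rec.get("name"), rec.get("flags"), rec.get("pid"))
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def explain(rec: Dict[str, str]) -> str:
    """One-line diagnosis of a denied mount record for the admin reading the journal."""
    flags = [f.strip() for f in rec.get("flags", "").split(",")]
    if rec.get("name") == "/" and "rslave" in flags:
        return (f"profile {rec.get('profile')} denied making / rslave (error {rec.get('error')}): "
                f"no mount rule in the profile matched this mount point (info={rec.get('info')!r})")
    return f"profile {rec.get('profile')} denied mount of {rec.get('name')} with flags {rec.get('flags')!r}"


if __name__ == "__main__":
    for record in denied_mounts(SAMPLE_JOURNAL):
        print(explain(record))
```

Pipe `journalctl -k` into `denied_mounts` instead of the constructed sample to run it against a live host.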