Upgrading to pve-9.1: apparmor.service

[mir]

What does the following mean?
$ sudo systemctl status apparmor.service
× apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Sat 2026-01-03 02:11:52 CET; 12min ago
Invocation: 82b525a2ce88402489679720a3c78e08
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Process: 630 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 630 (code=exited, status=1/FAILURE)
Mem peak: 40.1M
CPU: 5.248s

Jan 03 02:11:48 esx2 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Jan 03 02:11:50 esx2 apparmor.systemd[630]: Restarting AppArmor
Jan 03 02:11:50 esx2 apparmor.systemd[630]: Reloading AppArmor profiles
Jan 03 02:11:50 esx2 apparmor.systemd[693]: conflicting flag values = 4097, 1
Jan 03 02:11:50 esx2 apparmor.systemd[693]: conflicting flags in the rule
Jan 03 02:11:52 esx2 apparmor.systemd[630]: Error: At least one profile failed to load
Jan 03 02:11:52 esx2 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Jan 03 02:11:52 esx2 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jan 03 02:11:52 esx2 systemd[1]: Failed to start apparmor.service - Load AppArmor profiles.
Jan 03 02:11:52 esx2 systemd[1]: apparmor.service: Consumed 5.248s CPU time, 40.1M memory peak.

 

[mir]

It seems the problem is a lxc container with a mount point which is causing the problems. Attached is the debug log from starting the container like this: lxc-start -n 103 -F -lDEBUG -o /tmp/103.log

 

[mir]

Could it be related to this old bug? LXC container fails to start without any reason

 

[mir]

pct start 103 --debug
Has this interesting info:

Changed AppArmor profile to lxc-103_</var/lib/lxc>//&:lxc-103_<-var-lib-lxc>:
DEBUG terminal - ../src/lxc/terminal.c:lxc_terminal_peer_default:704 - No such device - The process does not have a controlling terminal
NOTICE start - ../src/lxc/start.c:start:2214 - Exec'ing "/sbin/init"
NOTICE start - ../src/lxc/start.cost_start:2225 - Started "/sbin/init" with pid "308797"
NOTICE start - ../src/lxc/start.c:signal_handler:447 - Received 17 from pid 308793 instead of container init 308797

 

[dsi]

Jan 03 02:11:50 esx2 apparmor.systemd[693]: conflicting flag values = 4097, 1
Jan 03 02:11:50 esx2 apparmor.systemd[693]: conflicting flags in the rule

Try /sbin/apparmor_parser -N /etc/apparmor.d to find the problematic rule

 

[mir]

Thanks. Got this result:
conflicting flag values = nvidia_modprobe
4097nvidia_modprobe//kmod
, 1
conflicting flags in the rule

Running the command a second time:
conflicting flag values = notepadqq
4097, 1
conflicting flags in the rule

Each time a run the command it complains of a different rule!!
Very confusing.

 

[mir]

apt reinstall apparmor libapparmor1:amd64
Summary:
Upgrading: 0, Installing: 0, Reinstalling: 2, Removing: 0, Not Upgrading: 0
Download size: 755 kB
Space needed: 0 B / 3,915 MB available

Get:1 http://download.proxmox.com/debian/pve trixie/pve-no-subscription amd64 apparmor amd64 4.1.1-pmx1 [711 kB]
Get:2 http://download.proxmox.com/debian/pve trixie/pve-no-subscription amd64 libapparmor1 amd64 4.1.1-pmx1 [43.8 kB]
Fetched 755 kB in 1s (751 kB/s)
Preconfiguring packages ...
(Reading database ... 86201 files and directories currently installed.)
Preparing to unpack .../apparmor_4.1.1-pmx1_amd64.deb ...
Unpacking apparmor (4.1.1-pmx1) over (4.1.1-pmx1) ...
Preparing to unpack .../libapparmor1_4.1.1-pmx1_amd64.deb ...
Unpacking libapparmor1:amd64 (4.1.1-pmx1) over (4.1.1-pmx1) ...
Setting up libapparmor1:amd64 (4.1.1-pmx1) ...
Setting up apparmor (4.1.1-pmx1) ...
Reloading AppArmor profiles
conflicting flag values = 4097, 1
conflicting flags in the rule
Error: At least one profile failed to load
Processing triggers for man-db (2.13.1-1) ...
Processing triggers for libc-bin (2.41-12) ...

It seems there is a bug in the proxmox delivered apparmor profiles?

 

[mir]

Reported on the bug tracker: https://bugzilla.proxmox.com/show_bug.cgi?id=7203

 

[fiona]

Hi,

Thanks. Got this result:
conflicting flag values = nvidia_modprobe
4097nvidia_modprobe//kmod
, 1
conflicting flags in the rule

Running the command a second time:
conflicting flag values = notepadqq
4097, 1
conflicting flags in the rule

Each time a run the command it complains of a different rule!!
Very confusing.

I think it might just be printing at the same time from different threads. What do you get with:

find /etc/apparmor.d/ /etc/apparmor.d/lxc -maxdepth 1 -type f -exec /sbin/apparmor_parser -N {} \;

?

 

[mir]

Hi,
This is the result:
# find /etc/apparmor.d/ /etc/apparmor.d/lxc -maxdepth 1 -type f -exec /sbin/apparmor_parser -N {} \;
ch-run
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/{lib/NetworkManager,libexec}/nm-dhcp-helper
/{,usr/}sbin/dhclient
flatpak
github-desktop
sbuild-destroychroot
chromium
linux-sandbox
1password
crun
lxc-destroy
rootlesskit
opam
libcamerify
QtWebEngineProcess
devhelp
ch-checkns
stress-ng
lxc-create
evolution
tup
sbuild-adduser
notepadqq
keybase
virtiofsd
swtpm
tuxedo-control-center
Xorg
nvidia_modprobe
nvidia_modprobe//kmod
sbuild-upgrade
busybox
vivaldi-bin
qcam
sbuild-hold
/usr/bin/lxc-copy
rpm
sbuild-update
plasmashell
plasmashell//QtWebEngineProcess
obsidian
scide
opera
pve-container-mounthotplug
/usr/bin/man
man_filter
man_groff
/usr/bin/lxc-start
sbuild-checkpackages
rssguard
ipa_verify
sbuild-distupgrade
trinity
sbuild-shell
brave
polypane
balena-etcher
lc-compliance
chrome
runc
lxc-attach
qutebrowser
firefox
sbuild
wpcom
vpnns
kchmviewer
/usr/sbin/chronyd
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
vdens
unprivileged_userns
lxc-unshare
sbuild-apt
systemd-coredump
lsb_release
slirp4netns
MongoDB Compass
geary
vscode
steam
toybox
lxc-execute
pageedit
wike
sbuild-createchroot
slack
goldendict
epiphany
foliate
msedge
element-desktop
privacybrowser
nautilus
cam
sbuild-abort
userbindmount
lxc-stop
unix-chkpwd
sbuild-unhold
signal-desktop
loupe
mmdebstrap
Discord
surfshark
lxc-usernsexec
sbuild-clean
buildah
conflicting flag values = 4097, 1
conflicting flags in the rule
uwsgi-core
qmapshack
conflicting flag values = 4097, 1
conflicting flags in the rule
lxc-container-default-with-mounting
lxc-container-default-cgns
lxc-container-default-with-nesting