Unable to start container using LXC 4.0 on Ubuntu 20.04 LTS (failed to mount: permission denied)

Written by - 0 comments

Published on - Listed in LXC Linux


On a new bare-metal Ubuntu 20.04 LTS server, the following error showed up when trying to launch an LXC container in the foreground (-F):

root@lxchost:~# lxc-start -n container1 -F
lxc-start: inf-monui01-p: utils.c: __safe_mount_beneath_at: 1106 Function not implemented - Failed to open 40(dev)Failed to mount tmpfs at /dev/shm: Permission denied
Failed to mount tmpfs at /run: Permission denied
Failed to mount tmpfs at /run/lock: Permission denied
Failed to mount tmpfs at /sys/fs/cgroup: Permission denied
Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

In dmesg the relevant Apparmor denials can be found:

root@lxchost:~# dmesg
[...]
[1371442.354903] audit: type=1400 audit(1624611561.545:30): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-container-default-cgns" pid=2262462 comm="lxc-start"
[1371442.361397] audit: type=1400 audit(1624611561.549:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/dev/shm/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361632] audit: type=1400 audit(1624611561.549:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361875] audit: type=1400 audit(1624611561.549:33): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/lock/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, noexec"
[1371442.362427] audit: type=1400 audit(1624611561.549:34): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/sys/fs/cgroup/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, noexec, strictatime"

No Apparmor profile defined

When a new container is created...

root@lxchost:~# lxc-create -n test7 -B lvm --vgname=vglxc --fstype=ext4 --fssize 10G -t download -- -d ubuntu -r focal -a amd64
Using image from local cache
Unpacking the rootfs

---
You just created an Ubuntu focal amd64 (20210623_08:39) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.

... the following default container config is created with it:

root@lxchost:~# cat /var/lib/lxc/test7/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r focal -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf

# For Ubuntu 14.04
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = lvm:/dev/vglxc/test7
lxc.uts.name = test7

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:53:e0:45

However, neither this default container config nor the included common.conf sets an Apparmor profile (lxc.apparmor.profile). Apparmor therefore correctly denies the container's requests to mount the system file systems.

To solve this, an Apparmor profile needs to be chosen and added to the config:

root@lxchost:~# grep apparmor /var/lib/lxc/container1/config
lxc.apparmor.profile = generated

Here the "generated" profile was chosen. This means that LXC generates an Apparmor profile based on what this container needs and applies it when the container starts.

Right after this change, the container started without problems:

root@lxchost:~# lxc-start -n container1 -d
root@lxchost:~# lxc-ls -f
NAME          STATE   AUTOSTART GROUPS IPV4         IPV6 UNPRIVILEGED
container1    RUNNING 1         -      10.166.15.25 -    false             
test7         STOPPED 0         -      -            -    false 

Available Apparmor profiles

The following Apparmor profiles are available (as of LXC 4.0):

  • unconfined: Lets the container do (almost) anything it wants; tells Apparmor not to deny anything for this container
  • unchanged: If a profile is already configured elsewhere, tells Apparmor not to change it
  • generated: Instructs LXC to generate an Apparmor profile based on the needs of the container

