On a new bare-metal Ubuntu 20.04 LTS server, the following error showed up when trying to launch an LXC container in the foreground (-F):
root@lxchost:~# lxc-start -n container1 -F
lxc-start: inf-monui01-p: utils.c: __safe_mount_beneath_at: 1106 Function not implemented - Failed to open 40(dev)Failed to mount tmpfs at /dev/shm: Permission denied
Failed to mount tmpfs at /run: Permission denied
Failed to mount tmpfs at /run/lock: Permission denied
Failed to mount tmpfs at /sys/fs/cgroup: Permission denied
Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
The relevant AppArmor denials can be found in dmesg:
root@lxchost:~# dmesg
[...]
[1371442.354903] audit: type=1400 audit(1624611561.545:30): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-container-default-cgns" pid=2262462 comm="lxc-start"
[1371442.361397] audit: type=1400 audit(1624611561.549:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/dev/shm/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361632] audit: type=1400 audit(1624611561.549:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361875] audit: type=1400 audit(1624611561.549:33): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/lock/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, noexec"
[1371442.362427] audit: type=1400 audit(1624611561.549:34): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/sys/fs/cgroup/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, noexec, strictatime"
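As an added example (not part of the original post), a small Python parser that digests AppArmor audit lines like the ones above. It uses copies of three of those dmesg lines as constructed sample input and separates the change_profile failure with info="label not found" (the profile lxc-start tried to switch to is not loaded) from the mount denials that follow it:

```python
import re

# Constructed sample input: three lines copied from the dmesg output above.
SAMPLE_DMESG = """\
[1371442.354903] audit: type=1400 audit(1624611561.545:30): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-container-default-cgns" pid=2262462 comm="lxc-start"
[1371442.361397] audit: type=1400 audit(1624611561.549:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/dev/shm/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361632] audit: type=1400 audit(1624611561.549:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
"""

# Matches either key="quoted value" or key=<integer> (error=-2, pid=..., type=...).
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(-?\d+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if the line is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)          # quoted string value
        else:
            fields[m.group(3)] = int(m.group(4))     # numeric value
    return fields


def diagnose(dmesg_text):
    """Group DENIED events: profiles that could not be found vs. mounts that were refused."""
    report = {"missing_profiles": [], "denied_mounts": [], "other": []}
    for line in dmesg_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") == "change_profile" and f.get("info") == "label not found":
            # lxc-start asked the kernel to switch to a profile that is not loaded
            report["missing_profiles"].append(f["name"])
        elif f.get("operation") == "mount":
            # the container init (comm="systemd") was refused a mount under the lxc-start profile
            report["denied_mounts"].append((f["name"], f.get("fstype"), f.get("flags")))
        else:
            report["other"].append(f)
    return report


if __name__ == "__main__":
    for key, events in diagnose(SAMPLE_DMESG).items():
        print(key, events)
```

A missing_profiles entry is the thing to check first: a container config that names a profile the host does not have loaded produces exactly that line before any mount denials.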
When a new container is created...
root@lxchost:~# lxc-create -n test7 -B lvm --vgname=vglxc --fstype=ext4 --fssize 10G -t download -- -d ubuntu -r focal -a amd64
Using image from local cache
Unpacking the rootfs
---
You just created an Ubuntu focal amd64 (20210623_08:39) container.
To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.
... the following default container config is created with it:
root@lxchost:~# cat /var/lib/lxc/test7/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r focal -a amd64
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
# For Ubuntu 14.04
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.arch = linux64
# Container specific configuration
lxc.rootfs.path = lvm:/dev/vglxc/test7
lxc.uts.name = test7
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:53:e0:45
However, this default container config does not set any AppArmor profile (nor does the included common.conf). AppArmor then correctly denies the container's requests to mount system file systems.
To solve this, an AppArmor profile needs to be chosen and added to the config:
root@lxchost:~# grep apparmor /var/lib/lxc/container1/config
lxc.apparmor.profile = generated
Here the "generated" profile was chosen. This means that AppArmor detects what the container needs and creates a profile for this container.
After this change, the container started fine:
root@lxchost:~# lxc-start -n container1 -d
root@lxchost:~# lxc-ls -f
NAME        STATE    AUTOSTART  GROUPS  IPV4          IPV6  UNPRIVILEGED
container1  RUNNING  1          -       10.166.15.25  -     false
test7       STOPPED  0          -       -             -     false
The following AppArmor profiles are available (as of LXC 4.0):