Apparmor error


Richard Hector

Jun 18, 2021, 12:33:11 AM
to lxc-...@lists.linuxcontainers.org
Hi all,

I'm getting messages like this after an upgrade of the host from stretch
to buster:

Jun 18 12:09:08 postgres kernel: [131022.470073] audit: type=1400 audit(1623974948.239:107): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=15558 comm="(ionclean)" flags="rw, rslave"

I've seen several similar things from web searches, such as this from
this list, 5 years ago:

https://lxc-users.linuxcontainers.narkive.com/3t0leW0p/apparmor-denied-messages-in-the-logs

The suggestion seems to be that it doesn't matter, as long as mounts are
actually working ok (all filesystems seem to be mounted).

But if the mounts are working, what triggers the error? If the mounts
are set up outside the container, why is the container trying to mount
anything? There's nothing in /etc/fstab in the container.

In case it's relevant, /var/lib/lxc/<container>/rootfs is a mount on the
host, for all containers. All containers have additional mounts defined
in the lxc config, and those filesystems are also mounts on the host,
living under /guestfs. They're all lvm volumes, with xfs, as are the
root filesystems.

Any tips welcome.

Cheers,
Richard

Richard Hector

Jun 27, 2021, 9:39:35 PM
to lxc-...@lists.linuxcontainers.org
Hi - sorry about the bump. I hate it when people do that ...

Nobody?

Do I need to clarify something?

Does nobody else here understand what's happening either?

Or is LXC the wrong place to be looking?

Cheers,
Richard

Serge E. Hallyn

Jun 28, 2021, 4:51:11 PM
to Richard Hector, lxc-...@lists.linuxcontainers.org
Bump is good sometimes, things do get lost in mboxes.

Ordinarily I'd guess you were doing an unprivileged container
and so weren't able to get to /var/lib/lxc/container/rootfs,
but since you say it broke on upgrade, I don't know.

Can you paste the full container configuration?

Richard Hector

Jun 28, 2021, 6:52:49 PM
to lxc-...@lists.linuxcontainers.org
I'm using privileged containers (mostly because I haven't researched
unprivileged ones enough?).

Current config of an example container:
---------------
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.ipv4.address = 192.168.1.85/24
lxc.net.0.ipv4.gateway = 192.168.1.1

lxc.rootfs.path = /var/lib/lxc/postgres/rootfs

lxc.mount.entry = /guestfs/postgresql /var/lib/lxc/postgres/rootfs/var/lib/postgresql none bind 0 0
lxc.mount.entry = /guestfs/pg_xlog /var/lib/lxc/postgres/rootfs/var/lib/pg_xlog none bind 0 0

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = postgres
lxc.arch = amd64

lxc.start.auto = 1
------------------

Previous config (before host upgrade):
-----------------
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = 192.168.1.85/24
lxc.network.ipv4.gateway = 192.168.1.1

lxc.rootfs = /var/lib/lxc/postgres/rootfs
lxc.rootfs.backend = dir

lxc.mount.entry = /guestfs/postgresql /var/lib/lxc/postgres/rootfs/var/lib/postgresql none bind 0 0
lxc.mount.entry = /guestfs/pg_xlog /var/lib/lxc/postgres/rootfs/var/lib/pg_xlog none bind 0 0

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.tty = 4
lxc.utsname = postgres
lxc.arch = amd64

lxc.start.auto = 1
-----------------

Do you need debian.common.conf and common.conf and others? Or is there a
way to dump the full config after all includes?

Cheers,
Richard

Serge Hallyn

Jun 29, 2021, 8:09:34 AM
to Richard Hector, lxc-...@lists.linuxcontainers.org


> On Jun 28, 2021, at 17:52, Richard Hector <ric...@walnut.gen.nz> wrote:
>
> I'm using privileged containers (mostly because I haven't researched unprivileged ones enough?).

Thanks. And can you paste the full Llc log when starting with -l trace?

Make sure to check for any sensitive info…

If it’s not obvious from that, I’ll try to reproduce tonight.

Richard Hector

Jun 29, 2021, 11:03:48 PM
to lxc-...@lists.linuxcontainers.org
On 30/06/21 12:09 am, Serge Hallyn wrote:
>
>
>> On Jun 28, 2021, at 17:52, Richard Hector <ric...@walnut.gen.nz> wrote:
>>
>> I'm using privileged containers (mostly because I haven't researched unprivileged ones enough?).
>
> Thanks. And can you paste the full Llc log when starting with -l trace?

Llc? Should that be lxc? And man lxc-start doesn't show trace as an
option for -l. I'd also need to arrange with my client to restart to test.

Cheers,
Richard

John A

Jun 30, 2021, 8:57:06 AM
to lxc-users, ric...@walnut.gen.nz
I get this error on one of my containers. As I recall it is an unprivileged one. These two errors occur every 30 minutes on my system so I assume it is something coming out of a cron job:

Jun 30 03:39:01 host audit[29178]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=29178 comm="(ionclean)" flags="rw, rslave"
Jun 30 03:39:01 host kernel: audit: type=1400 audit(1625042341.858:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=29178 comm="(ionclean)" flags="rw, rslave"

In my case I am going to stop using this container in a few months so just ignoring it.

John
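The two record shapes quoted in this thread, the kernel `audit: type=1400 audit(...)` line in Richard's first message and the journald `audit[pid]: AVC` line in John's, share the same `key="value"` grammar, and John's pair shows the same event arriving once through each channel. The following is an added example, not code from the thread or from the LXC or AppArmor projects: it parses both shapes, folds the journald and kernel copies of one event into a single denial, and tallies denials by profile, operation and command so a recurring entry like the half-hourly `(ionclean)` mount denial stands out from noise. The sample log is constructed: its first three lines reproduce the records quoted above, the last two are made-up non-denial lines that the parser is expected to skip.

```python
import re
from collections import Counter

# Constructed sample: the first three lines reproduce the records quoted in this
# thread (kernel "audit: type=1400" form and journald "audit[pid]: AVC" form, the
# latter two being the same event reported twice); the last two are made-up
# non-denial lines to show what the parser ignores.
SAMPLE_LOG = """\
Jun 18 12:09:08 postgres kernel: [131022.470073] audit: type=1400 audit(1623974948.239:107): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=15558 comm="(ionclean)" flags="rw, rslave"
Jun 30 03:39:01 host audit[29178]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=29178 comm="(ionclean)" flags="rw, rslave"
Jun 30 03:39:01 host kernel: audit: type=1400 audit(1625042341.858:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=29178 comm="(ionclean)" flags="rw, rslave"
Jun 30 04:00:00 host kernel: audit: type=1400 audit(1625043600.000:325): apparmor="ALLOWED" operation="open" profile="lxc-container-default-cgns" name="/etc/hosts" pid=29300 comm="cat"
Jun 30 04:00:01 host sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 55555 ssh2
"""

# key="quoted value" (may contain spaces and commas, e.g. flags="rw, rslave")
# or key=bare (e.g. pid=15558, error=-13).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Kernel records carry audit(<epoch>.<ms>:<serial>); journald AVC records do not.
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# Syslog-style prefix shared by both shapes: timestamp and host.
SYSLOG_PREFIX_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ')


def parse_apparmor_line(line):
    """Return the record's fields as a dict, or None if this is not an AppArmor record."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for m in FIELD_RE.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    m = AUDIT_ID_RE.search(line)
    if m:
        rec["audit_ts"] = float(m.group(1))
        rec["audit_serial"] = int(m.group(2))
    m = SYSLOG_PREFIX_RE.match(line)
    if m:
        rec["syslog_ts"] = m.group("ts")
        rec["host"] = m.group("host")
    return rec


def denial_records(log_text, dedupe=True):
    """Yield DENIED records; with dedupe=True the journald and kernel copies of one
    event (same second, host, pid, operation, target and flags) count once."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if dedupe:
            key = (rec.get("syslog_ts"), rec.get("host"), rec.get("pid"),
                   rec.get("operation"), rec.get("name"), rec.get("flags"))
            if key in seen:
                continue
            seen.add(key)
        yield rec


def summarize_denials(log_text, dedupe=True):
    """Tally denials by (profile, operation, comm, name, flags)."""
    counts = Counter()
    for rec in denial_records(log_text, dedupe):
        counts[(rec.get("profile"), rec.get("operation"), rec.get("comm"),
                rec.get("name"), rec.get("flags"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, comm, name, flags), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  profile={profile} op={op} comm={comm} name={name} flags={flags!r}")
```

Run as a script it prints one line per distinct (profile, operation, comm, name, flags) tuple with its count; to use it on a real host, replace `SAMPLE_LOG` with the text of the syslog file or the output of `journalctl -k`. The dedupe key deliberately leaves out the audit serial, because only the kernel copy carries one.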

Serge E. Hallyn

Jun 30, 2021, 9:08:15 AM
to Richard Hector, lxc-...@lists.linuxcontainers.org
On Wed, Jun 30, 2021 at 03:03:40PM +1200, Richard Hector wrote:
> On 30/06/21 12:09 am, Serge Hallyn wrote:
> >
> >
> > > On Jun 28, 2021, at 17:52, Richard Hector <ric...@walnut.gen.nz> wrote:
> > >
> > > I'm using privileged containers (mostly because I haven't researched unprivileged ones enough?).
> >
> > Thanks. And can you paste the full Llc log when starting with -l trace?
>
> Llc? Should that be lxc? And man lxc-start doesn't show trace as an option
> for -l. I'd also need to arrange with my client to restart to test.

yes, lxc. Yeah, I see TRACE is not listed in lxc-start(1), I don't
know why that is. It's the next level under debug. Looks like a
manpage bug.