Apparmor messages on LXC container, after host upgrade to buster

To: debian-user@lists.debian.org
Subject: Apparmor messages on LXC container, after host upgrade to buster
From: Richard Hector <richard@walnut.gen.nz>
Date: Wed, 23 Jun 2021 20:20:03 +1200
Message-id: <[🔎] 0284334c-9f14-2256-b76b-79571acac345@walnut.gen.nz>

Hi all,

This is a copy of a message I posted to lxc-users last week; maybe morepeople will see it here :-)

I'm getting messages like this after an upgrade of the host from stretchto buster:

Jun 18 12:09:08 postgres kernel: [131022.470073] audit: type=1400audit(1623974948.239:107): apparmor="DENIED" operation="mount"info="failed flags match" error=-13 profile="lxc-container-default-cgns"name="/" pid=15558 comm="(ionclean)" flags="rw, rslave"

I've seen several similar things from web searches, such as this fromthe lxc-users list, 5 years ago:


https://lxc-users.linuxcontainers.narkive.com/3t0leW0p/apparmor-denied-messages-in-the-logs

The suggestion seems to be that it doesn't matter, as long as mounts areactually working ok (all filesystems seem to be mounted).

But if the mounts are working, what triggers the error? If the mountsare set up outside the container, why is the container trying to mountanything? There's nothing in /etc/fstab in the container.

In case it's relevant, /var/lib/lxc/<container>/rootfs is a mount on thehost, for all containers. All containers have additional mounts definedin the lxc config, and those filesystems are also mounts on the host,living under /guestfs. They're all lvm volumes, with xfs, as are theroot filesystems.


Any tips welcome.

Cheers,
Richard

Reply to:

Prev by Date: Re: Web log analysis
Next by Date: Re: Messed up Email
Previous by thread: Re: Web log analysis
Next by thread: cdrskin: burn cdda with cue sheet file
Index(es):
- Date
- Thread