[pkg-lxc-devel] Bug#993391: lxc: Unprivileged lxc example from README.Debian.gz gives AppArmor error "Failed to mount proc"
pk1
pkoroau+bts at gmail.com
Tue Aug 31 17:44:19 BST 2021
Package: lxc
Version: 1:4.0.6-2
Severity: important
X-Debbugs-Cc: pkoroau+bts at gmail.com
Dear Maintainer,
On a pristine Debian 11 install, the example from the "Unprivileged
containers" section of /usr/share/doc/lxc/README.Debian.gz gives "Failed to
mount proc" with an AppArmor error in dmesg, but lxc.apparmor.profile is
unconfined.
reportbug said to test unstable's lxc 1:4.0.10-1, but that also fails with
a different error message.
$ cat test_config
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined
$ systemd-run --scope --quiet --user --property=Delegate=yes lxc-start --logfile /dev/stderr -f test_config -n machine
lxc-start machine 20210830065007.367 ERROR utils - utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc" onto "/proc"
lxc-start machine 20210830065007.367 ERROR conf - conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
lxc-start machine 20210830065007.367 ERROR conf - conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
lxc-start machine 20210830065007.367 ERROR start - start.c:do_start:1218 - Failed to setup container "machine"
[snip]
# dmesg | tail
[snip unrelated]
[ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Could Debian's sysctl be related, as suggested on the LXC forum?
"At some point Debian introduced additional sysctl to restrict user namespaces
for unprivileged users, maybe they still do that and that’s what’s getting in
the way here?"
https://discuss.linuxcontainers.org/t/cannot-start-unprivileged-container-on-debian-11/12019/4
I also tried (umask 022 ; su -l non_root) per #946725 but that does not fix it.
This is also unrelated to #947863 because the config says unconfined.
-- System Information:
Debian Release: 11.0
Architecture: amd64 (x86_64)
Versions of packages lxc depends on:
ii bridge-utils 1.7-1
ii debconf [debconf-2.0] 1.5.77
ii dnsmasq-base [dnsmasq-base] 2.85-1
ii iproute2 5.10.0-4
ii iptables 1.8.7-1
ii libc6 2.31-13
ii libcap2 1:2.44-1
ii libgcc-s1 10.2.1-6
ii liblxc1 1:4.0.6-2
ii libseccomp2 2.5.1-1
ii libselinux1 3.1-3
ii lsb-base 11.1.0
Versions of packages lxc recommends:
ii apparmor 2.13.6-10
ii debootstrap 1.0.123
ii dirmngr 2.2.27-2
ii gnupg 2.2.27-2
ii libpam-cgfs 1:4.0.6-2
ii lxc-templates 3.0.4-5
ii lxcfs 4.0.7-1
ii openssl 1.1.1k-1+deb11u1
ii rsync 3.2.3-4
ii uidmap 1:4.8.1-1
ii wget 1.21-1+b1
Versions of packages lxc suggests:
ii btrfs-progs 5.10.1-2
ii lvm2 2.03.11-2.1
pn python3-lxc <none>
-- debconf information excluded
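Added triage example, not part of the bug report above or of the lxc package. The dmesg record quoted in the report carries a profile= field naming the AppArmor profile that issued the denial; in that record it is "/usr/bin/lxc-start", the profile confining the lxc-start binary itself, which is a different thing from the container profile that lxc.apparmor.profile selects (here "unconfined"). The script below parses such audit records into the fields a triager needs (profile, operation, fstype, target, flags, info), says which kind of profile raised the denial, and reads the Debian-specific user-namespace sysctl that the quoted forum reply refers to. The function names and the profile classification are this example's own; the only input taken from the report is the sample record.

```shell
#!/bin/sh
# Triage helper for AppArmor mount denials seen when starting LXC containers.
# Added example for this bug report; it is not code from lxc or from the
# reporter. Only SAMPLE is taken from the report (the dmesg record quoted
# there, verbatim); function names and the classification are this example's.

# Constructed sample input: the audit record from the report.
SAMPLE='[ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"'

# aa_field RECORD KEY: print the value of KEY=... in an audit record.
# Quoted values may contain blanks (flags="rw, nosuid"); bare values
# (error=-13, pid=3286) end at the next blank. KEY must be preceded by a
# blank so that asking for name= does not match srcname=.
aa_field() {
    _val=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
    [ -n "$_val" ] || _val=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p")
    printf '%s\n' "$_val"
}

# aa_profile_kind PROFILE: which kind of profile raised the denial.
#   binary    - the path-named profile confining the lxc-start executable
#               (LXC ships it as usr.bin.lxc-start); lxc.apparmor.profile
#               in a container config does not change this profile.
#   container - one of LXC's container profiles (lxc-container-default*),
#               i.e. what lxc.apparmor.profile selects.
#   other     - anything else.
aa_profile_kind() {
    case $1 in
        /usr/bin/lxc-start*) echo binary ;;
        lxc-container-*)     echo container ;;
        *)                   echo other ;;
    esac
}

# aa_summarize RECORD: one-line triage summary of a DENIED record.
# Prints nothing and returns 1 for lines that are not AppArmor denials.
aa_summarize() {
    [ "$(aa_field "$1" apparmor)" = DENIED ] || return 1
    _prof=$(aa_field "$1" profile)
    printf 'profile=%s (%s) op=%s fstype=%s target=%s flags="%s" info="%s"\n' \
        "$_prof" "$(aa_profile_kind "$_prof")" \
        "$(aa_field "$1" operation)" "$(aa_field "$1" fstype)" \
        "$(aa_field "$1" name)" "$(aa_field "$1" flags)" "$(aa_field "$1" info)"
}

# scan_dmesg: summarize every AppArmor denial currently in the kernel log.
# Needs permission to read it (see kernel.dmesg_restrict); run as root.
scan_dmesg() {
    dmesg 2>/dev/null | grep 'apparmor="DENIED"' | while IFS= read -r _rec; do
        aa_summarize "$_rec"
    done
}

# userns_sysctl: the Debian-specific knob mentioned in the forum quote.
# Debian kernels expose /proc/sys/kernel/unprivileged_userns_clone: 1 means
# unprivileged users may create user namespaces, 0 means they may not.
# Prints "absent" on kernels without the patch.
userns_sysctl() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        cat /proc/sys/kernel/unprivileged_userns_clone
    else
        echo absent
    fi
}

# Demonstration on the sample record from the report.
aa_summarize "$SAMPLE"
```

Run it as root with `scan_dmesg` after a failed lxc-start to see every denial with the issuing profile beside it; `userns_sysctl` answers the forum question directly. A denial whose profile is classified as "binary" is not affected by lxc.apparmor.profile, which only governs the container side.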