[pkg-lxc-devel] Bug#993391: lxc: Unprivileged lxc example from README.Debian.gz gives AppArmor error "Failed to mount proc"

pk1 pkoroau+bts at gmail.com
Tue Aug 31 17:44:19 BST 2021


Package: lxc
Version: 1:4.0.6-2
Severity: important
X-Debbugs-Cc: pkoroau+bts at gmail.com

Dear Maintainer,


On a pristine Debian 11 install, the example from the "Unprivileged containers"
section of /usr/share/doc/lxc/README.Debian.gz gives "Failed to mount proc"
with an AppArmor error in dmesg, but lxc.apparmor.profile is unconfined.

reportbug said to test unstable's lxc 1:4.0.10-1, but that also fails with
a different error message.


$  cat test_config 
  lxc.idmap = u 0 100000 65536
  lxc.idmap = g 0 100000 65536
  lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
  lxc.apparmor.profile = unconfined

$   systemd-run --scope --quiet --user --property=Delegate=yes    lxc-start --logfile /dev/stderr -f test_config -n machine
lxc-start machine 20210830065007.367 ERROR    utils - utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc" onto "/proc"
lxc-start machine 20210830065007.367 ERROR    conf - conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
lxc-start machine 20210830065007.367 ERROR    conf - conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
lxc-start machine 20210830065007.367 ERROR    start - start.c:do_start:1218 - Failed to setup container "machine"
[snip]

# dmesg | tail
[snip unrelated]
[ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"


Could Debian's sysctl be related, as suggested on the LXC forum?
"At some point Debian introduced additional sysctl to restrict user namespaces
for unprivileged users, maybe they still do that and that’s what’s getting in
the way here?"
https://discuss.linuxcontainers.org/t/cannot-start-unprivileged-container-on-debian-11/12019/4


I also tried (umask 022 ; su -l non_root) per #946725 but that does not fix it.
This is also unrelated to #947863 because the config says unconfined.


-- System Information:
Debian Release: 11.0
Architecture: amd64 (x86_64)

Versions of packages lxc depends on:
ii  bridge-utils                 1.7-1
ii  debconf [debconf-2.0]        1.5.77
ii  dnsmasq-base [dnsmasq-base]  2.85-1
ii  iproute2                     5.10.0-4
ii  iptables                     1.8.7-1
ii  libc6                        2.31-13
ii  libcap2                      1:2.44-1
ii  libgcc-s1                    10.2.1-6
ii  liblxc1                      1:4.0.6-2
ii  libseccomp2                  2.5.1-1
ii  libselinux1                  3.1-3
ii  lsb-base                     11.1.0

Versions of packages lxc recommends:
ii  apparmor       2.13.6-10
ii  debootstrap    1.0.123
ii  dirmngr        2.2.27-2
ii  gnupg          2.2.27-2
ii  libpam-cgfs    1:4.0.6-2
ii  lxc-templates  3.0.4-5
ii  lxcfs          4.0.7-1
ii  openssl        1.1.1k-1+deb11u1
ii  rsync          3.2.3-4
ii  uidmap         1:4.8.1-1
ii  wget           1.21-1+b1

Versions of packages lxc suggests:
ii  btrfs-progs  5.10.1-2
ii  lvm2         2.03.11-2.1
pn  python3-lxc  <none>

-- debconf information excluded
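The dmesg line in this report is a standard AppArmor audit record (type=1400). When triaging "Failed to mount" errors from lxc-start it helps to turn such records into structured fields rather than eyeballing them, because the decisive detail is which profile issued the denial (here the one attached to /usr/bin/lxc-start, not the container's own profile) and which mount flags failed to match. The following Python is an added example written for this page, not code from the bug report or from the lxc project; it parses AppArmor audit lines, filters them to mount denials, and prints a one-line summary. The sample input embeds the denial quoted above plus two constructed records (a non-AppArmor syscall record and a profile-load status record) to show what gets skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input. The first line is the AppArmor denial quoted in the
# bug report; the second and third are constructed records that a real dmesg
# or audit.log could also contain and that the filter must ignore.
SAMPLE_LINES = [
    '[ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 '
    'profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start" '
    'fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"',
    '[ 2127.460000] audit: type=1300 audit(1630306207.364:41): arch=c000003e '
    'syscall=59 success=yes',
    '[ 2127.470000] audit: type=1400 audit(1630306207.365:42): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" '
    'pid=1 comm="apparmor_parser"',
]

# Header of an audit record: type=<n> audit(<epoch>.<ms>:<serial>):
_AUDIT_HDR = re.compile(r"type=(\d+)\s+audit\((\d+\.\d+):(\d+)\):")
# key=value pairs; quoted values may contain spaces and commas (e.g. flags="rw, nosuid")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AppArmorEvent:
    timestamp: float          # seconds since the epoch, from the audit header
    serial: int               # audit serial number
    fields: Dict[str, str]    # raw key/value pairs after the header

    @property
    def denied(self) -> bool:
        return self.fields.get("apparmor") == "DENIED"

    @property
    def error(self) -> Optional[int]:
        """Kernel errno as logged (negative), e.g. -13 for EACCES."""
        raw = self.fields.get("error")
        return int(raw) if raw is not None else None

    def flags(self) -> List[str]:
        """Mount flags from the comma-separated flags= field."""
        return [f.strip() for f in self.fields.get("flags", "").split(",") if f.strip()]


def parse_apparmor_audit(line: str) -> Optional[AppArmorEvent]:
    """Return an AppArmorEvent for a type=1400 AppArmor record, else None."""
    m = _AUDIT_HDR.search(line)
    if not m or m.group(1) != "1400":
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line[m.end():]):
        fields[key] = quoted if quoted != "" else bare
    if "apparmor" not in fields:
        return None
    return AppArmorEvent(float(m.group(2)), int(m.group(3)), fields)


def mount_denials(lines: List[str]) -> List[AppArmorEvent]:
    """Keep only AppArmor DENIED records whose operation is a mount."""
    out: List[AppArmorEvent] = []
    for line in lines:
        ev = parse_apparmor_audit(line)
        if ev is not None and ev.denied and ev.fields.get("operation") == "mount":
            out.append(ev)
    return out


def describe(ev: AppArmorEvent) -> str:
    """One-line summary: which profile blocked which mount, with flags and reason."""
    f = ev.fields
    return (f"profile {f.get('profile')} ({f.get('comm')}, pid {f.get('pid')}) "
            f"denied mount of {f.get('fstype')} on {f.get('name')} "
            f"[flags: {', '.join(ev.flags())}; info: {f.get('info')}; errno {ev.error}]")


if __name__ == "__main__":
    for ev in mount_denials(SAMPLE_LINES):
        print(describe(ev))
```

Run as a script it prints one summary line for the denial in the report; to use it on a live system, feed it the output of `dmesg` or `/var/log/audit/audit.log` line by line instead of SAMPLE_LINES. The summary makes the profile field explicit, which is what decides whether a container-side setting such as lxc.apparmor.profile could have had any effect on the denial.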

