[pkg-lxc-devel] Bug#993391: lxc: Unprivileged lxc example from README.Debian.gz gives AppArmor error "Failed to mount proc"

pk pkoroau at gmail.com
Wed Sep 1 16:18:53 BST 2021


Thank you for answering. kernel.unprivileged_userns_clone = 1 on my
machine and on the Live DVD. All instructions of the README.Debian.gz
were followed.

To rule out machine-specific misconfiguration, this log is from the
Live DVD, Debian 11.0 AMD64 Standard:
Warning: Permanently added '[localhost]:12346' (ECDSA) to the list of
known hosts.
user at localhost's password:
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user at debian:~$ sudo su -l
root at debian:~# apt-get update ; apt-get install lxc
[snip]
root at debian:~# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
root at debian:~# grep user /etc/subuid /etc/subgid
/etc/subuid:user:100000:65536
/etc/subgid:user:100000:65536
root at debian:~#
logout
user at debian:~$ mkdir -p .local/share/lxc
user at debian:~$ chmod +x . .local .local/share
user at debian:~$
user at debian:~$ cat > test_config
  lxc.idmap = u 0 100000 65536
  lxc.idmap = g 0 100000 65536
  lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
  lxc.apparmor.profile = unconfined
user at debian:~$
user at debian:~$   systemd-run --scope --quiet --user
--property=Delegate=yes    lxc-start --logfile /dev/stderr -f
test_config -n machine
lxc-start machine 20210901150740.103 ERROR    utils -
utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc"
onto "/proc"
lxc-start machine 20210901150740.104 ERROR    conf -
conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount
"proc" on "/proc" with flags 14
lxc-start machine 20210901150740.104 ERROR    conf -
conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
lxc-start machine 20210901150740.105 ERROR    start -
start.c:do_start:1218 - Failed to setup container "machine"
lxc-start machine 20210901150740.106 ERROR    sync -
sync.c:__sync_wait:36 - An error occurred in another process (expected
sequence number 5)
lxc-start machine 20210901150740.106 ERROR    start -
start.c:__lxc_start:1999 - Failed to spawn container "machine"
lxc-start machine 20210901150740.107 ERROR    lxccontainer -
lxccontainer.c:wait_on_daemonized_start:859 - Received container state
"ABORTING" instead of "RUNNING"
lxc-start: machine: lxccontainer.c: wait_on_daemonized_start: 859
Received container state "ABORTING" instead of "RUNNING"
lxc-start machine 20210901150740.108 ERROR    lxc_start -
tools/lxc_start.c:main:308 - The container failed to start
lxc-start: machine: tools/lxc_start.c: main: 308 The container failed to start
lxc-start machine 20210901150740.108 ERROR    lxc_start -
tools/lxc_start.c:main:311 - To get more details, run the container in
foreground mode
lxc-start: machine: tools/lxc_start.c: main: 311 To get more details,
run the container in foreground mode
lxc-start machine 20210901150740.108 ERROR    lxc_start -
tools/lxc_start.c:main:313 - Additional information can be obtained by
setting the --logfile and --logpriority options
lxc-start: machine: tools/lxc_start.c: main: 313 Additional
information can be obtained by setting the --logfile and --logpriority
options
user at debian:~$  sudo su -l
root at debian:~# dmesg | tail
[  294.416862] audit: type=1400 audit(1630508543.972:7):
apparmor="STATUS" operation="profile_replace" info="same as current
profile, skipping" profile="unconfined" name="lsb_release" pid=2444
comm="apparmor_parser"
[  294.526095] audit: type=1400 audit(1630508544.084:8):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/bin/man" pid=2442 comm="apparmor_parser"
[  294.527098] audit: type=1400 audit(1630508544.084:9):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="man_filter" pid=2442 comm="apparmor_parser"
[  294.528359] audit: type=1400 audit(1630508544.084:10):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="man_groff" pid=2442 comm="apparmor_parser"
[  297.864908] audit: type=1400 audit(1630508547.412:11):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxc-container-default" pid=2618 comm="apparmor_parser"
[  297.867516] audit: type=1400 audit(1630508547.416:12):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxc-container-default-cgns" pid=2618 comm="apparmor_parser"
[  297.869845] audit: type=1400 audit(1630508547.420:13):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxc-container-default-with-mounting" pid=2618
comm="apparmor_parser"
[  297.872902] audit: type=1400 audit(1630508547.420:14):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxc-container-default-with-nesting" pid=2618
comm="apparmor_parser"
[  297.933031] audit: type=1400 audit(1630508547.480:15):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/bin/lxc-start" pid=2624 comm="apparmor_parser"
[  610.653177] audit: type=1400 audit(1630508860.099:16):
apparmor="DENIED" operation="mount" info="failed flags match"
error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3594
comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid,
nodev, noexec"
root at debian:~#
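The last dmesg line is the signal worth keeping from this transcript: the mount of proc is denied under profile="/usr/bin/lxc-start", the profile attached to the lxc-start binary itself, even though the container config asked for lxc.apparmor.profile = unconfined. As an added example (not part of the bug report or of the lxc package), here is a small Python triage helper that parses type=1400 AppArmor audit lines as printed by dmesg and picks out mount denials; the sample input is constructed from the lines above, and non-audit lines are skipped.

```python
import re
from typing import List, Optional

# Constructed sample: two dmesg lines taken from the report above,
# one harmless profile_load STATUS line and the proc mount DENIED line.
SAMPLE_DMESG = """\
[  297.933031] audit: type=1400 audit(1630508547.480:15): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=2624 comm="apparmor_parser"
[  610.653177] audit: type=1400 audit(1630508860.099:16): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3594 comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
"""

# AppArmor audit fields are key="quoted value" or key=bare_value.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the key/value fields of a type=1400 (AppArmor) audit line, else None."""
    if "audit: type=1400" not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def mount_denials(dmesg_text: str) -> List[dict]:
    """Keep only DENIED mount events and split the flags string into a list."""
    events = []
    for line in dmesg_text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "mount":
            f["flag_list"] = [x.strip() for x in f.get("flags", "").split(",") if x.strip()]
            events.append(f)
    return events


def explain(event: dict) -> str:
    """One-line triage note: which profile blocked which mount, and the kernel's reason."""
    return (f'profile {event["profile"]} (comm={event.get("comm", "?")}) denied mounting '
            f'{event.get("fstype", "?")} on {event.get("name", "?")}: '
            f'{event.get("info", "")} flags={",".join(event["flag_list"])}')


if __name__ == "__main__":
    for ev in mount_denials(SAMPLE_DMESG):
        print(explain(ev))
```

Run against `dmesg` (or `journalctl -k`) output, the helper separates real mount denials from the profile_load noise that precedes them and names the confining profile, which is what decides whether the container profile setting or the profile on the lxc-start binary needs attention.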