[pkg-lxc-devel] Bug#995350: Fix: enable mount flags (rw, rbind) in addition to (rw, bind)

[John Brooks]

On Wed, 05 Jan 2022 12:34:47 +0000 Pelzi <pelzi at flying-snail.de> wrote:
 > The following patch seems to fix the problem.
 >
 > --- /tmp/lxc-default-with-nesting.org 2022-01-05 13:25:18.920809830 +0100
 > +++ lxc-default-with-nesting 2022-01-05 13:22:35.019939076 +0100
 > @@ -10,6 +10,7 @@
 > mount fstype=proc -> /var/cache/lxc/**,
 > mount fstype=sysfs -> /var/cache/lxc/**,
 > mount options=(rw,bind),
 > + mount options=(rw,rbind),
 > mount fstype=cgroup -> /sys/fs/cgroup/**,
 > mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 > }
 >
 >

Making this change to /etc/apparmor.d/lxc/lxc-default-with-nesting and 
reloading apparmor did not fix it for me. It still failed with this in 
dmesg:

[24331487.635679] audit: type=1400 audit(1656010635.412:13707): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxc-container-default-with-nesting" 
name="/run/systemd/unit-root/proc/" pid=30720 comm="(d-logind)" 
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

My container is unprivileged and I am including 
/usr/share/lxc/config/nesting.conf in my container's config file. My lxc 
package version is 1:3.1.0+really3.0.3-8.

Instead, I masked the systemd-logind service inside the container so 
that it would no longer delay logins. Hopefully there's a better fix at 
some point.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20220623/4fd9dc41/attachment.htm>