[lxc-users] Apparmor DENIED messages in the logs
Andrey Repin
2016-08-12 14:13:55 UTC
Greetings, All!

[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"

Host: Ubuntu 12.04
Guests: 12.04 and 14.04
LXC: 2.0.3

I'm getting quite a bit of these lines in the logs.
Is this normal?

Container configurations are quite trivial, I've even removed all questionable
binds.
--
With best regards,
Andrey Repin
Friday, August 12, 2016 17:09:15

Sorry for my terrible English...
Andrey Repin
2016-08-15 15:51:51 UTC
Greetings, Andrey Repin!
Post by Andrey Repin
Greetings, All!
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
Host: Ubuntu 12.04
Guests: 12.04 and 14.04
LXC: 2.0.3
I'm getting quite a bit of these lines in the logs.
Is this normal?
Container configurations are quite trivial, I've even removed all questionable
binds.
Got a similar failure report in #lxcontainers, and this made me realize one thing.
We both use a custom container root, and we are both trying to bind-mount stuff into
the container.
I've tried to tell apparmor to behave, but it seems I've lost my grasp.
Can anyone help out here please?
--
With best regards,
Andrey Repin
Monday, August 15, 2016 18:50:19

Sorry for my terrible English...
Andrey Repin
2016-08-18 15:46:43 UTC
Greetings, Andrey Repin!
Post by Andrey Repin
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
Host: Ubuntu 12.04
Guests: 12.04 and 14.04
LXC: 2.0.3
I'm getting quite a bit of these lines in the logs.
Is this normal?
Container configurations are quite trivial, I've even removed all questionable
binds.
Host: 14.04.5 amd64
Guest: 14.04.5 i686
LXC: 2.0.3

# lld /home/mc-superflat/dynmap/web
drwxr-x--x+ 7 mc-superflat nogroup 4096 июня 16 11:00 /home/mc-superflat/dynmap/web
***@daemon1:screen:1:/home/mc-superflat
# tail -20 /var/log/upstart/lxc-instance-hosting.log
lxc-start: utils.c: safe_mount: 1692 No such device - Failed to mount /home/mc-superflat/dynmap/web onto /usr/lib/x86_64-linux-gnu/lxc/home/mc-superflat/htdocs
lxc-start: conf.c: mount_entry: 1650 No such device - failed to mount '/home/mc-superflat/dynmap/web' on '/usr/lib/x86_64-linux-gnu/lxc/home/mc-superflat/htdocs'
lxc-start: conf.c: lxc_setup: 3726 failed to setup the mounts for 'hosting'
lxc-start: start.c: do_start: 833 failed to setup the container
lxc-start: sync.c: __sync_wait: 57 An error occurred in another process (expected sequence number 3)
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'hosting'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.


--
With best regards,
Andrey Repin
Thursday, August 18, 2016 18:40:14

Sorry for my terrible English...
Andrey Repin
2016-09-13 17:03:52 UTC
Greetings, Andrey Repin!
Post by Andrey Repin
Greetings, Andrey Repin!
Post by Andrey Repin
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
Host: Ubuntu 12.04
Guests: 12.04 and 14.04
LXC: 2.0.3
I'm getting quite a bit of these lines in the logs.
Is this normal?
Container configurations are quite trivial, I've even removed all questionable
binds.
Host: 14.04.5 amd64
Guest: 14.04.5 i686
LXC: 2.0.3
# lld /home/mc-superflat/dynmap/web
drwxr-x--x+ 7 mc-superflat nogroup 4096 июня 16 11:00 /home/mc-superflat/dynmap/web
# tail -20 /var/log/upstart/lxc-instance-hosting.log
lxc-start: utils.c: safe_mount: 1692 No such device - Failed to mount
/home/mc-superflat/dynmap/web onto
/usr/lib/x86_64-linux-gnu/lxc/home/mc-superflat/htdocs
lxc-start: conf.c: mount_entry: 1650 No such device - failed to mount
'/home/mc-superflat/dynmap/web' on
'/usr/lib/x86_64-linux-gnu/lxc/home/mc-superflat/htdocs'
lxc-start: conf.c: lxc_setup: 3726 failed to setup the mounts for 'hosting'
lxc-start: start.c: do_start: 833 failed to setup the container
lxc-start: sync.c: __sync_wait: 57 An error occurred in another process (expected sequence number 3)
lxc-start: start.c: __lxc_start: 1353 failed to spawn 'hosting'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by
setting the --logfile and --logpriority options.
Anyone? Halp?


--
With best regards,
Andrey Repin
Tuesday, September 13, 2016 20:03:42

Sorry for my terrible English...
Fajar A. Nugraha
2016-09-14 04:03:25 UTC
Post by Andrey Repin
Post by Andrey Repin
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/" pid=12887 comm="mount"
flags="ro, remount"
Is it working fine?
Post by Andrey Repin
Anyone? Halp?
If the container works, ignore the messages.

The apparmor profile in lxc/lxd will deny most mount commands from inside
the container. Which is fine, since the host is supposed to setup all
necessary mounts anyway. Most distros that run inside the container (at
least I tested with ubuntu and centos) can correctly detect whether the
error can be safely ignored, so there should be no harm other than the (in
your case) unwanted logs.

Some types of mount (e.g. fuse) can be made to work inside the container
(IIRC this is the default in lxd 2.0.4).
More types of mounts can be made available by setting security.nesting
(lxd) or lxc.aa_profile (lxc).
--
Fajar
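An added example, not from the thread or from the LXC project: a small triage script over kernel-log lines in the exact format quoted above. It parses the type=1400 AppArmor fields and classifies the one denial the reply describes as expected (the guest's own mount(8) remounting "/" read-only under lxc-container-default) separately from anything else, so repeated noise can be counted without hiding a real problem. The log text is constructed for the example; the second and third lines are made up.

```python
import re

# Constructed sample in the dmesg/kern.log type=1400 layout. The first line is
# the one from the thread; the other two are invented for the example.
SAMPLE_LOG = """\
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
[ 5410.100000] type=1400 audit(1471009222.000:58): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/srv/" pid=12901 comm="mount" flags="rw, bind"
[ 5411.200000] type=1400 audit(1471009223.000:59): apparmor="ALLOWED" operation="open" profile="lxc-container-default" name="/etc/hosts" pid=12910 comm="cat"
"""

# key=value pairs; values are either a double-quoted string (may contain
# spaces, e.g. flags="ro, remount") or a bare token (pid=12887, error=-13).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return a dict of the key=value fields of one type=1400 audit line, or None."""
    if 'type=1400' not in line or 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def triage(fields):
    """Classify a parsed line the way the reply above suggests: a remount of
    '/' refused under lxc-container-default is expected noise if the container
    otherwise runs; any other DENIED mount deserves a look."""
    if fields is None or fields.get('apparmor') != 'DENIED':
        return 'ignore'
    if (fields.get('operation') == 'mount'
            and fields.get('profile') == 'lxc-container-default'
            and fields.get('name') == '/'
            and 'remount' in fields.get('flags', '')):
        return 'expected-noise'
    return 'investigate'


def summarize(log_text):
    """Count DENIED events per (profile, operation, comm, verdict) in a log."""
    counts = {}
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get('apparmor') == 'DENIED':
            key = (f['profile'], f['operation'], f.get('comm', '?'), triage(f))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```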
Andrey Repin
2016-09-14 09:00:37 UTC
Greetings, Fajar A. Nugraha!
Post by Fajar A. Nugraha
Post by Andrey Repin
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
Is it working fine?
No, it either fails to start or does not mount the directories.
Post by Fajar A. Nugraha
 
Anyone? Halp?
If the container works, ignore the messages.
The apparmor profile in lxc/lxd will deny most mount commands from inside
the container.
I'm mounting from container configuration. Not from inside the container.
Post by Fajar A. Nugraha
Which is fine, since the host is supposed to setup all
necessary mounts anyway. Most distros that run inside the container (at
least I tested with ubuntu and centos) can correctly detect whether the
error can be safely ignored, so there should be no harm other than the (in your case) unwanted logs.
Some types of mount (e.g. fuse) can be made to work inside the container
(IIRC this is the default in lxd 2.0.4).
More types of mounts can be made available by setting security.nesting (lxd) or lxc.aa_profile (lxc).
--
With best regards,
Andrey Repin
Wednesday, September 14, 2016 11:59:22

Sorry for my terrible English...
Fajar A. Nugraha
2016-09-14 09:20:10 UTC
Post by Andrey Repin
Greetings, Fajar A. Nugraha!
Post by Fajar A. Nugraha
Post by Andrey Repin
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
operation="mount" info="failed flags match" error=-13
profile="lxc-container-default" name="/" pid=12887 comm="mount"
flags="ro, remount"
Post by Fajar A. Nugraha
Is it working fine?
No, it either fails to start, or not mounting the directories.
Does it work if you disable apparmor? e.g. lxc.aa_profile = unconfined (run
"man lxc.container.conf" for details).

If yes, then most likely you need a custom apparmor profile (for example,
see /etc/apparmor.d/abstractions/lxc/start-container), or disable apparmor
completely for your containers.
--
Fajar