[lxc-users] securityfs mount denied by apparmor

Tamas Papp tompos at martos.bme.hu
Sat Oct 18 13:36:24 UTC 2014 

On 10/18/2014 02:57 PM, Tamas Papp wrote:
> hi,
>
> It's on daily ppa.
> I have tried with a container created with v1.0.6 and daily too.
>
> apparmor="DENIED" operation="mount" info="failed type match" error=-13 
> profile="/usr/bin/lxc-start" name="/sys/kernel/security/" pid=30225 
> comm="lxc-start" fstype="securityfs" srcname="securityfs" flags="rw"
>
>
> end of lxc-start -l DEBUG:
>
>       lxc-start 1413636324.068 NOTICE   lxc_conf - 
> conf.c:lxc_setup:4173 - 'trinity' is setup.
>       lxc-start 1413636324.069 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.deny' set to 'a'
>       lxc-start 1413636324.070 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> *:* m'
>       lxc-start 1413636324.070 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'b 
> *:* m'
>       lxc-start 1413636324.070 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 1:3 rwm'
>       lxc-start 1413636324.071 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 1:5 rwm'
>       lxc-start 1413636324.071 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 1:7 rwm'
>       lxc-start 1413636324.071 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 5:0 rwm'
>       lxc-start 1413636324.071 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 5:1 rwm'
>       lxc-start 1413636324.072 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 5:2 rwm'
>       lxc-start 1413636324.072 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 1:8 rwm'
>       lxc-start 1413636324.072 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 1:9 rwm'
>       lxc-start 1413636324.073 DEBUG    lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to 'c 
> 136:* rwm'
>       lxc-start 1413636324.073 INFO     lxc_cgmanager - 
> cgmanager.c:cgm_setup_limits:1250 - cgroup limits have been setup
>       lxc-start 1413636324.073 ERROR    lxc_apparmor - 
> lsm/apparmor.c:mount_feature_enabled:61 - Permission denied - Error 
> mounting securityfs
>       lxc-start 1413636324.073 WARN     lxc_apparmor - 
> lsm/apparmor.c:apparmor_process_label_set:184 - Incomplete AppArmor 
> support in your kernel
>       lxc-start 1413636324.073 ERROR    lxc_apparmor - 
> lsm/apparmor.c:apparmor_process_label_set:186 - If you really want to 
> start this container, set
>       lxc-start 1413636324.073 ERROR    lxc_apparmor - 
> lsm/apparmor.c:apparmor_process_label_set:187 - 
> lxc.aa_allow_incomplete = 1
>       lxc-start 1413636324.073 ERROR    lxc_apparmor - 
> lsm/apparmor.c:apparmor_process_label_set:188 - in your container 
> configuration file
>       lxc-start 1413636324.073 ERROR    lxc_sync - 
> sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
>       lxc-start 1413636324.073 ERROR    lxc_start - 
> start.c:__lxc_start:1087 - failed to spawn 'trinity'
>       lxc-start 1413636324.074 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.074 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing 
> name=systemd:lxc/trinity-5
>       lxc-start 1413636324.074 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.074 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing hugetlb:lxc/trinity-5
>       lxc-start 1413636324.074 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.074 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing 
> perf_event:lxc/trinity-5
>       lxc-start 1413636324.075 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.075 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing blkio:lxc/trinity-5
>       lxc-start 1413636324.075 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.075 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing freezer:lxc/trinity-5
>       lxc-start 1413636324.075 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing devices:lxc/trinity-5
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing memory:lxc/trinity-5
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing cpuacct:lxc/trinity-5
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.076 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing cpu:lxc/trinity-5
>       lxc-start 1413636324.077 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync 
> failed: invalid request
>       lxc-start 1413636324.077 ERROR    lxc_cgmanager - 
> cgmanager.c:cgm_remove_cgroup:505 - Error removing cpuset:lxc/trinity-5
>       lxc-start 1413636324.096 WARN     lxc_commands - 
> commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to 
> receive response
>       lxc-start 1413636324.096 WARN     lxc_cgmanager - 
> cgmanager.c:cgm_get:955 - do_cgm_get exited with error
>       lxc-start 1413636329.101 ERROR    lxc_start_ui - 
> lxc_start.c:main:341 - The container failed to start.
>       lxc-start 1413636329.102 ERROR    lxc_start_ui - 
> lxc_start.c:main:343 - To get more details, run the container in 
> foreground mode.
>       lxc-start 1413636329.102 ERROR    lxc_start_ui - 
> lxc_start.c:main:345 - Additional information can be obtained by 
> setting the --logfile and --logpriority options.
>
>
> Do I make something wrong?

The template is oracle (6.5)...

tamas

More information about the lxc-users mailing list