[lxc-users] securityfs mount denied by apparmor

Serge Hallyn serge.hallyn at ubuntu.com
Mon Oct 20 21:33:13 UTC 2014


Quoting Tamas Papp (tompos at martos.bme.hu):
> 
> On 10/18/2014 02:57 PM, Tamas Papp wrote:
> >hi,
> >
> >It's on daily ppa.
> >I have tried with a container created with v1.0.6 and daily too.
> >
> >apparmor="DENIED" operation="mount" info="failed type match"
> >error=-13 profile="/usr/bin/lxc-start"
> >name="/sys/kernel/security/" pid=30225 comm="lxc-start"
> >fstype="securityfs" srcname="securityfs" flags="rw"
> >
> >
> >end of lxc-start -l DEBUG:
> >
> >      lxc-start 1413636324.068 NOTICE   lxc_conf -
> >conf.c:lxc_setup:4173 - 'trinity' is setup.
> >      lxc-start 1413636324.069 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.deny' set to
> >'a'
> >      lxc-start 1413636324.070 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c *:* m'
> >      lxc-start 1413636324.070 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'b *:* m'
> >      lxc-start 1413636324.070 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 1:3 rwm'
> >      lxc-start 1413636324.071 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 1:5 rwm'
> >      lxc-start 1413636324.071 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 1:7 rwm'
> >      lxc-start 1413636324.071 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 5:0 rwm'
> >      lxc-start 1413636324.071 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 5:1 rwm'
> >      lxc-start 1413636324.072 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 5:2 rwm'
> >      lxc-start 1413636324.072 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 1:8 rwm'
> >      lxc-start 1413636324.072 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 1:9 rwm'
> >      lxc-start 1413636324.073 DEBUG    lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1246 - cgroup 'devices.allow' set to
> >'c 136:* rwm'
> >      lxc-start 1413636324.073 INFO     lxc_cgmanager -
> >cgmanager.c:cgm_setup_limits:1250 - cgroup limits have been setup
> >      lxc-start 1413636324.073 ERROR    lxc_apparmor -
> >lsm/apparmor.c:mount_feature_enabled:61 - Permission denied -
> >Error mounting securityfs
> >      lxc-start 1413636324.073 WARN     lxc_apparmor -
> >lsm/apparmor.c:apparmor_process_label_set:184 - Incomplete
> >AppArmor support in your kernel
> >      lxc-start 1413636324.073 ERROR    lxc_apparmor -
> >lsm/apparmor.c:apparmor_process_label_set:186 - If you really want
> >to start this container, set
> >      lxc-start 1413636324.073 ERROR    lxc_apparmor -
> >lsm/apparmor.c:apparmor_process_label_set:187 -
> >lxc.aa_allow_incomplete = 1
> >      lxc-start 1413636324.073 ERROR    lxc_apparmor -
> >lsm/apparmor.c:apparmor_process_label_set:188 - in your container
> >configuration file
> >      lxc-start 1413636324.073 ERROR    lxc_sync -
> >sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
> >      lxc-start 1413636324.073 ERROR    lxc_start -
> >start.c:__lxc_start:1087 - failed to spawn 'trinity'
> >      lxc-start 1413636324.074 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.074 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >name=systemd:lxc/trinity-5
> >      lxc-start 1413636324.074 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.074 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >hugetlb:lxc/trinity-5
> >      lxc-start 1413636324.074 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.074 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >perf_event:lxc/trinity-5
> >      lxc-start 1413636324.075 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.075 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >blkio:lxc/trinity-5
> >      lxc-start 1413636324.075 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.075 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >freezer:lxc/trinity-5
> >      lxc-start 1413636324.075 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >devices:lxc/trinity-5
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >memory:lxc/trinity-5
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >cpuacct:lxc/trinity-5
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.076 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >cpu:lxc/trinity-5
> >      lxc-start 1413636324.077 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:503 - call to cgmanager_remove_sync
> >failed: invalid request
> >      lxc-start 1413636324.077 ERROR    lxc_cgmanager -
> >cgmanager.c:cgm_remove_cgroup:505 - Error removing
> >cpuset:lxc/trinity-5
> >      lxc-start 1413636324.096 WARN     lxc_commands -
> >commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to
> >receive response
> >      lxc-start 1413636324.096 WARN     lxc_cgmanager -
> >cgmanager.c:cgm_get:955 - do_cgm_get exited with error
> >      lxc-start 1413636329.101 ERROR    lxc_start_ui -
> >lxc_start.c:main:341 - The container failed to start.
> >      lxc-start 1413636329.102 ERROR    lxc_start_ui -
> >lxc_start.c:main:343 - To get more details, run the container in
> >foreground mode.
> >      lxc-start 1413636329.102 ERROR    lxc_start_ui -
> >lxc_start.c:main:345 - Additional information can be obtained by
> >setting the --logfile and --logpriority options.
> >
> >
> >Am I doing something wrong?
> 
> The template is oracle (6.5)...

I guess this patch:

https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010662.html

must not yet have been applied.  I'll do so right now.

-serge
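
Added example, not part of the original message and not LXC code: a Python triage helper that parses AppArmor audit records like the denial quoted above and groups mount denials by profile, filesystem type and target. The function names and the second sample record are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the denial quoted in the thread, joined onto one
# line, plus one unrelated record invented here for contrast.
SAMPLE = [
    'apparmor="DENIED" operation="mount" info="failed type match" error=-13 '
    'profile="/usr/bin/lxc-start" name="/sys/kernel/security/" pid=30225 '
    'comm="lxc-start" fstype="securityfs" srcname="securityfs" flags="rw"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/example" '
    'name="/etc/example.conf" pid=4242 comm="example" denied_mask="r"',
]

# String fields that the audit subsystem writes as unquoted hex when the value
# contains characters it treats as untrusted (spaces, quotes, control bytes).
STRING_FIELDS = {"name", "srcname", "comm", "profile", "info", "fstype"}
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in STRING_FIELDS and _HEX.fullmatch(bare):
            # Hex-encoded string field: decode it so paths stay comparable.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare  # numeric fields such as pid= and error=
    return fields


def mount_denials(lines):
    """Return the parsed records that are AppArmor mount denials."""
    records = (parse_record(line) for line in lines)
    return [r for r in records
            if r.get("apparmor") == "DENIED" and r.get("operation") == "mount"]


def summarize(lines):
    """Count mount denials per (profile, fstype, target path)."""
    return Counter((r.get("profile"), r.get("fstype"), r.get("name"))
                   for r in mount_denials(lines))


if __name__ == "__main__":
    for (profile, fstype, name), count in summarize(SAMPLE).items():
        print(f"{count}x profile={profile} fstype={fstype} target={name}")
```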

