[lxc-users] Apparmor DENIED messages in the logs

Fajar A. Nugraha list at fajar.net
Wed Sep 14 04:03:25 UTC 2016


On Wed, Sep 14, 2016 at 12:03 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:

> >> [ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
> >> operation="mount" info="failed flags match" error=-13
> >> profile="lxc-container-default" name="/" pid=12887 comm="mount"
> >> flags="ro, remount"
>
>
Is it working fine?


> Anyone? Halp?
>
>
If the container works, ignore the messages.

The AppArmor profile in lxc/lxd will deny most mount commands from inside
the container, which is fine, since the host is supposed to set up all
necessary mounts anyway. Most distros that run inside the container (at
least I tested with Ubuntu and CentOS) can correctly detect whether the
error can be safely ignored, so there should be no harm other than the (in
your case) unwanted logs.

Some types of mount (e.g. fuse) can be made to work inside the container
(IIRC this is the default in lxd 2.0.4).
More types of mounts can be made available by setting security.nesting
(lxd) or lxc.aa_profile (lxc).

-- 
Fajar
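
Added example, not part of the original message: a small Python triage script that parses kernel AppArmor audit lines in the format quoted above, tallies denials by profile, operation and target, and separates the mount denials the reply describes as expected from any other denials under the same profile. The sample log is constructed (its first line is modelled on the quoted denial), and the function names and the "non-mount" triage rule are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is modelled on the denial quoted in the
# thread; the remaining lines are invented to exercise the parser.
SAMPLE_LOG = """\
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
[ 5409.100000] type=1400 audit(1471009221.000:58): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=12901 comm="mount" flags="ro, remount"
[ 5410.200000] type=1400 audit(1471009222.000:59): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sysrq-trigger" pid=12950 comm="cat" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 5411.300000] type=1400 audit(1471009223.000:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default" pid=13000 comm="apparmor_parser"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit line, or None otherwise."""
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def summarize(log_text):
    """Count denials by (profile, operation, name, detail)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        # Mount denials carry flags=...; file denials carry denied_mask=...
        detail = f.get("flags") or f.get("denied_mask", "")
        key = (f.get("profile", "?"), f.get("operation", "?"), f.get("name", ""), detail)
        counts[key] += 1
    return counts


def non_mount_denials(counts, profile="lxc-container-default"):
    """Assumed triage rule: mount denials under the container profile are the
    expected noise described in the thread, so list every other denial."""
    return sorted(k for k in counts if k[0] == profile and k[1] != "mount")


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for key, n in totals.most_common():
        print(n, *key, sep="\t")
    print("non-mount:", non_mount_denials(totals))
```

On a real host the same functions can be fed the output of `dmesg` or the kernel log file instead of `SAMPLE_LOG`.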