[lxc-users] Apparmor DENIED messages in the logs
Andrey Repin
anrdaemon at yandex.ru
Wed Sep 14 09:00:37 UTC 2016
Greetings, Fajar A. Nugraha!
> On Wed, Sep 14, 2016 at 12:03 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:
>>> [ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED"
>>> operation="mount" info="failed flags match" error=-13
>>> profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
>
> Is it working fine?
No, it either fails to start, or is not mounting the directories.
>
> Anyone? Halp?
>
> If the container works, ignore the messages.
> The apparmor profile in lxc/lxd will deny most mount commands from inside
> the container.
I'm mounting from container configuration. Not from inside the container.
> Which is fine, since the host is supposed to set up all
> necessary mounts anyway. Most distros that run inside the container (at
> least I tested with ubuntu and centos) can correctly detect whether the
> error can be safely ignored, so there should be no harm other than the (in your case) unwanted logs.
> Some types of mount (e.g. fuse) can be made to work inside the container
> (IIRC this is the default in lxd 2.0.4).
> More types of mounts can be made available by setting security.nesting (lxd) or lxc.aa_profile (lxc)
--
With best regards,
Andrey Repin
Wednesday, September 14, 2016 11:59:22
Sorry for my terrible English...
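
A small triage helper for denial records like the one quoted in this thread, added here as an example (not code from the thread or from the LXC project). It parses the kernel audit line into fields and counts denials per profile, operation, reason and target, so it is easier to see which mounts the profile is refusing; the function names and the second sample record are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first record is the denial quoted in the thread,
# joined onto one line; the second record and the third line are made up.
SAMPLE_LOG = '''\
[ 5408.633325] type=1400 audit(1471009220.304:57): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=12887 comm="mount" flags="ro, remount"
[ 5409.000000] type=1400 audit(1471009221.000:58): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/mnt/data/" pid=12901 comm="mount" fstype="ext4" srcname="/dev/sdb1"
[ 5410.000000] eth0: link up
'''

# key="quoted value" (may contain spaces and commas) or key=bare_token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_denial(line):
    """Return a dict of fields for an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    stamp = AUDIT_RE.search(line)
    if not stamp:
        return None
    # Only the text after "audit(...)" carries the AppArmor key=value pairs.
    body = line[stamp.end():]
    rec = {k: (q if b == '' else b) for k, q, b in FIELD_RE.findall(body)}
    rec['epoch'] = float(stamp.group(1))
    rec['serial'] = int(stamp.group(2))
    # flags="ro, remount" becomes the set {"ro", "remount"}
    raw_flags = rec.get('flags', '')
    rec['flags'] = {f.strip() for f in raw_flags.split(',') if f.strip()}
    return rec


def summarize(log_text):
    """Count denials by (profile, operation, info, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            key = (rec['profile'], rec['operation'],
                   rec.get('info', ''), rec.get('name', ''))
            counts[key] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```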