[lxc-users] How to avoid apparmor="DENIED" for remount in container

Kees Bakker keesb at ghs.com
Wed Jul 3 09:25:44 UTC 2019


Hey,

In a container I'm running some Apache/PHP service (in this case LibreNMS). This service
is causing an annoying error in /var/log/syslog which I get to see in logwatch. The error
message is triggered by a remount done by phpsessionclean, I think.

Here is a sample of the syslog message:

Jul  3 06:39:01 maas kernel: [4912175.444878] audit: type=1400 audit(1562128741.931:85397): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" name="/home/" pid=2336 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"

The same issue was discussed before [1]. At the time it was reported for
LXD 3.0.1. Stephane replied with

   "Looks like a process inside one of your containers is trying to remount /bin read-only,
    possibly just in a private namespace. That’s currently not allowed by the apparmor policy
    in LXD 3.0.1 which you’re using.

    I believe we have actually refreshed that very bit of policy so LXD 3.0.2 (once released)
    should silence this and also unblock whatever that process is trying to do."

Today, I'm running LXD 3.0.3 and the error is still there.
How can I suppress this error?

[1] https://discuss.linuxcontainers.org/t/apparmor-denied-operation-mount/2424
-- 
Kees
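
Added example, not part of the original post: a Python parser for AppArmor audit records like the one quoted above. It groups DENIED mount operations by profile, command, path and flags, so the recurring remount request can be identified exactly before deciding how to handle it. The second and third sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: line 1 is the record from the post; lines 2-3 are constructed.
SAMPLE = '''\
Jul  3 06:39:01 maas kernel: [4912175.444878] audit: type=1400 audit(1562128741.931:85397): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" name="/home/" pid=2336 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"
Jul  3 07:09:01 maas kernel: [4913975.101010] audit: type=1400 audit(1562130541.120:85410): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-librenms_</var/lib/lxd>" name="/home/" pid=2991 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"
Jul  3 07:10:12 maas kernel: [4914046.500000] audit: type=1400 audit(1562130612.000:85411): apparmor="ALLOWED" operation="open" profile="example" name=2F746D702F612062 pid=3000 comm="cat"
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted value" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
UNTRUSTED = ('name', 'comm', 'profile')

def parse_line(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key in UNTRUSTED and HEX.fullmatch(raw):
            # Kernel audit convention: strings with spaces or control
            # characters are logged as unquoted hex instead of in quotes.
            rec[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            rec[key] = raw
    # Normalise the mount flags into a tuple so identical requests compare equal.
    rec['flags'] = tuple(f.strip() for f in rec.get('flags', '').split(',') if f.strip())
    return rec

def mount_denials(text):
    """Count DENIED mount records per (profile, comm, name, flags)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'mount':
            counts[(rec.get('profile'), rec.get('comm'), rec.get('name'), rec['flags'])] += 1
    return counts

if __name__ == '__main__':
    for (profile, comm, name, flags), n in mount_denials(SAMPLE).most_common():
        print(f'{n}x profile={profile} comm={comm} name={name} flags={",".join(flags)}')
```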