Unable to start container using LXC 4.0 on Ubuntu 20.04 LTS (failed to mount: permission denied)


Published on June 25th 2021 - Listed in LXC Linux


On a new bare-metal Ubuntu 20.04 LTS server, the following error showed up when trying to launch an LXC container in the foreground (-F):

root@lxchost:~# lxc-start -n container1 -F
lxc-start: inf-monui01-p: utils.c: __safe_mount_beneath_at: 1106 Function not implemented - Failed to open 40(dev)Failed to mount tmpfs at /dev/shm: Permission denied
Failed to mount tmpfs at /run: Permission denied
Failed to mount tmpfs at /run/lock: Permission denied
Failed to mount tmpfs at /sys/fs/cgroup: Permission denied
Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...

The relevant Apparmor denials can be found in dmesg:

root@lxchost:~# dmesg
[...]
[1371442.354903] audit: type=1400 audit(1624611561.545:30): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-container-default-cgns" pid=2262462 comm="lxc-start"
[1371442.361397] audit: type=1400 audit(1624611561.549:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/dev/shm/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361632] audit: type=1400 audit(1624611561.549:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, strictatime"
[1371442.361875] audit: type=1400 audit(1624611561.549:33): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/run/lock/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, noexec"
[1371442.362427] audit: type=1400 audit(1624611561.549:34): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/sys/fs/cgroup/" pid=2262462 comm="systemd" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev, noexec, strictatime"

No Apparmor profile defined

When a new container is created...

root@lxchost:~# lxc-create -n test7 -B lvm --vgname=vglxc --fstype=ext4 --fssize 10G -t download -- -d ubuntu -r focal -a amd64
Using image from local cache
Unpacking the rootfs

---
You just created an Ubuntu focal amd64 (20210623_08:39) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.

... the following default container config is created with it:

root@lxchost:~# cat /var/lib/lxc/test7/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r focal -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf

# For Ubuntu 14.04
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = lvm:/dev/vglxc/test7
lxc.uts.name = test7

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:53:e0:45

However, neither this default container config nor the included common.conf sets an Apparmor profile. Apparmor then correctly denies the container's requests to mount the system file systems.

To solve this, an Apparmor profile needs to be chosen and added to the config:

root@lxchost:~# grep apparmor /var/lib/lxc/container1/config
lxc.apparmor.profile = generated

Here the "generated" profile was chosen. This means that LXC detects what the container needs and generates an Apparmor profile for this container.

Right after this, the start of the container worked:

root@lxchost:~# lxc-start -n container1 -d
root@lxchost:~# lxc-ls -f
NAME          STATE   AUTOSTART GROUPS IPV4         IPV6 UNPRIVILEGED
container1    RUNNING 1         -      10.166.15.25 -    false
test7         STOPPED 0         -      -            -    false

Available Apparmor profiles

The following Apparmor profiles are available (as of LXC 4.0):

  • unconfined: Lets the container do (almost) anything it wants; tells Apparmor not to deny anything for this container
  • unchanged: If a profile is already configured somewhere, tells Apparmor not to change it
  • generated: Instructs LXC to generate an Apparmor profile based on the needs of the container
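
As an added example (not from the original post), a small POSIX shell audit that resolves the effective lxc.apparmor.profile of every container config, following lxc.include chains the way lxc reads them, and flags configs with no profile (which fail to start as shown above) or with unconfined. The LXC path, the verdict strings and the directory-include handling are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective
# lxc.apparmor.profile of every container config under an LXC path,
# following lxc.include chains the way lxc reads them (later settings
# win). Containers with no profile hit the Apparmor mount denials shown
# above; "unconfined" is flagged for review. Assumes configs live at
# $LXC_PATH/<name>/config (default /var/lib/lxc).

# effective_profile FILE [DEPTH]: print the profile FILE resolves to, or "unset".
effective_profile() {
    file=$1 depth=${2:-0} result=unset
    [ "$depth" -le 8 ] && [ -r "$file" ] || { echo "$result"; return; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*|'') continue ;; esac       # skip comments and blanks
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        val=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            lxc.include)
                # A directory include means every *.conf inside it (assumption).
                if [ -d "$val" ]; then set -- "$val"/*.conf; else set -- "$val"; fi
                for inc in "$@"; do
                    sub=$(effective_profile "$inc" $((depth + 1)))   # subshell: own state
                    [ "$sub" != unset ] && result=$sub
                done ;;
            lxc.apparmor.profile) result=$val ;;
        esac
    done < "$file"
    echo "$result"
}

# audit_lxc_path DIR: one line per container, "<name> <profile> <verdict>".
audit_lxc_path() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        name=$(basename "$(dirname "$cfg")")
        prof=$(effective_profile "$cfg")
        case "$prof" in
            unset)      verdict='NO-PROFILE (lxc-start will fail: mount denied)' ;;
            unconfined) verdict='UNCONFINED (review)' ;;
            *)          verdict='ok' ;;
        esac
        printf '%s %s %s\n' "$name" "$prof" "$verdict"
    done
}

audit_lxc_path "${LXC_PATH:-/var/lib/lxc}"
```

Run it on the host before rebooting or autostarting containers; any NO-PROFILE line is a container that will stop at "Failed to mount API filesystems" exactly as in the output above.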

