Paul Gevers <elb...@debian.org> writes:

> On 27-01-2021 22:41, Valentin Vidic wrote:
>
>> On Wed, Jan 27, 2021 at 10:37:56PM +0100, Paul Gevers wrote:
>>
>>> debian@ci-worker-ppc64el-01:~$ sudo cat /etc/lxc/default.conf
>>> # MANAGED WITH CHEF; DON'T CHANGE BY HAND
>>> lxc.net.0.type = veth
>>> lxc.net.0.link = virbr0
>>> lxc.net.0.flags = up
>>> lxc.apparmor.profile = generated
>>> lxc.apparmor.allow_nesting = 1
>>
>> I think this is only for new containers and for the existing ones these
>> options would be in /var/lib/lxc/<container>/config. Also apparmor
>> should log mount failures in kernel log or somewhere...
>
> We generate fresh containers on a daily basis.
Hi Paul,

These systemd messages are emitted during service setup, before the service
binary is even started, and are very much characteristic of the AppArmor
misconfiguration described in the LXC 3 NEWS file. I can readily reproduce
them with another systemd-hardened package:

systemd[697]: coturn.service: Failed to set up mount namespacing: Permission denied
systemd[697]: coturn.service: Failed at step NAMESPACE spawning /usr/bin/turnserver: Permission denied

and such messages are neatly paired with these in the host syslog:

audit: type=1400 audit(1611830306.349:157): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=27587 comm="(rnserver)" flags="rw, rslave"

Can you see such messages? Are you sure that the failed runs had

lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

in their LXC configuration?

--
Feri
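The two checks Feri asks for, as an added example that is not part of the bug thread: a shell snippet that verifies a container's LXC config actually carries `lxc.apparmor.profile = generated` and `lxc.apparmor.allow_nesting = 1` (a commented-out line does not count), and a filter that pulls AppArmor mount denials out of a host syslog dump and reports the profile, process and mount flags involved. The config files and the syslog excerpt are constructed for the example (the "good" config and the first audit line reproduce what the thread shows; the per-container "bad" config and the second audit line are invented), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: check whether an LXC container
# config carries the AppArmor nesting options discussed in the thread, and pull
# the paired AppArmor mount denials out of a syslog dump. All input files below
# are constructed for the example.

# Return 0 when CONFIG sets both lxc.apparmor.profile = generated and
# lxc.apparmor.allow_nesting = 1 (spacing-tolerant; commented lines do not count).
lxc_config_has_nesting() {
    if grep -Eq '^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*generated[[:space:]]*$' "$1" &&
       grep -Eq '^[[:space:]]*lxc\.apparmor\.allow_nesting[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"; then
        return 0
    fi
    return 1
}

# Print "profile comm flags" for every AppArmor mount denial in LOG; other
# denials (e.g. operation="capable") are ignored.
apparmor_mount_denials() {
    { grep 'apparmor="DENIED" operation="mount"' "$1" || true; } |
        sed -E 's/.*profile="([^"]*)".*comm="([^"]*)".*flags="([^"]*)".*/\1 \2 \3/'
}

tmp=$(mktemp -d)

# Constructed: the /etc/lxc/default.conf shown in the thread.
GOOD_CONF="$tmp/good.conf"
cat > "$GOOD_CONF" <<'EOF'
# MANAGED WITH CHEF; DON'T CHANGE BY HAND
lxc.net.0.type = veth
lxc.net.0.link = virbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
EOF

# Constructed (invented): a per-container config still pinned to the stock
# profile, with the nesting option present only as a comment.
BAD_CONF="$tmp/bad.conf"
cat > "$BAD_CONF" <<'EOF'
lxc.net.0.type = veth
lxc.apparmor.profile = lxc-container-default-cgns
#lxc.apparmor.allow_nesting = 1
EOF

# Constructed host syslog excerpt: the mount denial quoted in the thread plus
# an invented, unrelated denial that must not be reported.
LOG="$tmp/syslog"
cat > "$LOG" <<'EOF'
audit: type=1400 audit(1611830306.349:157): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=27587 comm="(rnserver)" flags="rw, rslave"
audit: type=1400 audit(1611830306.350:158): apparmor="DENIED" operation="capable" profile="lxc-container-default-cgns" pid=27588 comm="turnserver" capability=21 capname="sys_admin"
EOF

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if lxc_config_has_nesting "$conf"; then
        echo "$conf: nesting options present"
    else
        echo "$conf: nesting options missing, systemd NAMESPACE failures expected"
    fi
done
apparmor_mount_denials "$LOG"
```

On a real host, point `lxc_config_has_nesting` at `/var/lib/lxc/<container>/config` (the file Valentin mentions) rather than at `/etc/lxc/default.conf`, since the default only seeds newly created containers, and feed `apparmor_mount_denials` the output of `journalctl -k` or `dmesg`; a denial whose `profile=` is still `lxc-container-default-cgns` is direct evidence that the container was not started with the generated profile.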