Package: lxc
Version: 1:4.0.6-2
Severity: important
X-Debbugs-Cc: pkoroau+...@gmail.com

Dear Maintainer,

On a pristine Debian 11 install, the example from "Unprivileged containers" section of /usr/share/doc/lxc/README.Debian.gz gives "Failed to mount proc" with an AppArmor error in dmesg, but lxc.apparmor.profile is unconfined. reportbug said to test unstable's lxc 1:4.0.10-1, but that also fails with a different error message.

$ cat test_config
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = unconfined

$ systemd-run --scope --quiet --user --property=Delegate=yes lxc-start --logfile /dev/stderr -f test_config -n machine
lxc-start machine 20210830065007.367 ERROR utils - utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc" onto "/proc"
lxc-start machine 20210830065007.367 ERROR conf - conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
lxc-start machine 20210830065007.367 ERROR conf - conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
lxc-start machine 20210830065007.367 ERROR start - start.c:do_start:1218 - Failed to setup container "machine"
[snip]

# dmesg | tail
[snip unrelated]
[ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

Could Debian's sysctl be related, as suggested on the LXC forum?

"At some point Debian introduced additional sysctl to restrict user namespaces for unprivileged users, maybe they still do that and that’s what’s getting in the way here?"
https://discuss.linuxcontainers.org/t/cannot-start-unprivileged-container-on-debian-11/12019/4

I also tried (umask 022 ; su -l non_root) per #946725 but that does not fix it. This is also unrelated to #947863 because the config says unconfined.

-- System Information:
Debian Release: 11.0
Architecture: amd64 (x86_64)

Versions of packages lxc depends on:
ii  bridge-utils                 1.7-1
ii  debconf [debconf-2.0]        1.5.77
ii  dnsmasq-base [dnsmasq-base]  2.85-1
ii  iproute2                     5.10.0-4
ii  iptables                     1.8.7-1
ii  libc6                        2.31-13
ii  libcap2                      1:2.44-1
ii  libgcc-s1                    10.2.1-6
ii  liblxc1                      1:4.0.6-2
ii  libseccomp2                  2.5.1-1
ii  libselinux1                  3.1-3
ii  lsb-base                     11.1.0

Versions of packages lxc recommends:
ii  apparmor       2.13.6-10
ii  debootstrap    1.0.123
ii  dirmngr        2.2.27-2
ii  gnupg          2.2.27-2
ii  libpam-cgfs    1:4.0.6-2
ii  lxc-templates  3.0.4-5
ii  lxcfs          4.0.7-1
ii  openssl        1.1.1k-1+deb11u1
ii  rsync          3.2.3-4
ii  uidmap         1:4.8.1-1
ii  wget           1.21-1+b1

Versions of packages lxc suggests:
ii  btrfs-progs  5.10.1-2
ii  lvm2         2.03.11-2.1
pn  python3-lxc  <none>

-- debconf information excluded