Control: tags -1 +moreinfo

On Tuesday 31 August 2021 at 18:44:19+0200, pk1 wrote:
> Package: lxc
> Version: 1:4.0.6-2
> Severity: important
> X-Debbugs-Cc: pkoroau+...@gmail.com
>
> Dear Maintainer,
>
>
> On a pristine Debian 11 install, the example from "Unprivileged containers"
> section of /usr/share/doc/lxc/README.Debian.gz gives "Failed to mount proc"
> with an AppArmor error in dmesg, but lxc.apparmor.profile is unconfined.
>
> reportbug said to test unstable's lxc 1:4.0.10-1, but that also fails with
> a different error message.
>
>
> $ cat test_config
> lxc.idmap = u 0 100000 65536
> lxc.idmap = g 0 100000 65536
> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
> lxc.apparmor.profile = unconfined
>
> $ systemd-run --scope --quiet --user --property=Delegate=yes lxc-start
> --logfile /dev/stderr -f test_config -n machine
> lxc-start machine 20210830065007.367 ERROR utils - utils.c:safe_mount:1204
> - Permission denied - Failed to mount "proc" onto "/proc"
> lxc-start machine 20210830065007.367 ERROR conf -
> conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc"
> on "/proc" with flags 14
> lxc-start machine 20210830065007.367 ERROR conf - conf.c:lxc_setup:3330 -
> Failed to setup first automatic mounts
> lxc-start machine 20210830065007.367 ERROR start - start.c:do_start:1218 -
> Failed to setup container "machine"
> [snip]
>
> # dmesg | tail
> [snip unrelated]
> [ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED"
> operation="mount" info="failed flags match" error=-13
> profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start"
> fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

I am unable to reproduce your bug on a vanilla Debian 11 or unstable system.

Please print the output of "sysctl kernel.unprivileged_userns_clone"

Please also follow all instructions of the readme file, and give me feedback.

Regards,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for principles than to live up to them.