Hi,
> After some minimal configuration (download directory, password,
> rpc-whitelist), I've tried to restart the service and it failed with
> status=226/NAMESPACE
>
> dmesg had the following apparmor related messages:
>
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.887:165):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/hugepages/" pid=4264
> comm="mount" flags="rw, move"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.887:166):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/mqueue/" pid=4265
> comm="mount" flags="rw, move"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.899:167):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/run/lock/" pid=4266
> comm="mount" flags="rw, move"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.919:168):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/tmp/" pid=4267
> comm="mount" flags="rw, move"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.927:169):
> apparmor="DENIED" operation="userns_create" class="namespace"
> profile="lxc-container-default-cgns" pid=4269 comm="(journald)"
> requested="userns_create" denied="userns_create"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.927:170):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/shm/" pid=4274
> comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, nosymfollow,
> bind"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.939:171):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/shm/" pid=4275
> comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, nosymfollow,
> bind"
> [Thu Aug 14 14:06:28 2025] audit: type=1400 audit(1755180387.947:172):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/shm/" pid=4276
> comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, nosymfollow,
> bind"
> [Thu Aug 14 14:06:28 2025] audit: type=1400 audit(1755180388.003:173):
> apparmor="DENIED" operation="userns_create" class="namespace"
> profile="lxc-container-default-cgns" pid=4277 comm="(journald)"
> requested="userns_create" denied="userns_create"
> [Thu Aug 14 14:06:28 2025] audit: type=1400 audit(1755180388.003:174):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/shm/" pid=4280
> comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, nosymfollow,
> bind"
> [Thu Aug 14 14:21:57 2025] kauditd_printk_skb: 18 callbacks suppressed
> [Thu Aug 14 14:21:57 2025] audit: type=1400 audit(1755181317.535:193):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/shm/" pid=4579
> comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, nosymfollow,
> bind"
> [Thu Aug 14 15:04:43 2025] audit: type=1400 audit(1755183883.058:194):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/tmp/" pid=5010
> comm="mount" flags="rw, move"
> [Thu Aug 14 15:04:43 2025] audit: type=1400 audit(1755183883.134:195):
> apparmor="DENIED" operation="mount" class="mount" info="failed perms check"
> error=-13 profile="lxc-container-default-cgns"
> name="/run/systemd/mount-rootfs/" pid=5011 comm="(n-daemon)" srcname="/"
> flags="rw, rbind"
>
> Running transmission-daemon directly from the command line with
>
> sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-level=info
>
> is working, so I suspect it's an interaction between the hardening
> options in /usr/lib/systemd/system/transmission-daemon.service and the
> container?

I suggest you try to remove hardening options in transmission-daemon.service
using:

# systemctl edit transmission-daemon.service

and see how it goes, and please report here.

> If the problem is that I'm missing some extra configuration because of
> the container situation, would it be possible to document it in a
> README.Debian in the usual place, please?

I have not used lxc for more than a decade, so not really knowledgeable on
these problems. From other similar bug report discussions I could find,
this may be an lxc bug (not supporting systemd hardening options) or a
misconfiguration of the lxc container by the administrator. Looking at
the lxc bug page[1], there are many similar reports.

I'm OK to include some hints in README.Debian if you can provide those.

[1] https://bugs.debian.org/lxc

Thanks!
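
Added example, not part of the original mail: a small parser that turns mail-quoted, hard-wrapped AppArmor audit lines like the ones in this report into one record per denial and counts them per profile, operation and mount target. The names `parse_denials` and `summarise` are hypothetical; the sample is constructed from three records of the quoted log, wrapped the way mail clients break such lines.

```python
import re
from collections import Counter

# Constructed sample: three records from the quoted log, mail-quoted and hard-wrapped.
SAMPLE = """\
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.887:165):
> apparmor=
> "DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 pro
> file="lxc-container-default-cgns" name="/dev/hugepages/" pid=4264
> comm="mount" f
> lags="rw, move"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.927:169):
> apparmor="DENIED" operation="userns_create" class="namespace"
> profile="lxc-container-default-cgns" pid=4269 comm="(journald)"
> requested="userns_create" denied="userns_create"
> [Thu Aug 14 14:06:27 2025] audit: type=1400 audit(1755180387.927:170):
> apparmor="DENIED" operation="mount" class="mount" info="failed flags match"
> error=-13 profile="lxc-container-default-cgns" name="/dev/shm/" pid=4274
> comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, nosymfollow,
> bind"
"""
KEYS = ("apparmor", "operation", "class", "profile", "name", "comm", "flags")
# A wrap may fall inside a key ("pro" / "file="), so allow one whitespace
# character between any two characters of the key and around the "=".
FIELD = {k: re.compile(r"\s?".join(k) + r'\s?=\s?"([^"]*)"') for k in KEYS}

def parse_denials(text):
    """Return one dict per AppArmor DENIED record, undoing quoting and wraps."""
    lines = [re.sub(r"^(>\s?)+", "", l).strip() for l in text.splitlines()]
    records, denials = [], []
    for line in lines:
        if re.match(r"\[[^\]]+\] ", line):       # a kernel timestamp starts a record
            records.append([line])
        elif records and line:
            records[-1].append(line)             # continuation of a wrapped record
    for rec in records:
        joined = " ".join(rec)
        d = {k: m.group(1) for k, rx in FIELD.items() if (m := rx.search(joined))}
        if d.get("apparmor") != "DENIED":        # skips e.g. kauditd_printk_skb lines
            continue
        # Flag names never contain whitespace, so wrap damage there is reversible.
        d["flags"] = [re.sub(r"\s", "", f) for f in d.get("flags", "").split(",") if f.strip()]
        denials.append(d)
    return denials

def summarise(denials):
    """Count denials per (profile, operation, mount target or '-')."""
    return Counter((d.get("profile", "?"), d["operation"], d.get("name", "-")) for d in denials)
```

A wrap that lands inside a quoted value other than `flags` (a path, for instance) cannot be told apart from a real space, so such values are returned as joined.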