apparmor="DENIED" operation="mount"


(Michel Dubé) #1

Hi!

I have a dedicated server (ubuntu 18.04) with one BTRFS partition (md4 on RAID1) mounted on /srv/lxd

LXD (3.0.1) is installed, BTRFS storage-pools, default profile, nothing has been added or modified and all containers are Ubuntu 18.04.

The storage pool is also mounted on that BTRFS partition -> /var/lib/lxd/storage-pools/lxd-pool.

Everything seems to be running fine, but every 30 minutes I get error messages like this one:

apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-db2_</var/lib/lxd>" name="/bin/" pid=26448 comm="(ionclean)" flags="ro, remount, bind"

lxc config show --expanded db2
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20180724)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20180724"
  image.version: "18.04"
  volatile.base_image: 38219778c2cf02521f34f950580ce3af0e4b61fbaf2b4411a7a6c4f0736071f9
  volatile.eth0.hwaddr: 00:16:3e:20:ae:d4
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    ipv4.address: 10.247.145.200
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: lxd-pool
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

What does that mean?
Cannot mount ro /bin in all containers?
What should I do to clean these error messages?

Thanks!


(Stéphane Graber) #2

Looks like a process inside one of your containers is trying to remount /bin read-only, possibly just in a private namespace. That’s currently not allowed by the apparmor policy in LXD 3.0.1 which you’re using.

I believe we have actually refreshed that very bit of policy so LXD 3.0.2 (once released) should silence this and also unblock whatever that process is trying to do.
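
To find out which container and which process is behind denials like the one above (rather than grepping by eye every half hour), the following parser can be run over the host's kernel/audit log. It is an added example, not part of this thread or of LXD itself: it splits AppArmor audit messages into their key="value" fields, maps the LXD-generated profile name `lxd-<container>_<LXD dir>` back to the container name, and counts denied mount operations per container and per `comm`. The log lines it runs on are constructed for the example (the first is the poster's line with straight quotes; the others are made up), and the ALLOWED line is there only to show that non-DENIED records are skipped.

```python
import re
from collections import Counter

# Constructed sample input (not a real capture): the denial from the post,
# a sibling denial for /usr, an unrelated open denial from another container,
# and an allowed mount. Real lines come from `journalctl -k` or /var/log/audit/audit.log.
SAMPLE_LOG = """\
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-db2_</var/lib/lxd>" name="/bin/" pid=26448 comm="(ionclean)" flags="ro, remount, bind"
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-db2_</var/lib/lxd>" name="/usr/" pid=26449 comm="(ionclean)" flags="ro, remount, bind"
apparmor="DENIED" operation="open" profile="lxd-web_</var/lib/lxd>" name="/proc/sysrq-trigger" pid=31337 comm="bash" requested_mask="w" denied_mask="w"
apparmor="ALLOWED" operation="mount" profile="lxd-web_</var/lib/lxd>" name="/tmp/" pid=31338 comm="mount" flags="rw, bind"
"""

# key=value pairs; values are either a double-quoted string or a bare token (e.g. error=-13)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# LXD names container profiles lxd-<container>_<path to the LXD directory>
PROFILE_RE = re.compile(r'^lxd-(?P<container>.+)_<(?P<lxdpath>[^>]*)>$')


def parse_apparmor_line(line):
    """Split one AppArmor audit message into a dict of its fields (quotes stripped)."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def lxd_container_from_profile(profile):
    """Return the container name encoded in an LXD profile name, or None if it is not one."""
    m = PROFILE_RE.match(profile)
    return m.group("container") if m else None


def mount_denials(log_text):
    """Return (container, comm, target, flags) for every denied mount, in log order."""
    out = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
            continue
        flags = tuple(s.strip() for s in f.get("flags", "").split(",") if s.strip())
        out.append((lxd_container_from_profile(f.get("profile", "")),
                    f.get("comm"), f.get("name"), flags))
    return out


def summarize(log_text):
    """Count denied mounts per (container, comm) so the repeating offender stands out."""
    return Counter((c, comm) for c, comm, _, _ in mount_denials(log_text))


if __name__ == "__main__":
    for (container, comm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  container={container}  comm={comm}")
    for container, comm, target, flags in mount_denials(SAMPLE_LOG):
        print(f"      {container}: {comm} tried mount {','.join(flags)} on {target}")
```

Run on a real log this tells you which container profile is involved and what the process was trying to do (here: a read-only bind remount of `/bin`), which is the information you need when deciding whether the denial is harmless noise from a hardened service or something a container should not be attempting.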


(Michel Dubé) #3

Thanks Stéphane, I appreciate it.