"apt update" hangs on new Ubuntu 24.04 containers

Hello all,

I’ve just installed Incus (version 6.0.4) on Ubuntu 25.10 (with apt install incus) and configured it with all the default options except IPv6, which is disabled. Then I created a new Ubuntu 24.04 container with incus launch ubuntu/noble noble and entered it with incus exec noble bash to run an apt update, and the problem is that this last command hangs forever. This is the output with apt debug enabled:

root@noble:~# apt -oDebug::pkgAcquire::Worker=1 update
Starting method '/usr/lib/apt/methods/http'
 <- http:100%20Capabilities%0aSend-URI-Encoded:%20true%0aSend-Config:%20true%0aPipeline:%20true%0aVersion:%201.2
Configured access method http
Version:1.2 SingleInstance:0 Pipeline:1 SendConfig:1 LocalOnly: 0 NeedsCleanup: 0 Removable: 0 AuxRequests: 0 SendURIEncoded: 1

apt is stuck there forever. But if I try an apt install <package>, it works as expected (I’ve installed openssh-server without problem).

As you can see, Internet connection is available and working as expected, but apt update hangs.

Could you please give me any clue about what is happening? Thanks very much.

Diego

Most likely a MTU issue of some kind.

You can try the rather extreme option of:

incus network set incusbr0 bridge.mtu=1280
incus restart noble

If that fixes it, then you have a PMTU issue somewhere on your network leading to the container having issues when getting responses larger than one of the intermediate hops can handle.

Thanks for the fast reply!

I’ve just applied the change but the behavior is the same: apt update gets stuck.

Ah, it not being an MTU issue is unusual :wink:
Do you get the same with apt-get update?

Yes, exactly the same result:

root@noble:~# apt-get -oDebug::pkgAcquire::Worker=1 update
Starting method '/usr/lib/apt/methods/http'
 <- http:100%20Capabilities%0aSend-URI-Encoded:%20true%0aSend-Config:%20true%0aPipeline:%20true%0aVersion:%201.2
Configured access method http
Version:1.2 SingleInstance:0 Pipeline:1 SendConfig:1 LocalOnly: 0 NeedsCleanup: 0 Removable: 0 AuxRequests: 0 SendURIEncoded: 1

Interesting. Can you install curl in there and use that to try to fetch some web pages to see if that somehow hits the same issue at some point?

Found out the solution:

incus config set noble security.privileged=true

Then, apt update worked as expected (I figured that out while trying to strace the apt executable, but obviously it didn’t work in an unprivileged container, so I marked the container as privileged).

The new question is: why doesn’t apt update work in unprivileged containers when I can apt install any package?

Not sure, but running the container privileged is definitely a terrible idea :slight_smile:

What happens if you run apt update under strace in an unprivileged container?

Nothing happens. strace apt update gets stuck in the same way as apt update. Even strace apt -oDebug::pkgAcquire::Worker=1 update has no activity, no output at all.

Maybe look at the dmesg output on the host, this smells like some weird kernel or security thing causing issues somehow.

On apt update on the container, this is what is shown in host’s dmesg:

[18489.581475] audit: type=1400 audit(1766533536.602:6323): apparmor="AUDIT" operation="change_profile" class="file" info="change_profile unprivileged unconfined converted to stacking" profile="unconfined" name="incus-noble_</var/lib/incus>//&unconfined//&:incus-noble_<var-lib-incus>:unconfined" pid=368175 comm="incusd"
[18494.897130] audit: type=1400 audit(1766533541.916:6324): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=368288 comm="apt" requested_mask="send" denied_mask="send" signal=int peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.902908] audit: type=1400 audit(1766533541.922:6325): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=368294 comm="systemctl" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.919459] audit: type=1400 audit(1766533541.938:6326): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.920335] audit: type=1400 audit(1766533541.939:6327): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=366736 comm="systemd-journal" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.920480] audit: type=1400 audit(1766533541.939:6328): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=366736 comm="systemd-journal" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.925441] audit: type=1400 audit(1766533541.944:6329): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.926121] audit: type=1400 audit(1766533541.945:6330): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 namespace="root//incus-noble_<var-lib-incus>" profile="unconfined" name="ubuntu_pro_apt_news" pid=368296 comm="(python3)"
[18494.926200] audit: type=1400 audit(1766533541.945:6331): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=368294 comm="systemctl" requested_mask="send" denied_mask="send" signal=term peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.934178] audit: type=1400 audit(1766533541.953:6332): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 namespace="root//incus-noble_<var-lib-incus>" profile="unconfined" name="ubuntu_pro_esm_cache" pid=368297 comm="(python3)"
[18495.044690] audit: type=1400 audit(1766533542.063:6333): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=368296 comm="python3" requested_mask="send" denied_mask="send" signal=int peer="incus-noble_</var/lib/incus>//&unconfined"

But there is another thing I’ve detected in dmesg when the container is restarted:

[18606.213821] audit: type=1400 audit(1766533653.211:6341): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=366736 comm="systemd-journal" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.213892] audit: type=1400 audit(1766533653.211:6342): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=366736 comm="systemd-journal" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.225316] audit: type=1400 audit(1766533653.222:6343): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=term peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.225495] audit: type=1400 audit(1766533653.223:6344): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=kill peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.225849] audit: type=1400 audit(1766533653.223:6345): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=term peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.226060] audit: type=1400 audit(1766533653.223:6346): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=kill peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.226392] audit: type=1400 audit(1766533653.223:6347): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=exists peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.228012] audit: type=1400 audit(1766533653.225:6348): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=term peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.228146] audit: type=1400 audit(1766533653.225:6349): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=kill peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.228209] audit: type=1400 audit(1766533653.225:6350): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=366675 comm="systemd" requested_mask="send" denied_mask="send" signal=term peer="incus-noble_</var/lib/incus>//&unconfined"
[18606.363817] ------------[ cut here ]------------
[18606.363821] WARNING: CPU: 11 PID: 366665 at net/core/dev.c:12410 __dev_change_net_namespace+0xc00/0xca0
[18606.364144] CPU: 11 UID: 0 PID: 366665 Comm: incusd Tainted: P        W  O        6.17.0-8-generic #8-Ubuntu PREEMPT(voluntary) 
[18606.364149] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE
[18606.364150] Hardware name: SLIMBOOK PROX15/PROX15, BIOS N.1.02 12/10/2019
[18606.364152] RIP: 0010:__dev_change_net_namespace+0xc00/0xca0
[18606.364177] Call Trace:
[18606.364178]  <TASK>
[18606.364184]  do_setlink.isra.0+0xbc/0xdf0
[18606.364193]  __rtnl_newlink+0x2f0/0x3c0
[18606.364198]  rtnl_newlink+0x4d6/0x910
[18606.364201]  ? fsnotify_grab_connector+0x4c/0x90
[18606.364207]  ? security_capable+0x44/0x80
[18606.364211]  ? __pfx_rtnl_newlink+0x10/0x10
[18606.364214]  rtnetlink_rcv_msg+0x381/0x460
[18606.364218]  ? __call_rcu_common+0xcc/0x380
[18606.364222]  ? call_rcu+0x31/0x50
[18606.364225]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[18606.364228]  netlink_rcv_skb+0x5e/0x120
[18606.364234]  rtnetlink_rcv+0x15/0x30
[18606.364236]  netlink_unicast+0x28c/0x3c0
[18606.364240]  netlink_sendmsg+0x216/0x450
[18606.364245]  ____sys_sendmsg+0x3a8/0x3e0
[18606.364262]  ___sys_sendmsg+0x99/0xf0
[18606.364263]  ? do_sock_setsockopt+0xc1/0x1b0
[18606.364270]  __sys_sendmsg+0x93/0x100
[18606.364275]  __x64_sys_sendmsg+0x1d/0x30
[18606.364277]  x64_sys_call+0x1ae4/0x2330
[18606.364280]  do_syscall_64+0x81/0xc90
[18606.364284]  ? __wake_up+0x45/0x70
[18606.364287]  ? netlink_bind+0x13e/0x360
[18606.364290]  ? apparmor_socket_bind+0x36/0x80
[18606.364293]  ? __sys_bind+0xf5/0x130
[18606.364297]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[18606.364300]  ? do_syscall_64+0xb9/0xc90
[18606.364302]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[18606.364304]  ? do_syscall_64+0xb9/0xc90
[18606.364306]  ? do_syscall_64+0xb9/0xc90
[18606.364308]  ? exc_page_fault+0x90/0x1b0
[18606.364311]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[18606.364330]  </TASK>
[18606.364331] ---[ end trace 0000000000000000 ]---
[18606.364518] physN9XqHK: renamed from eth0
[18606.364788] incusbr0: port 2(veth89a4dd70) entered disabled state
[18606.371466] vethf5e351ee: renamed from physN9XqHK
[18606.407445] incusbr0: port 2(veth89a4dd70) entered blocking state
[18606.407454] incusbr0: port 2(veth89a4dd70) entered forwarding state
[18606.416922] veth89a4dd70: left allmulticast mode
[18606.416930] veth89a4dd70: left promiscuous mode
[18606.416994] incusbr0: port 2(veth89a4dd70) entered disabled state
[18607.084368] incusbr0: port 2(veth4610b7ee) entered blocking state
[18607.084374] incusbr0: port 2(veth4610b7ee) entered disabled state
[18607.084391] veth4610b7ee: entered allmulticast mode
[18607.084483] veth4610b7ee: entered promiscuous mode
[18607.219990] ------------[ cut here ]------------
[18607.219995] WARNING: CPU: 4 PID: 370624 at net/core/dev.c:12410 __dev_change_net_namespace+0xc00/0xca0
[18607.220260] CPU: 4 UID: 0 PID: 370624 Comm: incusd Tainted: P        W  O        6.17.0-8-generic #8-Ubuntu PREEMPT(voluntary) 
[18607.220266] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE
[18607.220268] Hardware name: SLIMBOOK PROX15/PROX15, BIOS N.1.02 12/10/2019
[18607.220270] RIP: 0010:__dev_change_net_namespace+0xc00/0xca0
[18607.220302] Call Trace:
[18607.220304]  <TASK>
[18607.220310]  ? kfree_skbmem+0x7d/0xa0
[18607.220316]  do_setlink.isra.0+0xbc/0xdf0
[18607.220325]  ? update_load_avg+0x8f/0x420
[18607.220330]  ? pcpu_block_update_hint_free+0x2d4/0x300
[18607.220336]  __rtnl_newlink+0x2f0/0x3c0
[18607.220341]  rtnl_newlink+0x4d6/0x910
[18607.220347]  ? security_capable+0x44/0x80
[18607.220351]  ? __pfx_rtnl_newlink+0x10/0x10
[18607.220356]  rtnetlink_rcv_msg+0x381/0x460
[18607.220360]  ? __memcg_slab_post_alloc_hook+0x1ba/0x3f0
[18607.220366]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[18607.220370]  netlink_rcv_skb+0x5e/0x120
[18607.220377]  rtnetlink_rcv+0x15/0x30
[18607.220380]  netlink_unicast+0x28c/0x3c0
[18607.220385]  netlink_sendmsg+0x216/0x450
[18607.220390]  ____sys_sendmsg+0x3a8/0x3e0
[18607.220395]  ___sys_sendmsg+0x99/0xf0
[18607.220403]  __sys_sendmsg+0x93/0x100
[18607.220409]  __x64_sys_sendmsg+0x1d/0x30
[18607.220413]  x64_sys_call+0x1ae4/0x2330
[18607.220416]  do_syscall_64+0x81/0xc90
[18607.220420]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[18607.220424]  ? do_syscall_64+0xb9/0xc90
[18607.220427]  ? sock_alloc_file+0x67/0xe0
[18607.220432]  ? __sys_socket+0xe2/0x110
[18607.220436]  ? arch_exit_to_user_mode_prepare.isra.0+0xd/0xe0
[18607.220438]  ? do_syscall_64+0xb9/0xc90
[18607.220441]  ? do_syscall_64+0xb9/0xc90
[18607.220444]  ? exc_page_fault+0x90/0x1b0
[18607.220449]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[18607.220475]  </TASK>
[18607.220477] ---[ end trace 0000000000000000 ]---
[18607.220625] physztUTH7: renamed from vethb7f68bfd
[18607.221428] eth0: renamed from physztUTH7
[18607.222002] incusbr0: port 2(veth4610b7ee) entered blocking state
[18607.222009] incusbr0: port 2(veth4610b7ee) entered forwarding state

I don’t know if they are related things or not.

Yeah, the apparmor denials may well be related.
The kernel warnings are also from an old kernel bug that was fixed months ago.

Can you make sure your host is fully up to date and running its latest available kernel update?

I think my box is fully updated:

user@box ~ $ sudo apt update
Hit:1 https://dl.winehq.org/wine-builds/ubuntu questing InRelease
Hit:2 http://es.archive.ubuntu.com/ubuntu questing InRelease
Hit:3 https://packages.microsoft.com/repos/code stable InRelease
Hit:4 http://security.ubuntu.com/ubuntu questing-security InRelease
Hit:5 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:6 http://es.archive.ubuntu.com/ubuntu questing-updates InRelease
Hit:7 http://es.archive.ubuntu.com/ubuntu questing-backports InRelease
Hit:8 https://ppa.launchpadcontent.net/ansible/ansible/ubuntu noble InRelease
Hit:9 https://ppa.launchpadcontent.net/flexiondotorg/quickemu/ubuntu noble InRelease
Hit:10 https://ppa.launchpadcontent.net/papirus/papirus/ubuntu plucky InRelease
Hit:11 https://packages.mozilla.org/apt mozilla InRelease
All packages are up to date.
user@box ~ $ uname -a
Linux box 6.17.0-8-generic #8-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 14 21:44:46 UTC 2025 x86_64 GNU/Linux
user@box ~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 25.10
Release:        25.10
Codename:       questing

why are u using 6.0.4 version? latest is 6.20. i can run ubuntu/24.04 containers just fine, host is arch (kernel 6.17.8-arch1-1):

root@ubuntu:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:3 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Fetched 252 kB in 0s (948 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

Incus 6.0.4 is the default version in official Ubuntu 25.10 repositories.

EDIT: I’ve installed Incus 6.20 using Zabbly (and libfuse3-3 manually because Ubuntu 25.10 only has libfuse3-4 in its repository) and the problem still persists. An apt update hangs in unprivileged containers but it works in privileged ones.

EDIT2: Issuing an aa-teardown to temporarily disable apparmor on the host and then launching the apt update command inside the container makes it work as expected.

If you want to figure out the source of an image, you would run the following. Here it says that this system is running Incus 6.19 from the Zabbly repositories, while the latest version is 6.20. And if the user would sudo apt install incus, it would upgrade to the latest version. The 6.0.4 version could either be provided by Zabbly, or by the Debian universe repository, or by someone else. You would need to apt policy the package to make sure what you are dealing with.

$ apt policy incus
incus:
  Installed: 1:6.19.1-ubuntu22.04-202512052328
  Candidate: 1:6.20-ubuntu22.04-202512212018
  Version table:
     1:6.20-ubuntu22.04-202512212018 500
        500 https://pkgs.zabbly.com/incus/stable jammy/main amd64 Packages
     1:6.20-ubuntu22.04-202512191823 500
        500 https://pkgs.zabbly.com/incus/stable jammy/main amd64 Packages
 *** 1:6.19.1-ubuntu22.04-202512052328 100
        100 /var/lib/dpkg/status
$

I believe you are running into the new Ubuntu apparmor kernel settings, specifically enforcing stacking profiles.

Related: AppArmor blocks sending signals on Ubuntu 25.04 host

security.privileged=true will disable the apparmor profile, just like doing an aa-teardown, so then the apt update will work.

I believe the apparmor profile in the stable releases now has some special handling when stacking is enforced, so either upgrading to the latest stable version, or adding some extra apparmor rules in the config, like in the related issue, will fix this without compromising security.

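An added example, not posted by anyone in the thread: a small triage script for host dmesg audit records like the ones above. It counts AppArmor denials per operation and picks out signal sends that were blocked between a container profile and its own stacked label (`profile//&unconfined`), the pattern the last reply attributes to enforced profile stacking. The function names are assumptions of this example; the sample records are copied from the dmesg excerpt in the thread.

```python
import re
from collections import Counter

# Host dmesg records copied from the excerpt posted in the thread:
# one AUDIT record followed by four DENIED records.
SAMPLE = r'''
[18489.581475] audit: type=1400 audit(1766533536.602:6323): apparmor="AUDIT" operation="change_profile" class="file" info="change_profile unprivileged unconfined converted to stacking" profile="unconfined" name="incus-noble_</var/lib/incus>//&unconfined//&:incus-noble_<var-lib-incus>:unconfined" pid=368175 comm="incusd"
[18494.897130] audit: type=1400 audit(1766533541.916:6324): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=368288 comm="apt" requested_mask="send" denied_mask="send" signal=int peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.902908] audit: type=1400 audit(1766533541.922:6325): apparmor="DENIED" operation="ptrace" class="ptrace" profile="incus-noble_</var/lib/incus>" pid=368294 comm="systemctl" requested_mask="read" denied_mask="read" peer="incus-noble_</var/lib/incus>//&unconfined"
[18494.926121] audit: type=1400 audit(1766533541.945:6330): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 namespace="root//incus-noble_<var-lib-incus>" profile="unconfined" name="ubuntu_pro_apt_news" pid=368296 comm="(python3)"
[18494.926200] audit: type=1400 audit(1766533541.945:6331): apparmor="DENIED" operation="signal" class="signal" profile="incus-noble_</var/lib/incus>" pid=368294 comm="systemctl" requested_mask="send" denied_mask="send" signal=term peer="incus-noble_</var/lib/incus>//&unconfined"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def peer_is_own_stack(rec):
    """True when the peer label is the sender's own profile stacked with
    another label, e.g. peer 'X//&unconfined' for profile 'X'."""
    base, sep, _rest = rec.get("peer", "").partition("//&")
    return bool(sep) and base == rec.get("profile")


def triage(text):
    """Summarise DENIED records: counts per operation, signal sends blocked
    towards the sender's own stacked label, and profile names not found."""
    by_operation = Counter()
    blocked_signals = []
    missing_labels = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and AUDIT/ALLOWED records
        operation = rec.get("operation", "?")
        by_operation[operation] += 1
        if operation == "signal" and peer_is_own_stack(rec):
            blocked_signals.append((rec.get("comm"), rec.get("signal")))
        elif rec.get("info") == "label not found":
            missing_labels.append(rec.get("name"))
    return {
        "by_operation": dict(by_operation),
        "blocked_signals": blocked_signals,
        "missing_labels": missing_labels,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("denials per operation:", report["by_operation"])
    for comm, sig in report["blocked_signals"]:
        print(f"signal {sig} from {comm} blocked towards its own stacked label")
    for name in report["missing_labels"]:
        print("profile transition failed, label not found:", name)
```

On a live host the same function can be fed the captured output of `dmesg`, for example `triage(open("dmesg.txt").read())`.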