Errors in dmesg after rebooting lxd container


#1

Hi,

In the dmesg log, if I reboot instance 'ib6', I get the following errors. Without rebooting, there are no errors at all. Any idea why?

[54931.386811] audit: type=1400 audit(1552605408.515:60): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/dev/" pid=27511 comm="mount" flags="ro, remount"
[54931.389921] audit: type=1400 audit(1552605408.519:61): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/" pid=27512 comm="mount" flags="ro, remount"
[54931.393028] audit: type=1400 audit(1552605408.523:62): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/sys/" pid=27513 comm="mount" flags="ro, remount"
[54931.396118] audit: type=1400 audit(1552605408.523:63): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/cpuinfo" pid=27514 comm="mount" flags="ro, remount"
[54931.399245] audit: type=1400 audit(1552605408.527:64): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/diskstats" pid=27515 comm="mount" flags="ro, remount"
[54931.402406] audit: type=1400 audit(1552605408.531:65): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/meminfo" pid=27516 comm="mount" flags="ro, remount"
[54931.405522] audit: type=1400 audit(1552605408.535:66): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/stat" pid=27517 comm="mount" flags="ro, remount"
[54931.408657] audit: type=1400 audit(1552605408.539:67): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/swaps" pid=27518 comm="mount" flags="ro, remount"
[54931.411721] audit: type=1400 audit(1552605408.539:68): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/uptime" pid=27519 comm="mount" flags="ro, remount"
[54931.414754] audit: type=1400 audit(1552605408.543:69): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/dev/full" pid=27520 comm="mount" flags="ro, remount"


(Stéphane Graber) #2

Yeah, it just means that the init system in your container attempted to remount / in the container as read-only.

That’s not an unusual behavior but because of how the kernel works, especially with privileged containers, this read-only remount can get propagated back to the host, affecting the host itself and all other containers.

To prevent such issues, apparmor is configured to prevent it, which may lead to such DENIAL log entries. It’s not really something to worry about though.
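
Added example (not part of the original thread and not LXD's own code): a small triage script that separates the read-only remount denials discussed above from any other AppArmor denial that deserves a closer look. The function names and the `lxd-` profile prefix check are assumptions based on the profile name shown in the log above.

```python
import re
from collections import Counter

# First two lines are taken from the dmesg output in this thread; the third
# is a constructed denial of a different kind, to exercise the "review" path.
SAMPLE = '''\
[54931.386811] audit: type=1400 audit(1552605408.515:60): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/dev/" pid=27511 comm="mount" flags="ro, remount"
[54931.389921] audit: type=1400 audit(1552605408.519:61): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/proc/" pid=27512 comm="mount" flags="ro, remount"
[54940.000000] audit: type=1400 audit(1552605417.000:70): apparmor="DENIED" operation="open" profile="lxd-ib6_</var/snap/lxd/common/lxd>" name="/sys/kernel/debug/x" pid=27600 comm="cat" requested_mask="r" denied_mask="r"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def is_ro_remount_denial(f):
    """True for a denied mount with both 'ro' and 'remount' flags in an lxd- profile."""
    flags = {x.strip() for x in f.get('flags', '').split(',')}
    return (f.get('operation') == 'mount'
            and f.get('profile', '').startswith('lxd-')
            and {'ro', 'remount'} <= flags)

def triage(text):
    """Count expected remount denials per profile; collect all other denials."""
    expected, review = Counter(), []
    for line in text.splitlines():
        f = parse(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        if is_ro_remount_denial(f):
            expected[f['profile']] += 1
        else:
            review.append(f)
    return expected, review

if __name__ == '__main__':
    expected, review = triage(SAMPLE)
    print('expected ro-remount denials per profile:', dict(expected))
    print('denials to review:', [(f['operation'], f['name']) for f in review])
```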


#3

cool.