Incus and apparmor

Hi.

I note that my console gets a lot of apparmor “DENIED…” messages. I am wondering if I am supposed to do anything on either a basic Debian or Ubuntu install to make apparmor happy(ier) with incus; or if I should continue to just ignore these messages. Is there a way to stop it displaying these messages (assuming they are benign?)

It’s not a big deal, but it does sometimes overly clutter my console for those times I am using my IPMI interface (usually after I break my networking, which is not an incus problem, it’s an ‘Andrew’ problem…).

A typical console output example follows, and these can appear at quite a rate sometimes, depending on my instance status/action:

THANK YOU for Incus!!

Yeah, that’s mostly normal output that results from systemd trying to perform mounts which could be used to bypass some of the default apparmor policies.

In practice for unprivileged containers, this isn’t much of a concern, as apparmor is used as an extra safety net rather than as the main security mechanism. If that causes issues in your containers or if you just want to make things a bit more quiet, you can set security.nesting=true on the container, as allowing nesting relaxes a number of the mount-related apparmor rules, which will likely get rid of all of the ones you showed above.

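To confirm that the denials on a host really are the mount-related ones described in the reply before ignoring them or setting security.nesting, a small triage script can group them by profile and operation. This is an added example, not part of the original thread: the sample log lines are constructed, and the `incus-` profile prefix is an assumption about how the container profiles are named on the host.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's AppArmor audit format. Profile names,
# PIDs and paths are made up for illustration, not taken from the original post.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:51): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="incus-web01_</var/lib/incus>" name="/run/systemd/unit-root/proc/" pid=2211 comm="(networkd)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
audit: type=1400 audit(1700000000.205:52): apparmor="DENIED" operation="mount" class="mount" error=-13 profile="incus-web01_</var/lib/incus>" name="/run/systemd/unit-root/proc/" pid=2215 comm="(resolved)" fstype="proc" srcname="proc"
audit: type=1400 audit(1700000001.310:53): apparmor="DENIED" operation="mount" class="mount" error=-13 profile="incus-web01_</var/lib/incus>" name="/run/systemd/mount-rootfs/" pid=2230 comm="(journald)" flags="rw, rbind"
audit: type=1400 audit(1700000002.007:54): apparmor="DENIED" operation="mount" class="mount" error=-13 profile="incus-db01_</var/lib/incus>" name="/run/systemd/unit-root/proc/" pid=3104 comm="(logind)" fstype="proc"
audit: type=1400 audit(1700000003.500:55): apparmor="DENIED" operation="open" class="file" profile="example-daemon" name="/etc/shadow" pid=4100 comm="example" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000004.000:56): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus-web01_</var/lib/incus>" pid=900 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per apparmor="DENIED" record; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = {key: value.strip('"') for key, value in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def summarize(records):
    """Count denials per (profile, operation) pair."""
    return Counter((r.get("profile", "?"), r.get("operation", "?")) for r in records)

def needs_review(records, prefix="incus-"):
    """Denials that are not mount operations from an Incus container profile.

    The "incus-" prefix is an assumption; adjust it to the profile names on the host.
    """
    return [r for r in records
            if r.get("operation") != "mount"
            or not r.get("profile", "").startswith(prefix)]

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for (profile, operation), count in summarize(denials).most_common():
        print(f"{count:4d}  {operation:8s} {profile}")
    for r in needs_review(denials):
        print("review:", r.get("profile"), r.get("operation"), r.get("name"))
```

On a real host the same functions can be fed the kernel log text instead of `SAMPLE_LOG`; anything returned by `needs_review` falls outside the pattern the reply describes.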