Noatime causes me trouble

Hello. I’m new to LXC/LXD.
When my system drive is mounted with the noatime flag I get different kinds of apparmor="DENIED" messages in dmesg. Also timedatectl and hostnamectl in a Debian 10 container don't work; there is an error:

root@buster:~# systemctl status systemd-timedated.service
  systemd-timedated.service - Time & Date Service
   Loaded: loaded (/lib/systemd/system/systemd-timedated.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2021-02-21 12:59:02 UTC; 41s ago
     Docs: man:systemd-timedated.service(8)
           man:localtime(5)
           https://www.freedesktop.org/wiki/Software/systemd/timedated
  Process: 102 ExecStart=/lib/systemd/systemd-timedated (code=exited, status=226/NAMESPACE)
 Main PID: 102 (code=exited, status=226/NAMESPACE)

Feb 21 12:59:02 buster systemd[1]: Starting Time & Date Service...
Feb 21 12:59:02 buster systemd[102]: systemd-timedated.service: Failed to set up mount namespacing: Permission denied
Feb 21 12:59:02 buster systemd[102]: systemd-timedated.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-timedated: Permission denied
Feb 21 12:59:02 buster systemd[1]: systemd-timedated.service: Main process exited, code=exited, status=226/NAMESPACE
Feb 21 12:59:02 buster systemd[1]: systemd-timedated.service: Failed with result 'exit-code'.
Feb 21 12:59:02 buster systemd[1]: Failed to start Time & Date Service.

At the same time in the dmesg there is:

type=1400 audit(1613910952.362:46): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-buster_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/" pid=3692 comm="(imedated)" flags="ro, remount, noatime, bind"

Any advice on how to solve this?
Tried with LXD 4.11 and 4.0.5, but it is the same with both. The only thing that seems to fix the problem is not to use the noatime flag in fstab for the system drive.
My host OS is Debian 10.8, it has apparmor 2.13.2. Containers are all unprivileged.
Thanks.

And you don’t get that AppArmor denial message when not using noatime?

No, everything works fine without noatime. I tried on another computer, and the same happened.
The host OS is Debian 10.8 too.
Here is with noatime:

And this is without noatime:

@stgraber could this be the host's own apparmor rules causing issues?

It’s most likely the LXD generated apparmor rules.
Basically apparmor is annoying and the exact set of mount flags must match. In this case, relatime became noatime and so all the mount rules we have now fail to apply completely…

We already have a number of variants of those mount rules to account for some stuff like that, but it looks like we’d need to double the set again to account for this (may be worth adding logic to generate all combinations at some point…).

@penguinzero lxc config set NAME raw.apparmor mount, will most likely get rid of this issue (allows all mounts, never do that with a privileged container but with an unprivileged one, it’s not a big deal).
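As an added example (not from the thread, and not LXD's own code), a small Python helper that parses AppArmor audit lines like the one quoted above out of dmesg and reports which LXD instance, mount target and mount flags were denied, so the relatime/noatime flag mismatch described here can be spotted from the host side. The sample lines are constructed from the denial quoted in this thread plus one unrelated allowed event.

```python
import re

# Constructed sample: the denial quoted in this thread (as dmesg prints it, one line)
# plus an unrelated non-mount event that the filter must ignore.
SAMPLE_DMESG = [
    'type=1400 audit(1613910952.362:46): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxd-buster_</var/snap/lxd/common/lxd>" '
    'name="/run/systemd/unit-root/" pid=3692 comm="(imedated)" flags="ro, remount, noatime, bind"',
    'type=1400 audit(1613910960.001:47): apparmor="ALLOWED" operation="open" '
    'profile="lxd-other_</var/snap/lxd/common/lxd>" name="/etc/hostname" pid=4000 comm="cat"',
]

# AppArmor audit lines carry key="value" pairs; unquoted ones (pid, error) are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_line(line):
    """Return the key="value" fields of an AppArmor audit line as a dict, or None if not one."""
    if 'apparmor=' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if 'flags' in fields:
        # flags="ro, remount, noatime, bind" -> ['ro', 'remount', 'noatime', 'bind']
        fields['flags'] = [f.strip() for f in fields['flags'].split(',')]
    return fields


def mount_flag_denials(lines):
    """Summarise DENIED mount operations: LXD instance, target path, flags, and the atime flag."""
    results = []
    for line in lines:
        f = parse_apparmor_line(line)
        if not f or f.get('apparmor') != 'DENIED' or f.get('operation') != 'mount':
            continue
        profile = f.get('profile', '')
        # LXD names profiles lxd-<instance>_<path>; recover the instance name.
        instance = profile.split('_<', 1)[0]
        if instance.startswith('lxd-'):
            instance = instance[4:]
        flags = f.get('flags', [])
        results.append({
            'instance': instance,
            'target': f.get('name'),
            'flags': flags,
            # relatime vs noatime is the mismatch this thread is about
            'atime_flag': next((x for x in flags if x.endswith('atime')), None),
            'flags_mismatch': f.get('info') == 'failed flags match',
        })
    return results
```

Running `mount_flag_denials(SAMPLE_DMESG)` on real output (`dmesg | grep apparmor`) gives one record per denied mount, which makes it easy to see whether every failing rule carries noatime before touching raw.apparmor.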

@stgraber with that command the container doesn’t even start.

Error: Failed to run: /snap/lxd/current/bin/lxd forkstart buster /var/snap/lxd/common/lxd/containers /var/snap/lxd/common/lxd/logs/buster/lxc.conf: 
Try `lxc info --show-log buster` for more info

lxc info --show-log buster

Name: buster
Location: none
Remote: unix://
Architecture: x86_64
Created: 2021/02/21 11:40 UTC
Status: Stopped
Type: container
Profiles: default

Log:

lxc buster 20210222205532.553 ERROR    conf - conf.c:run_buffer:314 - Script exited with status 1
lxc buster 20210222205532.554 ERROR    start - start.c:lxc_init:798 - Failed to run lxc.hook.pre-start for container "buster"
lxc buster 20210222205532.554 ERROR    start - start.c:__lxc_start:1945 - Failed to initialize container "buster"
lxc buster 20210222205532.688 ERROR    conf - conf.c:run_buffer:314 - Script exited with status 1
lxc buster 20210222205532.688 ERROR    start - start.c:lxc_end:958 - Failed to run lxc.hook.post-stop for container "buster"
lxc buster 20210222205532.688 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:851 - No such file or directory - Failed to receive the container state

lxc config show buster:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian buster amd64 (20210221_05:24)
  image.os: Debian
  image.release: buster
  image.serial: "20210221_05:24"
  image.type: squashfs
  image.variant: default
  raw.apparmor: mount
  volatile.base_image: bc0a55159801e73d0f3be94839e8c663da33d28a2714bd401922c9f55f0c4f98
  volatile.eth0.host_name: veth991424b2
  volatile.eth0.hwaddr: 00:16:3e:30:17:c3
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: STOPPED
  volatile.uuid: 50f53880-80c3-4059-87b8-bc31d6319a1a
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""

Cannot even unset the key now with: lxc config unset buster raw.apparmor

Error: Parse AppArmor profile: Failed to run: apparmor_parser -QWL /var/snap/lxd/common/lxd/security/apparmor/cache /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-buster: AppArmor parser error for /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-buster in /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-buster at line 516: syntax error, unexpected $end, expecting TOK_END_OF_RULE or TOK_ARROW

Please follow the instructions I gave you, that trailing comma was not a typo!

Ok, with the trailing comma everything works now. Thank you!