/proc mount error


I’m trying to run mock in an LXD container. It chroots into the fs and then at some point tries to mount the /proc filesystem, which fails. The host shows that the mount is blocked by AppArmor:

apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-buildserver_</var/snap/lxd/common/lxd>" name="/var/lib/mock/cs7/root/proc/" pid=3825 comm="mount" fstype="proc" srcname="proc"

I tried to add “mount fstype=nfs,” into /etc/apparmor.d/lxc/lxc-default and it did not help (yes, I reloaded AppArmor and restarted the container). I tried to add “lxc.aa_profile = lxc-container-default-with-mounting” into the container config (lxc config edit container_name, raw.lxc: lxc.aa_profile = …), but this gives me a “Config parsing error: Initialize LXC: Failed to load raw.lxc” error.

How can I convince the container to allow /proc mounts?

Best regards,

OK, sorted this out myself. lxc config set buildserver raw.apparmor "mount fstype=proc," fixed the issue!

A possibly cleaner way would be to grant security.nesting=true to that container.
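As an added example (not code from this thread or from LXD), the following POSIX shell helpers turn an AppArmor mount denial like the one quoted above into the narrowest raw.apparmor rule and the matching lxc command, so a practitioner can grant only the denied mount type instead of falling back to security.privileged or an unconfined profile. The sample line is the denial from the thread; the lxd-<name>_<path> profile naming used to recover the container name is assumed from that line.

```shell
#!/bin/sh
# Constructed sample: the AppArmor denial from the thread, as one log line.
SAMPLE_DENIAL='apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxd-buildserver_</var/snap/lxd/common/lxd>" name="/var/lib/mock/cs7/root/proc/" pid=3825 comm="mount" fstype="proc" srcname="proc"'

# Extract one key="value" field from an AppArmor audit line.
# $1 = log line, $2 = key. A leading space is prepended so that the first
# field matches too and "srcname=" never matches a lookup for "name=".
aa_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Emit the narrowest raw.apparmor rule covering exactly the denied mount
# (e.g. "mount fstype=proc,"); fail if the line is not a mount denial.
aa_mount_rule() {
    [ "$(aa_field "$1" apparmor)" = DENIED ] || return 1
    [ "$(aa_field "$1" operation)" = mount ] || return 1
    fstype=$(aa_field "$1" fstype)
    [ -n "$fstype" ] || return 1
    printf 'mount fstype=%s,\n' "$fstype"
}

# Recover the container name from an LXD profile label of the assumed form
# "lxd-<name>_</path/to/lxd>"; fail on any other profile.
aa_container_name() {
    profile=$(aa_field "$1" profile)
    case $profile in
        lxd-*_"<"*) n=${profile#lxd-}; printf '%s\n' "${n%%_<*}" ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the lxc command that applies the minimal rule.
aa_fix_command() {
    name=$(aa_container_name "$1") || return 1
    rule=$(aa_mount_rule "$1") || return 1
    printf 'lxc config set %s raw.apparmor "%s"\n' "$name" "$rule"
}

aa_fix_command "$SAMPLE_DENIAL"
```

Feed it real lines with e.g. `journalctl -k | grep 'apparmor="DENIED"'` and review each printed command before applying it.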

It hits again!
Now I’m trying to run mock under CentOS 8 in a container under LXD 4.3 control. When initialising the mock root (mock --init) I get the following error:

Could not create dir /var/lib/mock/cs7/root/sys/fs/selinux. Error: [Errno 30] Read-only file system: '/var/lib/mock/cs7/root/sys/fs/selinux

I have all possible permissions in the container config: security.nesting: "true", security.privileged: "true", lxc.apparmor.profile=unconfined and also my hack from last year reported in this thread (raw.apparmor: mount fstype=proc,) - nothing helps.
This time I have no errors from AppArmor. --show-log for the container reports the following:

lxc buildserver 20200718090712.698 WARN     cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1153 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.payload.buildserver"
lxc buildserver 20200718090712.700 ERROR    utils - utils.c:lxc_can_use_pidfd:1834 - Kernel does not support pidfds

Any suggestions on how to proceed?
I tried mock 1.4.21 and the latest from EPEL (2.3).
Best regards,

If you take away all the security of a container, why do you use a container? I would say, use the VM option in LXD. Management will only become more difficult with updates.

I removed all security only in an attempt to find out the actual reason for the /var/lib/mock/cs7/root/sys/fs/selinux error. When I figure out what causes this problem I will restore as many of the restrictions as possible.