
Lab3.2 lxc - permission denied - apparmor error?

cherif.jazra
cherif.jazra Posts: 3
edited November 8 in LFS253 Class Forum

Hello,

I seem to be unable to start a new unprivileged container with lxc:

$ lxc-start -n unpriv-cont-user -F
lxc-start: unpriv-cont-user: ../src/lxc/lsm/apparmor.c: make_apparmor_namespace: 869 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-unpriv-cont-user_<-home-cherif-.local-share-lxc>
lxc-start: unpriv-cont-user: ../src/lxc/lsm/apparmor.c: apparmor_prepare: 1088 Failed to load generated AppArmor profile
lxc-start: unpriv-cont-user: ../src/lxc/start.c: lxc_init: 876 Failed to initialize LSM
lxc-start: unpriv-cont-user: ../src/lxc/start.c: __lxc_start: 2027 Failed to initialize container "unpriv-cont-user"
lxc-start: unpriv-cont-user: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: unpriv-cont-user: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

I'm doing this on Ubuntu running on an Apple M3 in UTM.

$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

and I created the container with lxc-create and these options:

Distribution: ubuntu
Release:  focal
Architecture: arm64

Answers

  • My lxc config file at ~/.config/lxc/default.conf has the following set

    lxc.apparmor.profile = generated
    lxc.apparmor.allow_nesting = 1
    
  • cherif.jazra
    cherif.jazra Posts: 3
    edited November 8

    Interestingly, creating a privileged container as root does work: with
    sudo lxc-create --template download --name priv-cont, I'm able to bring up the container and attach to it.
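As an added example (it is not from the original post, the reply, or the LXC project), here is a POSIX shell script that checks the host preconditions an unprivileged lxc-start with lxc.apparmor.profile = generated depends on: AppArmor enabled, whether the kernel restricts unprivileged user namespaces (Ubuntu 24.04 ships kernel.apparmor_restrict_unprivileged_userns=1 by default, which is worth checking whenever an unprivileged container fails while lxc-start is setting up AppArmor, although the thread does not establish that it is the cause here), and whether the lxc.idmap lines in the config fit the user's /etc/subuid and /etc/subgid ranges. Every path is a parameter so the checks can be run against fixture files as well as the live system; the function names, the user name "cherif" in the usage line (taken from the home path in the error), and the id ranges in the comments are the example's own assumptions.

```sh
#!/bin/sh
# Added diagnostic script (not from the forum thread or from LXC): checks the
# host-side preconditions for starting an unprivileged LXC container that uses
# lxc.apparmor.profile = generated. Paths are parameters so the checks run
# against the live system or against fixture files.

# 1. AppArmor present and enabled? Reads /sys/module/apparmor/parameters/enabled.
apparmor_enabled() {               # $1 = sysfs root (default /sys)
    f="${1:-/sys}/module/apparmor/parameters/enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# 2. Does AppArmor restrict unprivileged user namespaces?
# Ubuntu 24.04 ships kernel.apparmor_restrict_unprivileged_userns=1. With it set,
# a task entering a fresh user namespace without a profile granting "userns"
# loses its capabilities, which can surface as EACCES when lxc-start tries to
# create its policy namespace under /sys/kernel/security/apparmor/policy/namespaces/.
# Prints: restricted | unrestricted | absent (sysctl not present on this kernel)
userns_restriction() {             # $1 = procfs root (default /proc)
    f="${1:-/proc}/sys/kernel/apparmor_restrict_unprivileged_userns"
    if [ ! -r "$f" ]; then echo absent; return 0; fi
    case "$(cat "$f")" in
        1) echo restricted ;;
        0) echo unrestricted ;;
        *) echo unknown ;;
    esac
}

# 3. Subordinate id range for a user from /etc/subuid or /etc/subgid
# (lines look like "cherif:100000:65536"). Prints "start count";
# returns 1 when the user has no usable entry.
subid_range() {                    # $1 = file, $2 = user name
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '$1 == u && $3 > 0 { print $2, $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# 4. Value of a key in an LXC config file (last assignment wins, as in lxc).
config_value() {                   # $1 = config file, $2 = key
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# 5. Do the "lxc.idmap = <u|g> <ns_start> <host_start> <count>" lines fit
# inside the user's subuid/subgid ranges? Returns 0 only when at least one
# idmap line exists and every line lies inside the matching range.
idmap_fits() {                     # $1 conf, $2 subuid file, $3 subgid file, $4 user
    conf=$1
    urange=$(subid_range "$2" "$4") || return 1
    grange=$(subid_range "$3" "$4") || return 1
    ok=1
    while read -r kind _ns host count; do
        case "$kind" in
            u) range=$urange ;;
            g) range=$grange ;;
            *) return 1 ;;     # empty (no idmap lines) or malformed kind
        esac
        for n in "$host" "$count"; do
            case "$n" in ''|*[!0-9]*) return 1 ;; esac
        done
        start=${range%% *}; avail=${range#* }
        [ "$host" -ge "$start" ] || return 1
        [ $((host + count)) -le $((start + avail)) ] || return 1
        ok=0
    done <<EOF
$(sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$conf")
EOF
    return $ok
}

# 6. Run every check, print one line each, return the number of failures.
# $1 procfs root, $2 sysfs root, $3 lxc config, $4 subuid, $5 subgid, $6 user
check_unpriv_prereqs() {
    fails=0
    if apparmor_enabled "$2"; then echo "ok   AppArmor enabled"
    else echo "FAIL AppArmor not enabled (generated profiles need it)"; fails=$((fails + 1)); fi
    case "$(userns_restriction "$1")" in
        restricted) echo "FAIL kernel.apparmor_restrict_unprivileged_userns=1"; fails=$((fails + 1)) ;;
        *)          echo "ok   unprivileged user namespaces not restricted by AppArmor" ;;
    esac
    if [ "$(config_value "$3" lxc.apparmor.profile)" = generated ]; then echo "ok   lxc.apparmor.profile = generated"
    else echo "FAIL lxc.apparmor.profile is not 'generated'"; fails=$((fails + 1)); fi
    if idmap_fits "$3" "$4" "$5" "$6"; then echo "ok   lxc.idmap fits $6's subuid/subgid ranges"
    else echo "FAIL lxc.idmap missing or outside $6's subuid/subgid ranges"; fails=$((fails + 1)); fi
    return $fails
}

# Live use on the host, as the unprivileged user (user name assumed from the thread):
# check_unpriv_prereqs /proc /sys ~/.config/lxc/default.conf /etc/subuid /etc/subgid cherif
```

If the only failing line is the userns one, `sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` confirms the diagnosis for a single test; that setting lowers host hardening for every unprivileged user namespace, so for a permanent fix prefer an AppArmor profile that grants lxc-start the userns permission where the distribution's lxc package provides one.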
