On Wed, 05 Jan 2022 12:34:47 +0000 Pelzi <[email protected]> wrote: > The following patch seems to fix the problem. > > --- /tmp/lxc-default-with-nesting.org 2022-01-05 13:25:18.920809830 +0100 > +++ lxc-default-with-nesting 2022-01-05 13:22:35.019939076 +0100 > @@ -10,6 +10,7 @@ > mount fstype=proc -> /var/cache/lxc/**, > mount fstype=sysfs -> /var/cache/lxc/**, > mount options=(rw,bind), > + mount options=(rw,rbind), > mount fstype=cgroup -> /sys/fs/cgroup/**, > mount fstype=cgroup2 -> /sys/fs/cgroup/**, > } > >
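Review bot: the added `mount options=(rw,rbind),` line only matches bind-style mounts, but the denial this thread is about is a fresh proc mount (fstype="proc", name="/run/systemd/unit-root/proc/", flags "rw, nosuid, nodev, noexec"), and the only proc rule in the hunk's context is scoped to `-> /var/cache/lxc/**`, so the new line cannot cover that denial; what it would need is a proc rule for the path being denied. The new line also carries no fstype and no destination, unlike its neighbours, so it permits recursive bind mounts to any path; if an rbind rule is really required, scope it with a `->` destination the way the surrounding rules do.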
Making this change to /etc/apparmor.d/lxc/lxc-default-with-nesting and reloading apparmor did not fix it for me. It still failed with this in dmesg:
[24331487.635679] audit: type=1400 audit(1656010635.412:13707): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/unit-root/proc/" pid=30720 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
My container is unprivileged and I am including /usr/share/lxc/config/nesting.conf in my container's config file. My lxc package version is 1:3.1.0+really3.0.3-8.
Instead, I masked the systemd-logind service inside the container so that it would no longer delay logins. Hopefully there's a better fix at some point.
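As an added example (not code from the thread), the following parses the AppArmor audit lines quoted above and classifies each mount denial by which rule shape from the discussion could cover it: a bind/rbind option rule only matches mounts whose flags include bind or rbind, while a fresh filesystem mount such as the proc mount in the dmesg line needs an fstype rule for its destination. The second log line is constructed for contrast; the first is the one from the reply.

```python
import re

# Constructed sample: the denial quoted in the thread, plus one constructed
# rbind denial so both classifications are exercised.
SAMPLE_LOG = """\
[24331487.635679] audit: type=1400 audit(1656010635.412:13707): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/unit-root/proc/" pid=30720 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[24331490.000000] audit: type=1400 audit(1656010638.000:13708): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/run/systemd/unit-root/" pid=30721 comm="(d-logind)" srcname="/" flags="rw, rbind"
"""

# key="value" pairs as the audit subsystem prints them
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_mount_denials(log_text):
    """Return one dict per apparmor="DENIED" operation="mount" line.

    The flags field is split into a list so callers can test individual
    mount flags without string matching."""
    entries = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
            continue
        fields["flags"] = [f.strip() for f in fields.get("flags", "").split(",") if f.strip()]
        entries.append(fields)
    return entries


def mount_kind(entry):
    """Classify a denial by the AppArmor rule shape that could cover it.

    "bind"   -> an options=(...,bind) / options=(...,rbind) rule applies
    "fstype" -> a fresh mount of a filesystem type; needs a rule with
                fstype=<type> and a destination covering entry["name"]"""
    if "bind" in entry["flags"] or "rbind" in entry["flags"]:
        return "bind"
    return "fstype"


def summarize(log_text):
    """Map each denied destination path to (fstype or '-', rule kind)."""
    return {e["name"]: (e.get("fstype", "-"), mount_kind(e))
            for e in parse_apparmor_mount_denials(log_text)}


if __name__ == "__main__":
    for path, (fstype, kind) in summarize(SAMPLE_LOG).items():
        print(f"{path}: fstype={fstype} needs a {kind} rule")
```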

