Niklas, thanks a lot for the report and for the proposed patch.

On Tue, 6 Jan 2026 22:45:06 +0100 (CET)
Niklas Edmundsson <[email protected]> wrote:

> This seems to be due to apparmor disallowing namespace creation:
>
> Jan 06 21:55:10 nn kernel: audit: type=1400 audit(1767732910.047:562):
> apparmor="DENIED" operation="userns_create" class="namespace"
> profile="libvirt-d91af33f-182a-4bf8-9293-f5837a4601d8//passt" pid=28241
> comm="passt.avx2" requested="userns_create" denied="userns_create"

See also:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098521
  https://github.com/lxc/lxc/issues/4529

I'm still trying to find out why I can't reproduce this on current Debian testing or Debian unstable with (slightly outdated) AppArmor 4.1.0-1+b1. Maybe it's something that only triggers due to some combination of Debian stable backports? I'm now trying with several different versions of the AppArmor packages.

I'm a bit wary of just adding the "userns" flag for the reason explained in those other reports, that is, it might break compatibility. But maybe it's not a real problem, we should look into that as well.

-- 
Stefano

