This is another difference with the apparmor 4.0 userspace. We need to explicitly enable user namespaces in the generated profile - at least when nesting is enabled.
Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- src/PVE/LXC.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 741bb33..b922ba1 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -595,6 +595,7 @@ sub make_apparmor_config { # We use abi/4.0 which has its own mqueue class which governs access to /dev/mqueue now. # This is currently not default in lxc's profile, so we enable it explicitly. + # FIXME: once lxc's profiles are based on abi/4.0 this should not be required. $raw .= "lxc.apparmor.raw = allow mqueue,\n"; my @profile_uses; @@ -612,6 +613,8 @@ sub make_apparmor_config { if ($features->{nesting}) { push @profile_uses, 'features:nesting'; $raw .= "lxc.apparmor.allow_nesting = 1\n"; + # FIXME: once lxc's profiles are based on abi/4.0 this should not be required. + $raw .= "lxc.apparmor.raw = allow userns,\n"; } else { # In the default profile in /etc/apparmor.d we patch this in because # otherwise a container can for example run `chown` on /sys, breaking -- 2.47.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
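Review bot: the FIXME added above `$raw .= "lxc.apparmor.raw = allow mqueue,\n";` repeats the point the two context lines just above it already make (abi/4.0 has its own mqueue class, lxc's profile does not enable it yet), so the hunk adds no new information; fold the FIXME into that existing comment and state the concrete condition that makes the line removable, i.e. the lxc profiles under /etc/apparmor.d (the directory the else branch refers to) declaring `abi/4.0` themselves, so whoever revisits this can check it rather than guess.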
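Review bot: the new `$raw .= "lxc.apparmor.raw = allow userns,\n";` only covers the `if ($features->{nesting})` branch, and the commit message's "at least when nesting is enabled" leaves open whether the non-nesting branch needs the same grant under the apparmor 4.0 userspace; the else branch's comment says the default profile in /etc/apparmor.d is patched instead, so either state in the commit message or the FIXME that the non-nesting case is covered by that patched profile (and was tested with the 4.0 userspace), or add the userns rule there too. Appending a second `lxc.apparmor.raw` line is consistent with the `allow mqueue,` line added earlier in the same function, so that part is fine; the duplicated FIXME text could point at the first one instead of repeating it.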