Hi all,

This is a copy of a message I posted to lxc-users last week; maybe more
people will see it here :-)

I'm getting messages like this after an upgrade of the host from stretch
to buster:

Jun 18 12:09:08 postgres kernel: [131022.470073] audit: type=1400 audit(1623974948.239:107): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=15558 comm="(ionclean)" flags="rw, rslave"

I've seen several similar things from web searches, such as this from
the lxc-users list, 5 years ago:

https://lxc-users.linuxcontainers.narkive.com/3t0leW0p/apparmor-denied-messages-in-the-logs

The suggestion seems to be that it doesn't matter, as long as mounts are
actually working ok (all filesystems seem to be mounted).

But if the mounts are working, what triggers the error? If the mounts
are set up outside the container, why is the container trying to mount
anything? There's nothing in /etc/fstab in the container.

In case it's relevant, /var/lib/lxc/<container>/rootfs is a mount on the
host, for all containers. All containers have additional mounts defined
in the lxc config, and those filesystems are also mounts on the host,
living under /guestfs. They're all lvm volumes, with xfs, as are the
root filesystems.

Any tips welcome.

Cheers,
Richard