Going further, for those who are running Arch containers in Proxmox who reach here after googling via getting a message similar to this:

[ 2204.273155] audit: type=1400 audit(1548030556.960:100): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_</var/lib/lxc>" name="/" pid=26493 comm="(networkd)" flags="rw, rslave"

the GitHub link in the beginning has discussion on workarounds for the meantime:
https://github.com/lxc/lxc/issues/2778#issuecomment-455199160

I attempted to just modify "mount options=(rw,make-rslave)," in "/etc/apparmor.d/abstractions/lxc/container-base", which sadly did not work, since the file "/var/lib/lxc/102/apparmor/lxc-{YOUR_CONTAINER_ID}_<-var-lib-lxc>" that is created when starting the container keeps the old commented-out version of that line, even after rebooting the host.

Instead, I ended up just adding "lxc.apparmor.profile: unconfined" to the "/etc/pve/lxc/{YOUR_CONTAINER_ID}.conf" file for each container and then restarting the container, which disabled apparmor for all your containers, which, while terrible security-wise, at least gets my containers back up while waiting for a bug fix.

** Bug watch added: LXC bug tracker #2778
   https://github.com/lxc/lxc/issues/2778
https://bugs.launchpad.net/bugs/1811248

Title:
  systemd--networkd mounts denied for lxc guest

Status in apparmor package in Ubuntu:
  New

Bug description:
  Host Ubuntu cosmic | lxc 3.0.3 | aa 2.12 | systemd 239-7
  Guest Arch Linux | systemd 240.0

  After having upgraded in the guest systemd from 239.370 to 240.0 the host's AA is exhibiting

  > audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"

  and the guest

  > systemd-networkd.service: Failed to set up mount namespacing: Permission denied
  > systemd-networkd.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-networkd: Permission denied

  According to lxc bug tracker https://github.com/lxc/lxc/issues/2778

  > While we'd like to allow such mounts we cannot do so until the apparmor_parser is fixed to handle them correctly.

  other cross references
  https://github.com/systemd/systemd/issues/11371
  https://bugs.archlinux.org/task/61313
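
A host-side check for the "unconfined" workaround described in the comment above, so the setting can be found and reverted once a fix lands. This is an added example, not code from the bug report, LXC or Proxmox; the function names are hypothetical, the sample configs and log lines are constructed, and it assumes Proxmox keeps snapshot copies of a container's settings under "[name]" headers in the same .conf file.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Proxmox host for the
# "unconfined" workaround and list which profiles hit the mount denial.

# Print the ID of each container config in $1 (default /etc/pve/lxc, the path
# used in the post) whose active section sets lxc.apparmor.profile to
# unconfined. Accepts "key: value" and "key = value"; skips commented lines.
list_unconfined() {
    dir=${1:-/etc/pve/lxc}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Stop at the first "[name]" header: Proxmox stores snapshot copies of
        # the config in such sections, and they are not the live settings.
        if sed '/^\[/q' "$conf" | grep -Eq \
            '^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*[:=][[:space:]]*unconfined[[:space:]]*$'
        then
            basename "$conf" .conf
        fi
    done
}

# Print the distinct AppArmor profiles in log file $1 that were denied a
# mount with the rslave flag (the denial quoted in the post).
denied_rslave_profiles() {
    grep 'apparmor="DENIED"' "$1" | grep 'operation="mount"' |
        grep 'flags="[^"]*rslave' |
        sed -n 's/.*profile="\([^"]*\)".*/\1/p' | sort -u
}

# Constructed sample data so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    printf 'arch: amd64\nlxc.apparmor.profile: unconfined\n' > "$d/101.conf"
    printf 'arch: amd64\n#lxc.apparmor.profile: unconfined\n' > "$d/102.conf"
    printf 'arch: amd64\n[snap1]\nlxc.apparmor.profile: unconfined\n' > "$d/103.conf"
    cat > "$d/kern.log" <<'EOF'
audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_</var/lib/lxc>" name="/" pid=100 comm="(networkd)" flags="rw, rslave"
audit: type=1400 audit(1.0:2): apparmor="DENIED" operation="open" profile="other" name="/x" pid=101 comm="cat"
EOF
    echo "$d"
}

sample=$(make_sample)
echo "unconfined containers: $(list_unconfined "$sample" | tr '\n' ' ')"
echo "profiles denied rslave mounts: $(denied_rslave_profiles "$sample/kern.log")"
rm -rf "$sample"
```

On a real host, call list_unconfined with no argument to scan /etc/pve/lxc and pass the kernel log path to denied_rslave_profiles.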