lxc-start says apparmor_parser is not available even though apparmor is installed and running

System:
Debian testing (Bullseye)

I am trying to create and start an LXC container as described here, but when I get to lxc-start -n my-container -d I get the following message:

$ lxc-start -n test1 -d
lxc-start: test1: lxccontainer.c: wait_on_daemonized_start: 851 No such file or directory - Failed to receive the container state
lxc-start: test1: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: test1: tools/lxc_start.c: main: 311 To get more details, run the container in foreground mode
lxc-start: test1: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options

When I run it in foreground mode:

$ lxc-start -n test1 -F
lxc-start: test1: lsm/apparmor.c: apparmor_prepare: 1051 Cannot use generated profile: apparmor_parser not available
lxc-start: test1: start.c: lxc_init: 832 Failed to initialize LSM
lxc-start: test1: start.c: __lxc_start: 1945 Failed to initialize container "test1"
lxc-start: test1: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: test1: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options

As far as I know, the "apparmor_parser not available" error occurs when apparmor is not installed or enabled. Except that on my system apparmor is installed and running:

$ systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor >
     Active: active (exited) since Sat 2021-02-06 21:00:28 EST; 1h 37min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 524 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 8176)
     Memory: 0B
        CPU: 0
     CGroup: /system.slice/apparmor.service

Warning: some journal files were not opened due to insufficient permissions.

What gives?

Edit:

If I create and start the container as root (sudo) it works as expected, but the instructions at the link also give instructions for running the container as a regular user.

systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start -l INFO -o test1.log test1 produces the following log:

lxc-start test1 20210611133631.168 WARN     apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1269 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start test1 20210611133631.195 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:1051 - Cannot use generated profile: apparmor_parser not available
lxc-start test1 20210611133631.195 ERROR    start - start.c:lxc_init:832 - Failed to initialize LSM
lxc-start test1 20210611133631.195 ERROR    start - start.c:__lxc_start:1945 - Failed to initialize container "test1"
lxc-start test1 20210611133631.712 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:851 - No such file or directory - Failed to receive the container state
lxc-start test1 20210611133631.712 ERROR    lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start test1 20210611133631.712 ERROR    lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start test1 20210611133631.712 ERROR    lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test1 20210611133722.933 INFO     confile - confile.c:set_config_idmaps:1942 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start test1 20210611133722.933 INFO     confile - confile.c:set_config_idmaps:1942 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start test1 20210611133722.934 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:979 - Set process title to [lxc monitor] /home/bobby/.local/share/lxc test1
lxc-start test1 20210611133722.934 WARN     apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1269 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start test1 20210611133722.934 INFO     lsm - lsm/lsm.c:lsm_init:40 - Initialized LSM security driver AppArmor
lxc-start test1 20210611133722.935 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type u nsid 0 hostid 100000 range 1
lxc-start test1 20210611133722.935 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type u nsid 1000 hostid 1000 range 1
lxc-start test1 20210611133722.935 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 0 hostid 100000 range 1
lxc-start test1 20210611133722.935 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 1000 hostid 1000 range 1
lxc-start test1 20210611133722.935 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 5 hostid 100005 range 1
lxc-start test1 20210611133722.942 NOTICE   utils - utils.c:lxc_switch_uid_gid:1398 - Switched to gid 0
lxc-start test1 20210611133722.942 NOTICE   utils - utils.c:lxc_switch_uid_gid:1407 - Switched to uid 0
lxc-start test1 20210611133722.942 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "[all]"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133722.943 INFO     seccomp - seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
lxc-start test1 20210611133722.945 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:1051 - Cannot use generated profile: apparmor_parser not available
lxc-start test1 20210611133722.945 ERROR    start - start.c:lxc_init:832 - Failed to initialize LSM
lxc-start test1 20210611133722.945 ERROR    start - start.c:__lxc_start:1945 - Failed to initialize container "test1"
lxc-start test1 20210611133722.951 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start test1 20210611133722.951 INFO     conf - conf.c:run_script_argv:330 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "test1", config section "lxc"
lxc-start test1 20210611133723.454 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:851 - No such file or directory - Failed to receive the container state
lxc-start test1 20210611133723.454 ERROR    lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start test1 20210611133723.454 ERROR    lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start test1 20210611133723.454 ERROR    lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test1 20210611133821.478 INFO     confile - confile.c:set_config_idmaps:1942 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start test1 20210611133821.478 INFO     confile - confile.c:set_config_idmaps:1942 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start test1 20210611133821.478 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:979 - Set process title to [lxc monitor] /home/bobby/.local/share/lxc test1
lxc-start test1 20210611133821.479 WARN     apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1269 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start test1 20210611133821.479 INFO     lsm - lsm/lsm.c:lsm_init:40 - Initialized LSM security driver AppArmor
lxc-start test1 20210611133821.480 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type u nsid 0 hostid 100000 range 1
lxc-start test1 20210611133821.480 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type u nsid 1000 hostid 1000 range 1
lxc-start test1 20210611133821.480 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 0 hostid 100000 range 1
lxc-start test1 20210611133821.480 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 1000 hostid 1000 range 1
lxc-start test1 20210611133821.480 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 5 hostid 100005 range 1
lxc-start test1 20210611133821.487 NOTICE   utils - utils.c:lxc_switch_uid_gid:1398 - Switched to gid 0
lxc-start test1 20210611133821.487 NOTICE   utils - utils.c:lxc_switch_uid_gid:1407 - Switched to uid 0
lxc-start test1 20210611133821.487 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "[all]"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133821.488 INFO     seccomp - seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
lxc-start test1 20210611133821.568 ERROR    apparmor - lsm/apparmor.c:make_apparmor_namespace:840 - Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-test1_<-home-bobby-.local-share-lxc>
lxc-start test1 20210611133821.568 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:1057 - Failed to load generated AppArmor profile
lxc-start test1 20210611133821.568 ERROR    start - start.c:lxc_init:832 - Failed to initialize LSM
lxc-start test1 20210611133821.568 ERROR    start - start.c:__lxc_start:1945 - Failed to initialize container "test1"
lxc-start test1 20210611133821.575 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start test1 20210611133821.576 INFO     conf - conf.c:run_script_argv:330 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "test1", config section "lxc"
lxc-start test1 20210611133822.796 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:851 - No such file or directory - Failed to receive the container state
lxc-start test1 20210611133822.798 ERROR    lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start test1 20210611133822.801 ERROR    lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start test1 20210611133822.802 ERROR    lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test1 20210611133926.195 INFO     confile - confile.c:set_config_idmaps:1942 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start test1 20210611133926.195 INFO     confile - confile.c:set_config_idmaps:1942 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start test1 20210611133926.196 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:979 - Set process title to [lxc monitor] /home/bobby/.local/share/lxc test1
lxc-start test1 20210611133926.196 WARN     apparmor - lsm/apparmor.c:lsm_apparmor_ops_init:1269 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start test1 20210611133926.196 INFO     lsm - lsm/lsm.c:lsm_init:40 - Initialized LSM security driver AppArmor
lxc-start test1 20210611133926.196 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type u nsid 0 hostid 100000 range 1
lxc-start test1 20210611133926.196 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type u nsid 1000 hostid 1000 range 1
lxc-start test1 20210611133926.196 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 0 hostid 100000 range 1
lxc-start test1 20210611133926.196 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 1000 hostid 1000 range 1
lxc-start test1 20210611133926.196 INFO     conf - conf.c:add_idmap_entry:4462 - Adding id map: type g nsid 5 hostid 100005 range 1
lxc-start test1 20210611133926.199 NOTICE   utils - utils.c:lxc_switch_uid_gid:1398 - Switched to gid 0
lxc-start test1 20210611133926.199 NOTICE   utils - utils.c:lxc_switch_uid_gid:1407 - Switched to uid 0
lxc-start test1 20210611133926.200 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "[all]"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start test1 20210611133926.200 INFO     seccomp - seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
lxc-start test1 20210611133926.201 ERROR    apparmor - lsm/apparmor.c:make_apparmor_namespace:840 - Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-test1_<-home-bobby-.local-share-lxc>
lxc-start test1 20210611133926.201 ERROR    apparmor - lsm/apparmor.c:apparmor_prepare:1057 - Failed to load generated AppArmor profile
lxc-start test1 20210611133926.201 ERROR    start - start.c:lxc_init:832 - Failed to initialize LSM
lxc-start test1 20210611133926.201 ERROR    start - start.c:__lxc_start:1945 - Failed to initialize container "test1"
lxc-start test1 20210611133926.204 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start test1 20210611133926.204 INFO     conf - conf.c:run_script_argv:330 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "test1", config section "lxc"
lxc-start test1 20210611133926.706 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:851 - No such file or directory - Failed to receive the container state
lxc-start test1 20210611133926.707 ERROR    lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start test1 20210611133926.707 ERROR    lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start test1 20210611133926.707 ERROR    lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options

Answer 1

I had exactly the same problem on Debian Buster, and my solution, as seen in this link, was to put /sbin or /usr/sbin (because apparmor_* is left in /sbin) into $PATH:

https://github.com/lxc/lxc/issues/3049

Put the following command on the last line of ~/.bashrc for the current user, or of /etc/profile for all users (thanks, Thomas N!):

export PATH=/sbin:/usr/sbin:$PATH

Then refresh the terminal with source ~/.bashrc or source /etc/profile.

Answer 2

An unprivileged user cannot create an apparmor namespace. Use lxc.apparmor.profile = unconfined. This is also what the Debian wiki suggests. You could also try lxc.apparmor.profile = lxc-container-default-cgns, but in that case networking does not work in the container.

Answer 3

This is a comment; I just wanted to attach my configuration. It should help. LXC stable on Debian Buster, no apparmor; since I removed it before using lxc I cannot make suggestions for lxc + apparmor, but lxc without apparmor is possible too.

/etc/lxc/default.conf

lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 0
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:FF:xx:xx:xx:xx
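The answers above point at two separate conditions, and the log at the end of the question shows them one after the other: first "apparmor_parser not available" (the binary lives in /sbin or /usr/sbin, which a regular user's PATH on Debian may not include, Answer 1), and then, once the parser is found, "Per-container AppArmor profiles are disabled because the mac_admin capability is missing" followed by "Permission denied - Error creating AppArmor namespace" (an unprivileged user has no CAP_MAC_ADMIN, so LXC cannot load a generated profile and the container config should use lxc.apparmor.profile = unconfined or an already loaded profile, Answers 2 and 3). The script below is an added example written for this page, not code from the thread or from the LXC project. It checks both conditions on the host: whether apparmor_parser is reachable through PATH, whether the calling user's effective capability set contains CAP_MAC_ADMIN (bit 33 of CapEff in /proc/self/status), and what lxc.apparmor.profile a given container config sets. It assumes bash on Linux and a config in the key = value form shown in Answer 3; the file name apparmor_check.sh, the --run flag and the per-user default path ~/.config/lxc/default.conf are assumptions of the example.

```shell
#!/bin/bash
# apparmor_check.sh (assumed name): diagnose the two lxc-start failures from
# this thread for unprivileged containers on Debian.
#   1. "Cannot use generated profile: apparmor_parser not available"
#      -> the binary is in /sbin or /usr/sbin, which may not be on a user's PATH.
#   2. "Per-container AppArmor profiles are disabled because the mac_admin
#      capability is missing" / "Permission denied - Error creating AppArmor namespace"
#      -> the user lacks CAP_MAC_ADMIN, so the container config should use
#         lxc.apparmor.profile = unconfined (or a profile already loaded on the host).

# Trim leading and trailing whitespace from $1 using parameter expansion only.
trim() {
    local s="$1"
    s="${s#"${s%%[![:space:]]*}"}"
    s="${s%"${s##*[![:space:]]}"}"
    printf '%s' "$s"
}

# Search a colon-separated PATH string ($2) for an executable named $1.
# Prints the first directory that holds it and returns 0, otherwise returns 1.
find_in_path() {
    local name="$1" pathstr="$2" dir
    local IFS=':'
    for dir in $pathstr; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# CAP_MAC_ADMIN is capability number 33 (linux/capability.h). Given the CapEff
# hex mask from /proc/<pid>/status, succeed only if bit 33 is set.
has_mac_admin() {
    local capeff="$1"
    [ -n "$capeff" ] || return 1
    [ $(( 0x$capeff >> 33 & 1 )) -eq 1 ]
}

# Print the lxc.apparmor.profile value from an LXC config file, ignoring
# comments and blank lines; the last assignment wins. Prints "unset" if the
# key never appears.
apparmor_profile_of() {
    local conf="$1" line key value result=unset
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(trim "${line%%=*}")
        value=$(trim "${line#*=}")
        if [ "$key" = "lxc.apparmor.profile" ]; then
            result="$value"
        fi
    done < "$conf"
    printf '%s\n' "$result"
}

# Run both checks on the live host. $1 is the container config to inspect
# (defaults to the assumed per-user default config). Returns the number of
# problems found, so 0 means neither condition from the thread applies.
diagnose() {
    local conf="${1:-$HOME/.config/lxc/default.conf}" problems=0 dir capeff profile
    if dir=$(find_in_path apparmor_parser "$PATH"); then
        echo "apparmor_parser found in $dir"
    else
        problems=$((problems + 1))
        echo "apparmor_parser is not on PATH ($PATH)"
        for dir in /sbin /usr/sbin; do
            if [ -x "$dir/apparmor_parser" ]; then
                echo "  it exists in $dir: add that directory to PATH (Answer 1)"
            fi
        done
    fi
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
    if has_mac_admin "$capeff"; then
        echo "CAP_MAC_ADMIN present (CapEff=$capeff): LXC can load per-container profiles"
    else
        echo "CAP_MAC_ADMIN missing (CapEff=${capeff:-unknown}): LXC cannot create an AppArmor namespace"
        if [ -r "$conf" ]; then
            profile=$(apparmor_profile_of "$conf")
            if [ "$profile" = unconfined ]; then
                echo "  $conf sets lxc.apparmor.profile = unconfined, so no profile load is attempted"
            else
                problems=$((problems + 1))
                echo "  $conf has lxc.apparmor.profile = $profile: set it to unconfined (Answers 2 and 3)"
            fi
        else
            echo "  cannot read $conf to check lxc.apparmor.profile"
        fi
    fi
    return "$problems"
}

# Live checks run only when invoked as: bash apparmor_check.sh --run [config]
# (assumed flag); without it the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
    diagnose "${2:-}"
fi
```

Run it against the per-container config from the log, for example bash apparmor_check.sh --run ~/.local/share/lxc/test1/config, as the same user that runs lxc-start, since CapEff is read from the script's own process. A non-zero exit status means at least one of the two conditions was found. Fixing PATH alone is only enough for a user that holds CAP_MAC_ADMIN; for an unprivileged container the log shows the failure simply moves on to namespace creation, and unconfined means the container runs without an AppArmor policy, which is the trade-off Answers 2 and 3 accept.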
