Ohai,

On Wed, Nov 01, 2017 at 12:00:12PM -0200, Antonio Terceiro wrote:
> > lxc-start 20171101123914.655 ERROR lxc_apparmor -
> > lsm/apparmor.c:apparmor_process_label_set:220 - If you really want to start
> > this container, set
> > lxc-start 20171101123914.655 ERROR lxc_apparmor -
> > lsm/apparmor.c:apparmor_process_label_set:221 - lxc.aa_allow_incomplete = 1
> > lxc-start 20171101123914.655 ERROR lxc_apparmor -
> > lsm/apparmor.c:apparmor_process_label_set:222 - in your container
> > configuration file
> So, I tried downgrading the kernel to the one in testing, rebooted, and
> now I can start containers again. So this is being caused by a change in
> the kernel between 4.13.4-2 and 4.13.10-1
>
> I still need to study the lxc code path that is being triggered to be
> able to provide more useful information. Since the issue is definitively
> related to apparmor, I am also copying the apparmor team in case they
> have any input to provide.

Can you try to set "lxc.aa_allow_incomplete = 1" in your config?

LXC expects Ubuntu's patched kernels when it comes to AppArmor, not the
upstream ones :(
And I think Debian enabled AppArmor by default in the latest kernels.

Evgeni