[PVE-User] Proxmox 5, LXC, Ubuntu 18.04: mess and weirdness

Igor Podlesny pve-user at poige.ru
Fri Jan 3 17:33:48 CET 2020


Hello!

Being sceptical about LXC's low isolation level I typically preferred KVM.
There's a circumstance (and some more of course) where KVM doesn't fit
well though:

    ZFS backed storage of hardware node.

It's either a call to pass it "as a filesystem" with some networking FS
sharing protocol, or, say, "9p",
or to format another FS over ZFS used as a block device and have it all
working together rather "so-so".
None of the above is optimal. Neither is building up a ZFS pool inside of a VM.

So, that's why I've decided to try to use LXC this time:
    Debian GNU/Linux 9.11 (stretch)
    4.15.18-24-pve x86_64
-- the latest Proxmox 5 IOW.

I've chosen 18.04 Ubuntu template that comes with Proxmox 5 and at
first it all ...
... looked good. :)

Then I realised there are strange quirks (all quirks are strange, of course) with
DNS resolving inside the CT; I ran tcpdump and ...
... it just quit w/o printing a line of output (but not immediately, as
if it waited for packets first).

dmesg on hardware node (HN) has this:

... audit: type=1400 audit(1578064533.151:56): apparmor="DENIED"
operation="file_inherit" namespace="root//lxc-30100_<-var-lib-lxc>"
profile="/usr/sbin/tcpdump" name="/dev/pts/6" pid=43675 comm="tcpdump"
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=101000
... audit: type=1400 audit(1578064538.331:60): apparmor="DENIED"
operation="getattr" info="Failed name lookup - disconnected path"
error=-13 namespace="root//lxc-30100_<-var-lib-lxc>"
profile="/usr/sbin/tcpdump" name="apparmor/.null" pid=43675
comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=165534 ouid=0

and it's not the only line related to the CT!
In fact there are some even about my manuals reading there too:

... audit: type=1400 audit(1578064494.766:49): apparmor="STATUS"
operation="profile_load"
label="lxc-30100_</var/lib/lxc>//&:lxc-30100_<-var-lib-lxc>:unconfined"
name="/usr/bin/man" pid=42514 comm="apparmor_parser"

and so on.

-- Obviously it's kinda a *crippled environment* no one would be gladly using.
(There's another question of why someone would ship a system that by
default gives you just this,
but probably it just wasn't tested.)

What in your opinion is the best way to have it fixed?

Proxmox 6?

Relaxing AppArmor's ruleset?
Turning it off completely? (I'm unsure if it's a supported mode of
operation at all.)
I tried turning on "feature" named "nesting" but it fixed neither
tcpdump malfunction nor DNS quirks themselves.

Shall a privileged CT work just fine instead?

Or is bringing KVM back instead the only sane option?
Unsure if 9p will handle a few TB storage gracefully.

-- 
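The audit records quoted above are AppArmor key="value" lines as the Proxmox host prints them in dmesg; when a container misbehaves it helps to aggregate them rather than read them one by one. The script below is an added example, not code from the post or from Proxmox: it parses such records, counts "DENIED" events per (namespace, profile, operation), and lists what each denied process tried to touch. The sample input is constructed from the records in the post plus one extra file_inherit line for a second pts (so that the counts differ); the "audit:" prefix stands in for whatever timestamp prefix dmesg adds. Note how the namespace field ties the denial to one container (lxc-30100), and that fsuid=100000 is the host-side view of the container's uid 0 under the default unprivileged-CT id mapping.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit records from a Proxmox host's dmesg.
# Constructed sample input (two records from the post + one made-up second pts).
SAMPLE_DMESG='audit: type=1400 audit(1578064533.151:56): apparmor="DENIED" operation="file_inherit" namespace="root//lxc-30100_<-var-lib-lxc>" profile="/usr/sbin/tcpdump" name="/dev/pts/6" pid=43675 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=101000
audit: type=1400 audit(1578064538.331:60): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 namespace="root//lxc-30100_<-var-lib-lxc>" profile="/usr/sbin/tcpdump" name="apparmor/.null" pid=43675 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=165534 ouid=0
audit: type=1400 audit(1578064540.002:61): apparmor="DENIED" operation="file_inherit" namespace="root//lxc-30100_<-var-lib-lxc>" profile="/usr/sbin/tcpdump" name="/dev/pts/7" pid=43690 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=101000
audit: type=1400 audit(1578064494.766:49): apparmor="STATUS" operation="profile_load" label="lxc-30100_</var/lib/lxc>//&:lxc-30100_<-var-lib-lxc>:unconfined" name="/usr/bin/man" pid=42514 comm="apparmor_parser"'

# awk helper shared by both functions: return the value of key="..." in a record,
# or "-" when the key is absent. Matching key=" (with the quote) keeps "name"
# from matching inside "namespace".
AWK_FIELD='
function field(s, key,    start) {
    if (match(s, key "=\"[^\"]*\"")) {
        start = RSTART + length(key) + 2
        return substr(s, start, RLENGTH - length(key) - 3)
    }
    return "-"
}'

# Count DENIED records per (namespace, profile, operation), most frequent first.
# Output: count<TAB>namespace<TAB>profile<TAB>operation
summarize_denials() {
    tab="$(printf '\t')"
    awk "$AWK_FIELD"'
    /apparmor="DENIED"/ {
        k = field($0, "namespace") "\t" field($0, "profile") "\t" field($0, "operation")
        n[k]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | LC_ALL=C sort -t "$tab" -k1,1rn -k2
}

# For every DENIED record show the process, the access it wanted and the object
# it was denied on. Output: comm<TAB>requested_mask<TAB>name (input order).
denied_paths() {
    awk "$AWK_FIELD"'
    /apparmor="DENIED"/ {
        print field($0, "comm") "\t" field($0, "requested_mask") "\t" field($0, "name")
    }'
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with: dmesg | summarize_denials   (or journalctl -k | denied_paths)
printf '%s\n' "$SAMPLE_DMESG" | summarize_denials
printf '%s\n' "$SAMPLE_DMESG" | denied_paths
```

The first denial is on the pseudo-terminal tcpdump inherited as stdout/stderr (operation file_inherit on /dev/pts/N), which is consistent with a tool that starts, cannot write to its terminal, and exits without output; the second is the profile failing to resolve a path that is "disconnected" from the container's mount namespace. Grouping by namespace keeps denials from different containers (or from the host itself) apart when several CTs share one host.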