`mount: /root/proc: cannot mount proc read-only.` with LXD `5.21.2-22f93f4` from snap

Hi. With the latest release of 5.21 LTS LXD this no longer works:

root@new-lxd:~# mkdir ~/proc
root@new-lxd:~# mount -tproc proc ~/proc
mount: /root/proc: cannot mount proc read-only.

This seems the relevant dmesg output:

[23758.009253] audit: type=1400 audit(1724780821.596:858): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxd-new-lxd_</var/snap/lxd/common/lxd>" name="/root/proc/" pid=56209 comm="mount" fstype="proc" srcname="proc"

One detail here is that this works with LXD 5.21.2-22f93f4 if I run it in an older instance - that is, an instance that was not created with LXD 5.21.2-22f93f4. Here with an older instance fresh-jammy:

root@fresh-jammy:~# mkdir proc
root@fresh-jammy:~# mount -tproc proc ~/proc
root@fresh-jammy:~# ls ~/proc
1    15   18   198...

I can also confirm that if I snap revert lxd to 5.21.2-34459c8, creating a new instance and mounting works:

❯ lxc shell from-lxd-34459c8 
root@from-lxd-34459c8:~# mkdir proc
root@from-lxd-34459c8:~# mount -tproc proc ~/proc
1    219...

… although even in this successful case I see a bunch of related DENIED messages in dmesg:

[24028.168328] audit: type=1400 audit(1724781091.757:1103): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=59223 comm="(networkd)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[24028.219465] audit: type=1400 audit(1724781091.808:1104): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=59225 comm="(resolved)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[24029.052061] audit: type=1400 audit(1724781092.641:1105): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=59268 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[24029.056286] audit: type=1400 audit(1724781092.645:1106): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/tmp/" pid=59261 comm="(crub_all)" flags="rw, nosuid, remount, bind"
[24029.072447] audit: type=1400 audit(1724781092.661:1107): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=59298 comm="(ostnamed)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

Any ideas? Is there anything else I can do to help debug this? Thanks!
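The AppArmor audit lines quoted above are the useful evidence here, and telling the two kinds of denial apart ("failed perms check" on the mount the user ran, versus the "failed flags match" entries from systemd's unit sandboxing that the post reports even when the mount works) is easier with a small parser than by eye. The following Python is an added example, not code from this thread or from LXD; the function names and the one extra non-AppArmor audit line in the sample are my own, and the sample input otherwise reuses the dmesg lines quoted in the post.

```python
"""Parse AppArmor (type=1400) audit lines from dmesg and summarise mount denials."""
import re
from collections import Counter

# "audit(<epoch seconds>:<serial>)" identifies each record.
_AUDIT_ID = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs: values are either double-quoted (may contain spaces and commas,
# e.g. flags="rw, nosuid, nodev, noexec") or bare (pid=56209, error=-13).
_KV = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Constructed sample: three lines copied from the post above, plus one non-AppArmor
# audit record (type=1300, made up here) to show that it is skipped.
SAMPLE_DMESG = """\
[23758.009253] audit: type=1400 audit(1724780821.596:858): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxd-new-lxd_</var/snap/lxd/common/lxd>" name="/root/proc/" pid=56209 comm="mount" fstype="proc" srcname="proc"
[24028.168328] audit: type=1400 audit(1724781091.757:1103): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/proc/" pid=59223 comm="(networkd)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
[24029.056286] audit: type=1400 audit(1724781092.645:1106): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-from-lxd-34459c8_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/tmp/" pid=59261 comm="(crub_all)" flags="rw, nosuid, remount, bind"
[24029.100000] audit: type=1300 audit(1724781092.700:1108): arch=c000003e syscall=165 success=no exit=-13
"""


def parse_audit_line(line):
    """Return a dict of fields for an AppArmor (type=1400) audit line, else None."""
    if "type=1400" not in line:
        return None
    m = _AUDIT_ID.search(line)
    if not m:
        return None
    fields = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    # Only scan key=value pairs after the audit id so the "type=1400" prefix is left out.
    for kv in _KV.finditer(line, m.end()):
        value = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        fields[kv.group("key")] = value
    return fields


def classify(event):
    """Bucket a mount denial into the two kinds seen in the thread."""
    if event.get("apparmor") != "DENIED" or event.get("operation") != "mount":
        return "other"
    if event.get("info") == "failed perms check":
        return "perms"   # the mount itself is not permitted by the profile
    if event.get("info") == "failed flags match":
        return "flags"   # the requested mount flags did not match a permitted set
    return "other"


def summarize(text):
    """Count mount denials per (profile, kind, fstype, target path) over dmesg text."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_audit_line(line)
        if event is None:
            continue
        kind = classify(event)
        if kind == "other":
            continue
        key = (event.get("profile"), kind, event.get("fstype", "-"), event.get("name"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, kind, fstype, name), n in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{n:3d}  {kind:5s}  {fstype:4s}  {name}  [{profile}]")
```

Running it on the sample separates the single "perms" denial for /root/proc/ under the new instance's profile from the "flags" entries for paths under /run/systemd/unit-root/, which is exactly the distinction the post draws between the failing mount and the background noise; feeding it `dmesg` output from a host makes the same comparison across instances straightforward.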

I've asked a colleague to look into this. Was it caused by the latest interim release?

Correct, the affected version is 22f93f4. I thought I’d comment on that topic specifically but wasn’t sure if you wanted the announcement post “polluted” with support requests, heh

1 Like

Hey Tiago,

Thanks for your report. This bug is caused by the AppArmor upgrade in LXD; I have prepared a PR with a fix:

Kind regards,
Alex

2 Likes

Thanks @amikhalitsyn

We’ll get this merged and backported into 5.21/stable ASAP.

1 Like

Thanks guys, this is a very quick turnaround! Great customer service :wink:
If you want I can test the fix once it hits 5.21/edge - just let me know.

Thanks again.

2 Likes

The fix for this is in latest/edge (equivalent to > 6.1) so feel free to test that in a throwaway environment.

1 Like

Fix for this is now in 5.21/candidate and latest/candidate.

1 Like

This is now progressively rolling out to latest/stable and 5.21/stable see