Proxmox 4.2 i-MSCP inside LXC container

  • Hello,


    I have been trying to get i-MSCP working in an LXC container that has been cloned from an OpenVZ host node. I am running i-MSCP 1.3.0. I have tried to run ./imscp-reconfigure to configure a new IP address, but it fails with a mount error when mounting from /var/log/apache2. I have tried different AppArmor profile changes on the host, the latest being following this note:


    https://github.com/i-MSCP/imsc…ca314a5b632e994846d52cec4


    I have also reloaded AppArmor on the host node after the changes.


    I have also tried with (rw, ro, remount, bind), which should give the container enough privileges to mount the log directories. Any advice, should 1.3.0 work inside LXC?

  • Tried to add a different AppArmor profile (the one with nesting enabled, it seemed to have proper mount options) to the VE configuration file under /etc/pve/local/lxc/<VMID>.conf, and even after a reload and restart of both AppArmor and the LXC container it seems that in dmesg there is still a DENIED error and it refers to the old profile. It is as if AppArmor somehow does not honour the configuration files or truly reload them. I will try to reboot the server next.

  • After the reboot it seems that AppArmor did change the profile, but I am still getting the same errors about mounting /var/log directories. I did add ro and remount to the mount options of the default-with-nesting AppArmor policy and did a reboot again. Still getting this in dmesg:


    [ 651.389206] audit: type=1400 audit(1470042501.831:144): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/var/www/virtual/website.org/logs/website.org/" pid=9264 comm="mount" flags="ro, remount, bind"
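
An added example, not part of the original posts: a small parser that groups AppArmor mount denials from dmesg by the profile that enforced them and the mount flags that were refused, which shows at a glance whether the container is really running under the profile that was edited. Only the first sample line comes from the post above; the other lines, and the function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the post above; the rest are constructed.
SAMPLE_DMESG = '''\
[ 651.389206] audit: type=1400 audit(1470042501.831:144): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/var/www/virtual/website.org/logs/website.org/" pid=9264 comm="mount" flags="ro, remount, bind"
[ 651.401877] audit: type=1400 audit(1470042501.843:145): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/var/www/virtual/example.test/logs/example.test/" pid=9270 comm="mount" flags="bind, ro, remount"
[ 120.000001] audit: type=1400 audit(1470041970.100:90): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/var/www/virtual/example.test/logs/example.test/" pid=4100 comm="mount" flags="rw, bind"
[ 652.000000] audit: type=1400 audit(1470042502.500:146): apparmor="DENIED" operation="open" profile="lxc-container-default-with-nesting" name="/proc/sysrq-trigger" pid=9300 comm="cat" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 653.000000] EXT4-fs (dm-3): mounted filesystem with ordered data mode
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def mount_denials_by_profile(text):
    """Map (profile, sorted flag tuple) -> sorted list of denied mount targets."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_denial(line)
        if not rec or rec.get("operation") != "mount":
            continue  # skip non-AppArmor lines and non-mount denials
        # Normalise flag order so "ro, remount, bind" and "bind, ro, remount" group together.
        flags = tuple(sorted(f.strip() for f in rec.get("flags", "").split(",") if f.strip()))
        grouped[(rec.get("profile", "?"), flags)].add(rec.get("name", "?"))
    return {key: sorted(paths) for key, paths in grouped.items()}


if __name__ == "__main__":
    for (profile, flags), paths in sorted(mount_denials_by_profile(SAMPLE_DMESG).items()):
        print(f"profile={profile} flags={','.join(flags)}")
        for path in paths:
            print(f"    {path}")
```
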


  • I have also tried to add an empty "lxc.cap.drop:" line to the end of VE LXC configuration to make sure that no capabilities are dropped for the VE. This has not solved the issue either.

  • @c64wolf


    There is already a thread opened for those issues. I must investigate.


    See Usage de i-MSCP dans un conteneur LXC


  • @c64wolf


    There is already a thread opened for those issues. I must investigate.


    See Usage de i-MSCP dans un conteneur LXC

    Thanks for the quick reply. I saw that thread earlier and tried the VE capability trick, but it did not work. I will keep following the situation. I am in no hurry with the VPS transfer to the new platform and in the worst case I will continue using OpenVZ. However, I would like to use i-MSCP with LXC as I desire newer kernels than the ones provided by OpenVZ.

  • LXC ... is horrible. You can use Proxmox 4.2 and i-MSCP with a KVM container. You can grow the KVM container as easily as OpenVZ or LXC and use the newest kernel versions inside the container. We have also changed all OpenVZ to KVM and it works fine, also with dist upgrades. Dist upgrades are sometimes horrible with LXC or OpenVZ.

  • @MichaelSchinzel


    The LXC containers are perfect as long as you manage them correctly ;) i-MSCP runs smoothly in LXC containers if you configure them correctly. A KVM solution is not always possible.


    Anyway here, the issue is about LXC, not KVM ;)


  • Perfect at restricting things which should not be restricted :) We had so many issues with this VT, but I think Proxmox changed something in the new version of Proxmox with LXC. Some months ago there were many issues with mail services, DNS services, ... more work for sysadmins, which is in many cases senseless.

  • @MichaelSchinzel


    You're free to not restrict them by simply setting the AppArmor profile to unconfined (which is not recommended), or by creating your own AppArmor profile. Also, you can give any permissions you want to the container.


    @c64wolf


    See i-MSCP inside an LXC container (Managed by Proxmox 4.2)
