Installing Passbolt in ProxMox LXC with OpenSuse 15.6 fails

Hi

I have tried to install Passbolt Community Edition in a ProxMox LXC using the prebuilt repos for OpenSuse.

When executing “passbolt-repo-setup.ce.sh” I receive the following error:

sysctl: permission denied on key 'kernel.apparmor_display_secid_mode'
sysctl: permission denied on key 'kernel.apparmor_restrict_unprivileged_io_uring'
sysctl: permission denied on key 'kernel.apparmor_restrict_unprivileged_userns_complain'
sysctl: permission denied on key 'kernel.apparmor_restrict_unprivileged_userns_force'
sysctl: permission denied on key 'kernel.cad_pid'
sysctl: permission denied on key 'kernel.unprivileged_userns_apparmor_policy'
sysctl: permission denied on key 'kernel.usermodehelper.bset'
sysctl: permission denied on key 'kernel.usermodehelper.inheritable'
sysctl: permission denied on key 'vm.mmap_rnd_bits'
sysctl: permission denied on key 'vm.mmap_rnd_compat_bits'
sysctl: permission denied on key 'vm.stat_refresh'

Furthermore, I tried to finish the install, but ended up with an installation where there were no file rights in place.

Is there something that should be done before running Passbolt CE in an unprivileged container in ProxMox? Or does it need to be running as a fully virtualized machine?

I should add that I’m not very interested in running docker containers in this setup.

Best regards
'Adder

Hi Adder,

Seems like your container doesn’t have the necessary permissions. Either you permit the container to modify the sysctl changes or you create a VM for it; that’s what I would do.

I’m not an expert when it comes to Proxmox, but if you want to allow it, you could try to add these options to the container:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.cap.drop: mac_admin mac_override sys_time

best regards
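
An added example, not part of the original posts: a small Python check that flags the options listed above in a Proxmox container config, since each one relaxes a layer of container isolation. The sample config, its hostname and the function name `audit_lxc_conf` are constructed for illustration.

```python
import re

# Constructed sample of a container config (/etc/pve/lxc/<vmid>.conf on a
# Proxmox host) carrying the four raw LXC options suggested in the thread.
SAMPLE_CONF = """\
arch: amd64
hostname: passbolt
ostype: opensuse
unprivileged: 1
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
lxc.cap.drop: mac_admin mac_override sys_time
"""

# key, then ':' or '=' as separator, then the (possibly empty) value
LINE_RE = re.compile(r"^([\w.\-]+)\s*[:=]\s*(.*)$")


def audit_lxc_conf(text):
    """Return (line_no, key, finding) for each isolation-weakening option."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            break  # snapshot sections follow; audit only the live config
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append((no, key, "AppArmor confinement disabled"))
        elif key in ("lxc.cgroup.devices.allow",
                     "lxc.cgroup2.devices.allow") and value == "a":
            findings.append((no, key, "access to all device nodes allowed"))
        elif key == "lxc.cap.drop" and value == "":
            # An empty value clears every capability drop set before it, so
            # only capabilities named on later lxc.cap.drop lines are dropped.
            findings.append((no, key, "earlier capability drop list cleared"))
    return findings


if __name__ == "__main__":
    for no, key, finding in audit_lxc_conf(SAMPLE_CONF):
        print(f"line {no}: {key}: {finding}")
```
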

Hi CaveChicken

I guess you are right by making a fully virtualized VM instead of an LXC container… I guess the changes needed would compromise the idea of LXC, and make it a bit insecure.

I hoped there was a script for installing in LXC, and I would think it would be a great idea, as ProxMox is gaining terrain after Broadcom’s acquisition of VMware.

Best regards
'Adder

Hi again,

Maybe there is another, less insecure solution; this was just the first thing that came to my mind.
I’m using separate VMs for most of my services, since it’s easier for me to maintain.
Maybe you’ll find a suitable solution for yourself. If you need help with something, don’t mind contacting me. :)

Best regards