This page documents how to disable AppArmor confinement for existing and new Incus containers in the raid1 project. This eliminates AppArmor DENIED spam in kernel logs and journald.
Overview
Incus generates per-container AppArmor profiles. Many containers produce constant AppArmor DENIED messages (e.g. systemd-logind mount attempts). To stop this, containers can be switched to the unconfined AppArmor profile using:
lxc.apparmor.profile=unconfined
This must be applied via each container’s raw.lxc configuration. To ensure new containers are also unconfined, the same setting is placed in the project’s default profile.
1. Disable AppArmor for Existing Containers
Check current raw.lxc configuration
incus config get <container> raw.lxc
If it contains:
lxc.apparmor.profile=generated
it must be replaced with:
lxc.apparmor.profile=unconfined
Apply unconfined profile to all containers
This loop safely merges the setting into raw.lxc without overwriting other entries:
for C in $(incus list -c n --format=csv); do
    echo ">>> Processing container: $C"
    RAW=$(incus config get "$C" raw.lxc)
    if printf '%s\n' "$RAW" | grep -q '^lxc.apparmor.profile='; then
        # A profile line already exists: rewrite its value in place.
        NEW=$(printf '%s\n' "$RAW" | sed 's/^lxc.apparmor.profile=.*/lxc.apparmor.profile=unconfined/')
    elif [ -n "$RAW" ]; then
        # raw.lxc has other settings but no profile line: prepend ours, keep the rest.
        NEW=$(printf 'lxc.apparmor.profile=unconfined\n%s\n' "$RAW")
    else
        # raw.lxc is empty: the profile line is the whole value.
        NEW='lxc.apparmor.profile=unconfined'
    fi
    incus config set "$C" raw.lxc "$NEW"
done
Restart only running containers
for C in $(incus list -c n,s --format=csv | awk -F, '$2=="RUNNING"{print $1}'); do
    echo ">>> Restarting $C"
    incus restart "$C"
done
2. Apply Unconfined AppArmor to All New Containers
New containers inherit the default profile. Add the unconfined setting there.
Switch to project raid1
incus project switch raid1
Check if raw.lxc already exists
incus profile get default raw.lxc
If raw.lxc is empty
incus profile set default raw.lxc "lxc.apparmor.profile=unconfined"
If raw.lxc contains other settings (merge manually)
Edit the default profile:
incus profile edit default
Add or adjust the block:
config:
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    <existing raw.lxc lines>
Save and exit.
Verify configuration
incus profile get default raw.lxc
Should include:
lxc.apparmor.profile=unconfined
3. Test With a New Container
incus launch images:debian/12 test-unconf
incus config get test-unconf raw.lxc
Expected output contains:
lxc.apparmor.profile=unconfined
Delete test container:
incus delete -f test-unconf
4. Verify No More AppArmor DENIED Messages
journalctl -k -f | grep 'apparmor="DENIED"'
If no new lines appear after the restarts from step 1, AppArmor confinement has been removed for all containers.
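The following helper script is an added example written for this page (it is not part of the runbook or of Incus). It covers the merge from step 1 and the check from step 4: merge_unconfined also matches "key = value" lines with spaces around the "=", which LXC accepts but the sed/grep pair above does not, and audit_containers shows the configured profile next to the one the container's init actually runs under, so a change that was never applied by a restart is visible. It assumes that "incus info" prints a "PID:" line and that it runs as root so /proc/<pid>/attr/current is readable.

```shell
#!/bin/sh
# Added example, not part of the runbook or of Incus.
set -eu

# merge_unconfined: read a raw.lxc value on stdin, print it with every
# lxc.apparmor.profile line (any spacing, any value) removed and exactly one
# lxc.apparmor.profile=unconfined appended; other keys and comments are kept.
merge_unconfined() {
    awk '
        /^[ \t]*lxc\.apparmor\.profile[ \t]*=/ { next }   # drop old profile lines
        { print }                                        # keep everything else
        END { print "lxc.apparmor.profile=unconfined" }
    '
}

# configured_profile: print the profile a raw.lxc value (stdin) selects.
# Prints "generated" when the key is absent, which is what Incus uses by default.
configured_profile() {
    awk -F= '
        /^[ \t]*lxc\.apparmor\.profile[ \t]*=/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
        }
        END { print (last == "" ? "generated" : last) }
    '
}

# audit_containers: one line per container in the current project:
# name, status, configured profile, effective profile of init ("-" if stopped).
# A configured "unconfined" next to an effective "incus-<name>_<hash> (enforce)"
# means the container still needs a restart.
audit_containers() {
    incus list -c n,s --format=csv | while IFS=, read -r name status; do
        cfg=$(incus config get "$name" raw.lxc | configured_profile)
        eff=-
        if [ "$status" = RUNNING ]; then
            pid=$(incus info "$name" | awk '/^PID:/ { print $2; exit }')
            [ -n "$pid" ] && eff=$(cat "/proc/$pid/attr/current" 2>/dev/null)
        fi
        printf '%s\t%s\t%s\t%s\n' "$name" "$status" "$cfg" "$eff"
    done
}

# Run "sh this-script.sh audit" to print the table; sourcing it only defines
# the functions (assumed usage, not an Incus interface).
case "${1-}" in
    audit) audit_containers ;;
esac
```

To rewrite one container with the helper instead of the loop above: incus config set "$C" raw.lxc "$(incus config get "$C" raw.lxc | merge_unconfined)".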
5. Additional Useful Commands While Debugging Logs
These commands are useful for watching kernel and journald activity while tuning AppArmor and Incus:
- Follow kernel messages but hide the noisy "callbacks suppressed" summaries:
dmesg -w | grep -v "callbacks suppressed"
- Follow only kernel messages via journald:
journalctl -k -f
- Edit journald configuration (to adjust log levels, wall messages, etc.):
vim /etc/systemd/journald.conf
Example journald.conf tuned to reduce noise
[Journal]
Storage=auto
RateLimitIntervalSec=30s
RateLimitBurst=10000
SystemMaxUse=1G
MaxRetentionSec=1week
ForwardToConsole=no
MaxLevelStore=warning
MaxLevelSyslog=warning
MaxLevelKMsg=warning
MaxLevelConsole=warning
MaxLevelWall=emerg
MaxLevelSocket=warning
Notes
- Only the containers become unconfined. AppArmor stays enabled on the host and continues to confine host processes.
- Namespace and cgroup isolation remain in effect; only the AppArmor layer is removed from the containers.
- Useful for container clusters where systemd inside containers causes noisy AppArmor rules.
End of document