LXC container not starting

It actually sounds like you stumbled across a bug. The referenced link directs to a patch which helps prevent these AppArmor failures. However, you'll need to know how to compile LXC from source to make use of it. I'm not sure if this patch made it into the binaries as of yet.


The workaround was to append lxc.aa_allow_incomplete = 1 to the /var/lib/lxc/[container-name]/config file.

This setting will lower the security offered by AppArmor. This is an excerpt from the lxc.container.conf(5) man page.

   lxc.aa_allow_incomplete
          Apparmor profiles are pathname based. Therefore many file
          restrictions require mount restrictions to be effective
          against a determined attacker. However, these mount
          restrictions are not yet implemented in the upstream kernel.
          Without the mount restrictions, the apparmor profiles still
          protect against accidental damage.

          If this flag is 0 (default), then the container will not be
          started if the kernel lacks the apparmor mount features, so
          that a regression after a kernel upgrade will be detected. To
          start the container under partial apparmor protection, set
          this flag to 1.
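
Because the flag stays in the config after the kernel gains the missing feature, it is worth auditing which containers still carry it. The script below is an added example, not part of the original answer or of LXC: it lists containers whose config sets lxc.aa_allow_incomplete = 1 and reports whether the running kernel exposes AppArmor mount mediation. The function names are hypothetical, the sysfs path is an assumption about where the kernel advertises that feature, the last uncommented assignment is assumed to win, and lxc.include files are not followed.

```shell
#!/bin/sh
# Added example: audit LXC configs for lxc.aa_allow_incomplete = 1.
# Assumed sysfs location of the AppArmor mount-mediation feature flag.
AA_MOUNT_MASK="${AA_MOUNT_MASK:-/sys/kernel/security/apparmor/features/mount/mask}"

# Print the effective value of lxc.aa_allow_incomplete in config file $1.
# Comment lines are skipped; the last assignment wins; the default is 0.
aa_allow_incomplete_value() {
    awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/[ \t\r]/, "", key)
            if (key == "lxc.aa_allow_incomplete") {
                val = $2; gsub(/[ \t\r]/, "", val); found = val
            }
        }
        END { print (found == "" ? 0 : found) }
    ' "$1"
}

# Print the name of every container under $1 (default /var/lib/lxc)
# that is allowed to start under partial AppArmor protection.
list_incomplete_containers() {
    lxcpath="${1:-/var/lib/lxc}"
    for cfg in "$lxcpath"/*/config; do
        [ -f "$cfg" ] || continue
        if [ "$(aa_allow_incomplete_value "$cfg")" = "1" ]; then
            basename "$(dirname "$cfg")"
        fi
    done
}

# Succeed if the kernel advertises AppArmor mount restrictions.
kernel_has_aa_mount() {
    [ -e "$AA_MOUNT_MASK" ]
}

audit_lxc_apparmor() {
    flagged="$(list_incomplete_containers "$1")"
    if kernel_has_aa_mount; then
        echo "kernel: AppArmor mount restrictions present; the flag is not needed"
    else
        echo "kernel: AppArmor mount restrictions missing; flagged containers run with partial protection"
    fi
    [ -n "$flagged" ] && printf 'containers with lxc.aa_allow_incomplete = 1:\n%s\n' "$flagged"
    return 0
}

audit_lxc_apparmor "${1:-/var/lib/lxc}"
```

Run it again after each kernel upgrade; once the first line reports the restrictions as present, the flag can be removed from the listed containers.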