Updating the service unit to avoid PrivateTmp unfortunately doesn't work in LXC without granting the necessary privileges via AppArmor on the host.
After exploring the options it seems there's no longer a way to make this work from purely within the container.
To make it work I removed all edits in the container (so got rid of the PrivateTmp config) and moved to modifying the AppArmor policies as follows:
On the host, create a new AppArmor policy at /etc/apparmor.d/lxc/lxc-dovecot and populate it with the following:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-dovecot flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny mount fstype=devpts,

  # cgroup mounts needed by systemd inside the container
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,

  # Bind/remount rules for PrivateTmp. Note that these carry no source or
  # destination restriction, so they permit bind mounts anywhere inside the
  # container; this is broader than the default LXC profile.
  mount options=(rw,bind),
  mount options=(rw,rbind),
  mount options=(rw,rshared),
  mount options=(ro,nosuid,noexec,remount,bind,strictatime),
}
Reload AppArmor with
$ systemctl restart apparmor.service
Set the container to use the new profile by adding the following line to your LXC container config, typically at /var/lib/lxc/$container/config:
# Add or edit the following line to set the apparmor profile used
lxc.apparmor.profile = lxc-container-dovecot
Restart your container:
$ lxc-stop -n $container && sleep 1 && lxc-start -d -n $container