Acl and LXC container [SOLVED]

Hi,
I was trying to set up Deployer based on this guide.

I keep getting,

setfacl: bootstrap/cache: Operation not supported

Upon investigating for solutions, I came across this.
The result of
mount | grep acl

is

lxd/containers/dev0 on / type zfs (rw,relatime,xattr,noacl)

Does that mean ACLs are not supported inside containers?
Could this be the issue with setfacl not being supported?

I am still looking to see if it could be an issue with permissions.

Found the problem. ZFS by default does not allow ACLs, at least the setfacl part.

Upon researching some more, I came across this post by @stgraber on GitHub. The post is from 2016, but there could still be potential problems with ACL + ZFS, and the solution I am posting should not be used for data-sensitive situations until @stgraber clears it.

Use

zfs list

on your server to list all container names.

You should see something like this:

NAME
lxd
lxd/containers
lxd/containers/dev0
lxd/containers/dev1
lxd/custom
lxd/deleted
lxd/images

To allow ACLs in the ZFS file system of one of your containers, use:

zfs set acltype=posixacl lxd/containers/X

where X is the name of your container.

Restart your container.

Check ACL presence using:
mount | grep acl

Mine showed :
lxd/containers/dev0 on / type zfs (rw,relatime,xattr,posixacl)

This can also be set as the default using the following command.

sudo zfs set acltype=posixacl lxd/containers

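The procedure above (find the container's dataset, set acltype=posixacl, restart, confirm with mount) as an added shell example; it is not code from the thread or from LXD. It assumes the default pool name "lxd", a container called "dev0", and that the container is restarted with `lxc restart`; the two mount lines are constructed to mirror the before/after output in the post, and the remediation is printed rather than executed so the script can be run anywhere.

```shell
#!/bin/sh
# Added example (not part of the original thread): classify the ACL state of a
# ZFS-backed LXD container from `mount` output and print the host-side fix.
# Assumptions: pool "lxd", container "dev0", restart via `lxc restart`.

# Classify one line of `mount` output by its mount options.
# Prints "posixacl", "noacl", or "unknown" (no ACL option present).
acl_state_from_mount_line() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *,posixacl,*) echo posixacl ;;
        *,noacl,*)    echo noacl ;;
        *)            echo unknown ;;
    esac
}

# Dataset name LXD uses for a container: <pool>/containers/<name>.
container_dataset() {
    printf '%s/containers/%s\n' "$1" "$2"
}

# Print (do not run) the host-side commands that fix a "noacl" container.
# `zfs set acltype=posixacl` is the command from the post; `lxc restart`
# is the assumed way to restart the container.
remediation() {
    ds=$(container_dataset "$1" "$2")
    printf 'zfs set acltype=posixacl %s\n' "$ds"
    printf 'lxc restart %s\n' "$2"
}

# Inside the container: prove ACLs work by setting one on a scratch dir.
# Not run here; call it manually after the restart.
verify_setfacl() {
    dir=$(mktemp -d) || return 1
    if setfacl -m u:www-data:rwX "$dir" 2>/dev/null; then
        getfacl "$dir"
        rm -rf "$dir"
        return 0
    fi
    echo "setfacl still not supported on $(df --output=source "$dir" | tail -n1)"
    rm -rf "$dir"
    return 1
}

# Constructed sample lines mirroring the before/after output in the post.
BEFORE='lxd/containers/dev0 on / type zfs (rw,relatime,xattr,noacl)'
AFTER='lxd/containers/dev0 on / type zfs (rw,relatime,xattr,posixacl)'

for line in "$BEFORE" "$AFTER"; do
    state=$(acl_state_from_mount_line "$line")
    echo "$line -> $state"
    if [ "$state" = noacl ]; then
        echo "Fix from the LXD host:"
        remediation lxd dev0
    fi
done
```

On a live system, feed it the real line (`mount | grep ' / '` inside the container) and confirm the property from the host with `zfs get -H -o value acltype lxd/containers/dev0`; it should read `posixacl` after the change. Note the check is on the mount options, not on the presence of the word "acl": the original `noacl` line also matches `grep acl`, which is why grepping alone is misleading.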

This is fine, LXD actually does set those attributes for you in new storage pools.

Hello Varad,

Based on the error message setfacl: bootstrap/cache: Operation not supported and the output of mount | grep acl showing noacl, it appears that Access Control Lists (ACLs) are not enabled on the filesystem where you are trying to set up Deployer. This is likely causing the issue with setfacl not being supported.

  1. ACL Not Supported Inside Containers: Your output indicates that the filesystem (in this case, ZFS) is mounted with the noacl option. This implies that ACLs, which provide more fine-grained permission control than traditional Unix permissions, are not active in your container environment (lxd/containers/dev0).
  2. Could This Be the Issue?: Yes, the absence of ACL support is likely the reason why you are encountering the setfacl error. The setfacl command is used to set access control lists on files and directories, and if the filesystem doesn’t support ACLs, the operation cannot be performed.
  3. Checking Permission Issues: Even if ACLs are not supported, you can still manage permissions using standard Unix file permissions (read, write, execute for owner, group, others). It’s worth checking if the user running the Deployer process has the necessary permissions on the bootstrap/cache directory. Ensure that the directory is writable by the user or group running the Deployer.
  4. Solutions:
  • Enable ACL on the Filesystem: If possible, you might consider enabling ACL support on your ZFS filesystem. This would involve changing the mount options to remove noacl. However, this action depends on your system’s configuration and administrative policies.
  • Workaround Without ACL: If enabling ACL is not feasible, you may need to find a workaround that does not rely on setfacl. This might involve setting broader permissions on the necessary directories, though it’s less secure than using ACLs.
  5. Further Investigation: If you continue to face issues, it might be helpful to review the documentation or forums specific to Deployer, ZFS, and your containerization platform for more tailored advice.

Remember that making changes to filesystem configurations and permissions can have significant effects, especially in a containerized environment, so proceed with caution and consider the security implications of any changes.
