ACLs not saved and restored to/from container image

I have noticed that if ACLs are applied inside a running container, e.g. setfacl -m g:foo:rwx /var/httpd/conf.d they will persist within the container instance:

[root@bar ~]# getfacl /etc/httpd/conf.d
getfacl: Removing leading '/' from absolute path names
# file: etc/httpd/conf.d
# owner: root
# group: root
user::rwx
group::rwx
group:foo:rwx
mask::rwx
other::r-x

But if you stop the instance and publish as an image, then launch a new instance from the image (lxc publish bar --alias=bar; lxc launch bar bar2) if you look at the ACLs on the new container they are not there:

[root@bar2 ~]# getfacl /etc/httpd/conf.d
getfacl: Removing leading '/' from absolute path names
# file: etc/httpd/conf.d
# owner: root
# group: root
user::rwx
group::rwx
other::r-x

I have some software that sets some ACLs as part of its RPM installation %post. As a workaround I am saving a bunch of @reboot root setfacl -m ... cronjobs in /etc/cron.d/fixacls that re-sets the same ACLs.

Is there a more elegant solution that automatically saves and restores ACLs to/from images, or perhaps only runs first boot following a lxd init/launch?

ACLs are stored in xattrs on the filesystem. I think there needs to be some magic which happens to remap the ACLs when you start up a new image, i.e. the old “foo” group is not the same as the new “foo” group on the new image.

It seems as though there is a relevant bug report about this in the past, so some features of acls are presumed to be supported:
https://github.com/lxc/lxd/issues/4862

However, I wonder if either the publish task forgets to actually save the xattrs (check inside the tarball I guess?) or whether they get stripped and incorrectly adjusted as part of the publish?

I guess you could figure out where the xattr is getting dropped would be a starting point to getting this supported?

When you say “save the attrs” do you mean something like getfacl -R / runs to save them to a file within the tarball?

Or would it be using the --xattrs feature of tar, e.g. https://www.gnu.org/software/tar/manual/html_node/Extended-File-Attributes.html

I used the lxc export bar bar.tar.gz to create a tarball of a container that had some ACLs set, then re-imported it with lxc import bar.tar.gz bar3 to a different container. The new container bar3 did not contain the ACLs.

If I just restore the tarball directly with tar --xattrs -xf bar.tar.gz the ACLs are not present.

Please try to unpack with the --acls tar option and check if ACLs are preserved.

The ACLs were not restored and got the following errors:

$ tar --acls -xf bar.tar.gz
tar: backup/container/rootfs/etc/httpd/conf.d: Warning: Cannot acl_from_text: Invalid argument
tar: backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2/system.journal: Warning: Cannot acl_from_text: Invalid argument
tar: backup/container/rootfs/var/log/journal: Warning: Cannot acl_from_text: Invalid argument

Hm, that’s good! Couldn’t you try this tar --acls -vvvxf bar.tar.gz and show output near these warnings?

Hypothesis: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004430

drwxrwxr-x+ 1000000/1000000     0 2023-04-12 13:06 backup/container/rootfs/etc/httpd/conf.d
  a: ^B
-rw-r--r--  1000000/1000000   400 2023-04-07 02:41 backup/container/rootfs/etc/httpd/conf.d/README
-rw-r--r--  1000000/1000000  2926 2023-04-07 02:38 backup/container/rootfs/etc/httpd/conf.d/autoindex.conf
-rw-r--r--  1000000/1000000  8720 2023-04-07 02:36 backup/container/rootfs/etc/httpd/conf.d/ssl.conf
-rw-rw-r--  1000998/1000995  2026 2022-12-23 15:54 backup/container/rootfs/etc/httpd/conf.d/tims-html.conf
-rw-rw-r--  1000998/1000995   569 2022-11-09 17:31 backup/container/rootfs/etc/httpd/conf.d/tims-mailhog.conf
-rw-rw-r--  1000998/1000995    74 2020-02-05 12:36 backup/container/rootfs/etc/httpd/conf.d/timsnews.conf
-rw-rw-r--  1000998/1000995   194 2020-02-05 12:36 backup/container/rootfs/etc/httpd/conf.d/trapeze.conf
-rw-r--r--  1000000/1000000  1252 2023-04-07 02:36 backup/container/rootfs/etc/httpd/conf.d/userdir.conf
-rw-r--r--  1000000/1000000   574 2023-04-07 02:36 backup/container/rootfs/etc/httpd/conf.d/welcome.conf
drwxr-xr-x  1000000/1000000     0 2023-04-12 13:06 backup/container/rootfs/etc/httpd/conf.modules.d
tar: backup/container/rootfs/etc/httpd/conf.d: Warning: Cannot acl_from_text: Invalid argument
-rw-r--r--  1000000/1000000  3311 2023-04-07 02:36 backup/container/rootfs/etc/httpd/conf.modules.d/00-base.conf
-rw-r--r--  1000000/1000000   139 2023-04-07 02:36 backup/container/rootfs/etc/httpd/conf.modules.d/00-dav.conf
-rw-r--r--  1000000/1000000         0 2023-04-12 13:06 backup/container/rootfs/var/log/httpd/ssl_request_log
drwxr-sr-x+ 1000000/1000190         0 2023-04-12 13:09 backup/container/rootfs/var/log/journal
  a: ^B,default:^B
tar: backup/container/rootfs/var/log/httpd: Warning: Cannot acl_from_text: Invalid argument
drwxr-sr-x+ 1000000/1000190         0 2023-04-18 17:54 backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2
  a: ^B,default:^B
-rw-r-----+ 1000000/1000190   8388608 2023-04-18 23:36 backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2/system.journal
  a: ^B
tar: backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2/system.journal: Warning: Cannot acl_from_text: Invalid argument
-rw-r-----  1000000/1000000   8388608 2023-04-18 17:54 backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2/system@0005f9979c77ea80-b83f56a77ccb15f1.journal~
-rw-rw-r--  1000000/1000022    292584 2023-04-18 17:54 backup/container/rootfs/var/log/lastlog
tar: backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2: Warning: Cannot acl_from_text: Invalid argument
tar: backup/container/rootfs/var/log/journal/8a711eb96bd944d4a15e7de7280637d2: Warning: Cannot acl_from_text: Invalid argument
tar: backup/container/rootfs/var/log/journal: Warning: Cannot acl_from_text: Invalid argument
tar: backup/container/rootfs/var/log/journal: Warning: Cannot acl_from_text: Invalid argument
-rw-------  1000000/1000000      9126 2023-04-18 23:12 backup/container/rootfs/var/log/maillog
-rw-------  1000000/1000000    578842 2023-04-18 23:36 backup/container/rootfs/var/log/messages
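The warnings above say acl_from_text could not parse what the archive carries for those entries, and the `a: ^B` lines show the stored value starting with byte 0x02, which is consistent with the version field of the kernel's binary posix_acl xattr layout rather than getfacl-style text. As an added example, not code from this thread, from LXD or from GNU tar, the Python below inspects an archive's pax headers for ACL data in either form, decodes the binary form into getfacl-style entries, and diffs two getfacl dumps like the ones in the original post. The pax key names (`SCHILY.acl.*` for tar's `--acls` text form, `SCHILY.xattr.*` for raw xattrs) are an assumption about what GNU tar writes; the archive contents, the numeric gid 1001 and the getfacl text are constructed samples.

```python
# Added example (not LXD or GNU tar code): find ACL data inside a tar archive,
# decode the kernel's binary posix_acl xattr form, and diff two getfacl dumps.
import io
import struct
import tarfile

# Tags from include/uapi/linux/posix_acl.h; layout from posix_acl_xattr.h:
# u32 version, then 8-byte entries of u16 tag, u16 perm, u32 id (little-endian).
POSIX_ACL_XATTR_VERSION = 2
ACL_UNDEFINED_ID = 0xFFFFFFFF
ACL_TAGS = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group", 0x10: "mask", 0x20: "other"}
NAMED_TAGS = {0x02, 0x08}  # ACL_USER / ACL_GROUP carry a numeric uid/gid
# Assumed pax keys: GNU tar --acls writes SCHILY.acl.*, --xattrs writes SCHILY.xattr.*
PAX_ACL_KEYS = {
    "SCHILY.acl.access": ("text", "access"), "SCHILY.acl.default": ("text", "default"),
    "SCHILY.xattr.system.posix_acl_access": ("xattr", "access"),
    "SCHILY.xattr.system.posix_acl_default": ("xattr", "default"),
}

def perm_str(perm):
    return "".join(c if perm & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

def decode_posix_acl_xattr(blob):
    """Render a binary system.posix_acl_* value as getfacl-style entries."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("not a posix_acl xattr value")
    if struct.unpack_from("<I", blob, 0)[0] != POSIX_ACL_XATTR_VERSION:
        raise ValueError("unsupported posix_acl version")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, off)
        # Named entries hold a raw id, not a name: a uid/gid shift applied to the
        # files has to be applied here too, or the entry targets the wrong principal.
        entries.append("%s:%s:%s" % (ACL_TAGS[tag], str(ident) if tag in NAMED_TAGS else "", perm_str(perm)))
    return entries

def encode_posix_acl_xattr(entries):
    """Inverse of decode; only used to build sample input. entries: (tag, perm, id|None)."""
    out = bytearray(struct.pack("<I", POSIX_ACL_XATTR_VERSION))
    for tag, perm, ident in entries:
        out += struct.pack("<HHI", tag, perm, ACL_UNDEFINED_ID if ident is None else ident)
    return bytes(out)

def acls_in_archive(data):
    """Return {member: {"access"|"default": (form, entries)}} for members carrying ACL data."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            found = {}
            for key, value in member.pax_headers.items():
                if key not in PAX_ACL_KEYS:
                    continue
                form, kind = PAX_ACL_KEYS[key]
                if form == "text":  # newline- or comma-separated entries
                    entries = [e.strip() for e in value.replace(",", "\n").split("\n") if e.strip()]
                else:  # tarfile returns binary pax values as surrogate-escaped str
                    entries = decode_posix_acl_xattr(value.encode("utf-8", "surrogateescape"))
                found[kind] = (form, entries)
            if found:
                report[member.name] = found
    return report

def build_sample_archive():
    """Constructed archive: one directory with a text-form ACL, one with the raw xattr blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        as_text = tarfile.TarInfo("rootfs/etc/httpd/conf.d")
        as_text.type = tarfile.DIRTYPE
        as_text.pax_headers = {"SCHILY.acl.access": "user::rwx\ngroup::rwx\ngroup:foo:rwx\nmask::rwx\nother::r-x\n"}
        tf.addfile(as_text)
        as_xattr = tarfile.TarInfo("rootfs/var/log/journal")
        as_xattr.type = tarfile.DIRTYPE
        blob = encode_posix_acl_xattr([(0x01, 7, None), (0x04, 7, None), (0x08, 7, 1001), (0x10, 7, None), (0x20, 5, None)])
        as_xattr.pax_headers = {"SCHILY.xattr.system.posix_acl_access": blob.decode("utf-8", "surrogateescape")}
        tf.addfile(as_xattr)
    return buf.getvalue()

def parse_getfacl(text):
    """Parse getfacl output into {path: [entries]}, skipping comment and warning lines."""
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = []
        elif not line:
            current = None
        elif current is not None and not line.startswith(("#", "getfacl:")):
            acls[current].append(line)
    return acls

def missing_entries(before_text, after_text):
    """Entries present in the first getfacl dump but absent from the second."""
    before, after = parse_getfacl(before_text), parse_getfacl(after_text)
    lost = {p: sorted(set(e) - set(after.get(p, []))) for p, e in before.items()}
    return {p: e for p, e in lost.items() if e}

# Constructed from the two getfacl runs in the original post.
GETFACL_BEFORE = "getfacl: Removing leading '/' from absolute path names\n# file: etc/httpd/conf.d\n# owner: root\n# group: root\nuser::rwx\ngroup::rwx\ngroup:foo:rwx\nmask::rwx\nother::r-x\n"
GETFACL_AFTER = "# file: etc/httpd/conf.d\n# owner: root\n# group: root\nuser::rwx\ngroup::rwx\nother::r-x\n"

if __name__ == "__main__":
    for name, kinds in acls_in_archive(build_sample_archive()).items():
        for kind, (form, entries) in kinds.items():
            print(name, kind, form, ",".join(entries))
    print("lost after round trip:", missing_entries(GETFACL_BEFORE, GETFACL_AFTER))
```

Run against a real export (`acls_in_archive(open("bar.tar.gz", "rb").read())`) this answers the question raised earlier in the thread of whether the publish/export step stores ACLs at all, and in which form. The decoder also makes the remapping concern concrete: a named `group:` entry in the binary xattr is a bare gid, so it has to be shifted together with the file ownership (the `1000000/1000000` numbers in the listing above) or it ends up pointing at a different group in the new instance.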

Yes, looks related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004430

cc @tomp

I just tried this on Ubuntu Jammy and it doesn’t appear to be an issue there:

lxc launch images:ubuntu/jammy c1
lxc exec c1 -- apt install acl -y
lxc exec c1 -- groupadd foo
lxc exec c1 -- setfacl -m g:foo:rwx ./foo
lxc exec c1 -- getfacl foo
# file: foo
# owner: root
# group: root
user::rw-
group::r--
group:foo:rwx
mask::rwx
other::r--
lxc stop c1
lxc publish c1
Instance published with fingerprint: e20a9ff0b6e6877d2680ee8798db97a0ab0cd735f72047988ea3a4dfe95a60d5
lxc delete -f c1
lxc launch e20a9ff0b6e6877d2680ee8798db97a0ab0cd735f72047988ea3a4dfe95a60d5 c1
Creating c1
Starting c1                                
lxc exec c1 -- getfacl foo
# file: foo
# owner: root
# group: root
user::rw-
group::r--
group:foo:rwx
mask::rwx
other::r--
lxc export c1 /home/user/c1.tar.gz
lxc delete -f c1
lxc import /home/user/c1.tar.gz
lxc start c1
lxc exec c1 -- getfacl foo
# file: foo
# owner: root
# group: root
user::rw-
group::r--
group:foo:rwx
mask::rwx
other::r--

What LXD version and host OS is this?

What LXD version and host OS is this?

I tried again today using LXD 5.13 on Ubuntu Jammy host and guest. ACLs were not restored same as original post.

Are you able to run a test using a fresh LXD VM, and then install LXD inside it and test with a LXD container?

lxc launch images:ubuntu/jammy v1 --vm
lxc exec v1 -- apt install snapd -y
lxc exec v1 -- snap install lxd
lxc exec v1 -- lxd init
...etc

It will be interesting to see if you have this issue on a fresh VM running LXD.

I created a VM named v1 and installed LXD inside that as per your suggestion above. I then executed the test on both, side by side, in a tmux session. Same issue occurs on both.

The following image is my tmux session. Left is tgapsyd1dbd03, the base LXD host, an Ubuntu Jammy VMware VM with LXD 5.14 installed via snap. Right is v1, the LXD VM created within tgapsyd1dbd03 as per your prior comment.

Not preserved for me either (LXD 5.14), tested with fresh Ubuntu 22.04.2 LTS servers on two different bare-bones machines, and mask and other get lost when exporting/importing a normal container.

Thanks.

Are you able to log an issue over at https://github.com/lxc/lxd/issues with the reproducer steps so we don’t lose track of it?

Thanks

Done https://github.com/lxc/lxd/issues/11901
