Alpine VM Failed to connect to lxd-agent

(topic withdrawn by author, will be automatically deleted in 24 hours unless flagged)

You might need to disable secure boot:

lxc config set <instance> security.secureboot=false

If I am understanding correctly, VMs created by KVM have this disabled by default, and VMs created by LXD have this enabled by default.

Correct. We primarily support secure boot by default. But some images cannot support secure boot because their kernels don’t support it, so you have to disable it.

We’ve had discussions about adding support to our image format to either automatically disable secure boot for the images that need it, or at least show a warning.

@tomp: Is it possible to know from somewhere in the LXD env the reasons why something is not working? In this case, that it is due to secureboot=true? I would like to be able to discover the reasons behind issues that I am having at the moment. For instance, journalctl -xfu snap.lxd.daemon.service does not show anything while the VM is booting. Also, lxc info --show-log does not show anything useful except for “warning: tap: open vhost char device failed: Permission denied”. So, if those would be dumped somewhere, that would be nice to know. Thanks in advance for any kind of tips/leads.

Unfortunately, no, because it’s all happening within the VM and LXD has no visibility inside of it. Your only real hint is if you use lxc console and see the Access Denied error from the firmware.

That’s definitely a difference between VM and containers. With containers we can inspect everything from the host and most of the boot time setup is done directly by us so we have pretty reasonable logging.

For VMs, once the virtual hardware configuration is done and the firmware is put in place, it’s all a big black box. From LXD’s point of view, it’s just one big fat process running on the system and it only gets to know something about the guest once the lxd-agent starts after boot (assuming it’s present at all).

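Added example, not part of the thread or of LXD itself: since LXD cannot see inside the guest, the host-side configuration is the one place to track which VMs have had secure boot turned off. This sketch reads inventory in the shape of `lxc list --format json` and reports whether the setting comes from the instance or from a profile; the instance names and sample data are constructed.

```python
import json
import subprocess

# Constructed sample in the shape of `lxc list --format json` (not real output).
SAMPLE = json.dumps([
    {"name": "alpine-vm", "type": "virtual-machine", "status": "Running",
     "config": {"security.secureboot": "false"},
     "expanded_config": {"security.secureboot": "false"}},
    {"name": "ubuntu-vm", "type": "virtual-machine", "status": "Running",
     "config": {}, "expanded_config": {}},
    {"name": "lab-vm", "type": "virtual-machine", "status": "Stopped",
     "config": {}, "expanded_config": {"security.secureboot": "false"}},
    {"name": "web-ct", "type": "container", "status": "Running",
     "config": {}, "expanded_config": {}},
])

# String values LXD parses as boolean false.
FALSY = {"false", "0", "no", "off"}


def secureboot_disabled(instances_json):
    """Return sorted [(name, source)] for VMs whose effective
    security.secureboot is off. source is "instance" when the key is set on
    the instance itself and "profile" when it is inherited."""
    findings = []
    for inst in json.loads(instances_json):
        if inst.get("type") != "virtual-machine":
            continue  # the key only applies to VMs
        expanded = inst.get("expanded_config") or {}
        effective = expanded.get("security.secureboot", "true")  # default: on
        if effective.strip().lower() not in FALSY:
            continue
        local = (inst.get("config") or {}).get("security.secureboot")
        findings.append((inst["name"], "instance" if local is not None else "profile"))
    return sorted(findings)


def live_inventory():
    """Fetch the real inventory from the local LXD (default project)."""
    return subprocess.run(["lxc", "list", "--format", "json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, source in secureboot_disabled(SAMPLE):
        print(f"{name}: secure boot disabled (set via {source})")
```

Pass `live_inventory()` instead of `SAMPLE` to run it against a real host.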