Applying "security.privileged" via profile does not have an effect

lxd

(Norman Kabir) #1

I created a profile called privileged:

config:
  security.privileged: "true"
description: create privileged container
devices: {}
name: privileged

When I stop a container and apply the profile, it has no effect. However, if I explicitly set security.privileged to true via command line, it works as expected.

I have another profile called nesting that works as expected when the profile is applied for the security.nesting value.

security.nesting profile has desired effect
security.privileged profile does not

Is security.privileged a special value that must be explicitly set outside of a profile?


(Stéphane Graber) #2

What does lxc config show --expanded NAME show for the container?


(Norman Kabir) #3

Thank you for your reply!

In the session below, I do the following:

  1. Show config --expanded
  2. Show privileged profile
  3. Apply privileged profile
  4. Show config --expanded again (no change)

[feature/mockup-to-bash U:4] $ lxc config show x0ipacentos-scaffold --expanded
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20180724)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20180724"
  image.version: "18.04"
  raw.idmap: both 1001 1001
  security.nesting: "true"
  security.privileged: "no"
  volatile.apply_template: copy
  volatile.base_image: 38219778c2cf02521f34f950580ce3af0e4b61fbaf2b4411a7a6c4f0736071f9
  volatile.eth0.hwaddr: 00:16:3e:f6:2d:44
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1001},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":101002,"Nsid":1002,"Maprange":64534},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1001},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":101002,"Nsid":1002,"Maprange":64534}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: STOPPED
devices:
  backup:
    path: /srv/backup
    source: /home/nkabir/.local/srv/backup
    type: disk
  bench:
    path: /opt/bench
    source: /home/nkabir/labkey/bench
    type: disk
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  homedir:
    path: /opt/user
    source: /home/nkabir
    type: disk
  kvm:
    path: /dev/kvm
    type: unix-char
  lxd:
    path: /opt/lxd
    source: /home/nkabir/labkey/bench/xpack/unstable/net/x0ipacentos/container/lxd/x0ipacentos
    type: disk
  project:
    path: /opt/project
    source: /home/nkabir/labkey/bench/xpack/unstable/net/x0ipacentos
    type: disk
  repo:
    path: /opt/repo
    source: /home/nkabir/.local/share/xaptly/public
    type: disk
  root:
    path: /
    pool: default
    type: disk
  vhost-net:
    path: /dev/vhost-net
    type: unix-char
ephemeral: false
profiles:
- default
- privileged
- nesting
stateful: false
description: ""


[feature/mockup-to-bash U:4] $ lxc profile show privileged
config:
  security.privileged: "true"
description: create privileged container
devices: {}
name: privileged
used_by:
- /1.0/containers/demo
- /1.0/containers/x0ipacentos-scaffold

~/labkey/bench/xpack/unstable/net/x0ipacentos
[feature/mockup-to-bash U:4] $ lxc profile apply x0ipacentos-scaffold default,privileged
Profiles default,privileged applied to x0ipacentos-scaffold

[feature/mockup-to-bash U:4] $ lxc config show x0ipacentos-scaffold --expanded
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20180724)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20180724"
  image.version: "18.04"
  raw.idmap: both 1001 1001
  security.privileged: "no"
  volatile.apply_template: copy
  volatile.base_image: 38219778c2cf02521f34f950580ce3af0e4b61fbaf2b4411a7a6c4f0736071f9
  volatile.eth0.hwaddr: 00:16:3e:f6:2d:44
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1001},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":101002,"Nsid":1002,"Maprange":64534},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1001},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1001,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":101002,"Nsid":1002,"Maprange":64534}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: STOPPED
devices:
  backup:
    path: /srv/backup
    source: /home/nkabir/.local/srv/backup
    type: disk
  bench:
    path: /opt/bench
    source: /home/nkabir/labkey/bench
    type: disk
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  homedir:
    path: /opt/user
    source: /home/nkabir
    type: disk
  kvm:
    path: /dev/kvm
    type: unix-char
  lxd:
    path: /opt/lxd
    source: /home/nkabir/labkey/bench/xpack/unstable/net/x0ipacentos/container/lxd/x0ipacentos
    type: disk
  project:
    path: /opt/project
    source: /home/nkabir/labkey/bench/xpack/unstable/net/x0ipacentos
    type: disk
  repo:
    path: /opt/repo
    source: /home/nkabir/.local/share/xaptly/public
    type: disk
  root:
    path: /
    pool: default
    type: disk
  vhost-net:
    path: /dev/vhost-net
    type: unix-char
ephemeral: false
profiles:
- default
- privileged
stateful: false
description: ""



(Stéphane Graber) #4

Local container configuration always overrides whatever the profiles contain.

It looks like your container has security.privileged set directly in its config, so no matter what profiles say, it’s what you’ll get.

Run lxc config edit x0ipacentos-scaffold and delete that key (and any other that you want to have come through profiles); --expanded should then show you the value that's coming through profiles.
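To make the precedence rule concrete, the following is an added Python model of how the expanded config is derived (example code, not LXD's implementation and not posted in the thread); the profile contents are constructed to mirror the ones shown above, and shadowed_keys is a hypothetical audit helper for spotting local keys that mask profile policy.

```python
"""Added example (not from the thread): how a container's expanded config is
resolved, plus a check for local keys that shadow profile settings.

Assumption: profiles are merged in list order, with later profiles winning
among profiles, and the container's own (local) config is then overlaid on
top, so local config always overrides whatever the profiles contain.
Sample data is constructed to mirror the thread, not read from a daemon."""

# Constructed profile definitions (only the config: section matters here).
PROFILES = {
    "default": {},
    "privileged": {"security.privileged": "true"},
    "nesting": {"security.nesting": "true"},
}


def expand_config(local_config, profile_names, profiles=PROFILES):
    """Return the effective ("--expanded") config for a container."""
    expanded = {}
    # Profiles are merged in order: a later profile wins among profiles...
    for name in profile_names:
        expanded.update(profiles[name])
    # ...but local container config overrides whatever the profiles contain.
    expanded.update(local_config)
    return expanded


def shadowed_keys(local_config, profile_names, profiles=PROFILES):
    """Local keys whose value differs from what the profiles would supply.

    A local security.privileged "no" silently masks a profile "true", and a
    local "true" would equally mask a profile "no", so both are worth flagging.
    Returns {key: (local_value, profile_value)} for every such conflict."""
    from_profiles = expand_config({}, profile_names, profiles)
    return {
        key: (value, from_profiles[key])
        for key, value in local_config.items()
        if key in from_profiles and from_profiles[key] != value
    }


if __name__ == "__main__":
    # Mirrors the thread: the key is set locally, so the profile has no effect.
    local = {"security.privileged": "no", "raw.idmap": "both 1001 1001"}
    print(expand_config(local, ["default", "privileged", "nesting"]))
    print(shadowed_keys(local, ["default", "privileged", "nesting"]))
    # After `lxc config edit` removes the local key, the profile value shows.
    del local["security.privileged"]
    print(expand_config(local, ["default", "privileged"]))
```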


(Norman Kabir) #5

Ah. I was under the impression that “last profile wins”. Thank you very much for the clarification!