Cannot start Incus container after add security.syscalls.intercept.mount: "true"

x32767 · August 24, 2024, 11:39am

I am trying to install Waydroid headlessly into my Incus container on a Debian bookworm VM hosted on my Raspberry PI 5. I want the container itself be as secure as possible.

First thing I encountered is that Waydroid needs binder devices. I finally handled this with:

linux.kernel_modules: binder_linux
devices:
  binder:
    source: /dev/binder
    type: unix-char
  hwbinder:
    source: /dev/hwbinder
    type: unix-char
  vndbinder:
    source: /dev/vndbinder
    type: unix-char

I’m not sure if this is a secure solution by exposing these devices from my host. But Debian 12 Linux kernel seems to support only binder_linux but not binderfs.

Second thing I encountered is that after I tried to start, Waydroid tried mount:

$ waydroid session start
RuntimeError: Command failed: % mount -o ro /var/lib/waydroid/images/system.img /var/lib/waydroid/rootfs

I found the file is in ext2 format:

$ file /var/lib/waydroid/images/system.img
/var/lib/waydroid/images/system.img: Linux rev 1.0 ext2 filesystem data, UUID=xxx (extents) (large files) (huge files)

So after stopping the container, I added:

security.syscalls.intercept.mount: "true"
security.syscalls.intercept.mount.fuse: "ext2=fuse2fs"
security.syscalls.intercept.mount.shift: "true"

Then I cannot start my container again by issuing “incus start …”. Every time after I use the command, “incus list” reports it’s not starting. Also “incus info … --show-log” and /var/log/incus/ has nothing related in log.

I narrow this down and find even if I only enable the mount option itself, I still cannot start the container:

security.syscalls.intercept.mount: "true"

I use bookworm-backports with Incus version 6.0.1.
Is this config option not supported by this version of Incus or some other reason?

simos · August 24, 2024, 3:49pm

I am also interested in this (running Waydroid in Incus instead of the default with LXC).

x32767 · August 24, 2024, 4:04pm

Yeah, that’s interesting. But the problem I encountered now is that I can not even start the container after adding security.syscalls.intercept.mount: "true". I just tried other container without Waydroid and same thing happened.
I also upgraded to use the version 6.4 from Zabbly. Nothing changed.

simos · August 24, 2024, 4:16pm

If you have some reproducible example, it would help to get more people to try things out.

For the case of mounting an image, does this help? incus storage volume import - Incus documentation

x32767 · August 24, 2024, 4:46pm

The setup is:
Host: Raspberry PI 5 Model B 8GB with Raspberry Pi OS Lite 64bit (without desktop).
Then create VM with libvirt from Debian bookworm net-inst iso without desktop.
And just install the official incus, create a container (I use images:ubuntu/noble) and then add the option under config: section:

security.syscalls.intercept.mount: "true"

I don’t think I added something special into them. I may try this setup on brand new VM later to see if same thing happens.

I just want to let the container mount the images itself. Because the images are inside the container’s control, if I mount them from outside, I need to make sure it cannot modify them directly to prevent security concern. Also, it will be convenient if it can mount them by itself.

x32767 · August 25, 2024, 3:12am

I tested on brand new VM on my another machine Raspberry Pi 400, and I can reproduce it on that. Actually I also installed another Ubuntu VM and this is also presented on that too. (Just FYI, I tried LXD also and that has same problem on that VM, but we cannot do anything about LXD.) Maybe this is presented on all arm64 machines?
I have created an issue on github.

bruce78 · September 20, 2024, 8:27am

So I’m also trying to run Waydroid in an incus container… Re-reading the above, am I right to assume that loading the ashmem_linux and binder_linux kernel modules are done on the host and then exposed to the container above as per the first post?

sudo modprobe ashmem_linux
sudo modprobe binder_linux

It also seems that the github issue linked in this thread implies a solution has been found if you are running the latest version of incus 6.0?

github.com/lxc/incus

Cannot start Incus container in arm64 VM created on top of Raspberry Pi OS after adding security.syscalls.intercept.mount: "true"

opened 03:02AM - 25 Aug 24 UTC

closed 02:28AM - 05 Sep 24 UTC

x32767

Bug Incomplete

# Required information * Distribution: Debian * Distribution version: Debi…an 12 (bookworm) arm64 (installed from debian-12.6.0-arm64-netinst.iso) ``` Linux debian 6.1.0-23-arm64 #1 SMP Debian 6.1.99-1 (2024-07-15) aarch64 GNU/Linux ``` * The output of "incus info" or if that fails: ``` test@debian:~$ incus info config: {} api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - network_sriov - console - restrict_dev_incus - migration_pre_copy - infiniband - dev_incus_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - dev_incus_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - backup_compression - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - snapshot_schedule_aliases - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency - custom_block_volumes - clustering_failure_domains - resources_gpu_mdev - console_vga_type - projects_limits_disk - network_type_macvlan - network_type_sriov - container_syscall_intercept_bpf_devices - network_type_ovn - projects_networks - projects_networks_restricted_uplinks - custom_volume_backup - backup_override_name - storage_rsync_compression - network_type_physical - network_ovn_external_subnets - network_ovn_nat - network_ovn_external_routes_remove - tpm_device_type - storage_zfs_clone_copy_rebase - gpu_mdev - resources_pci_iommu - resources_network_usb - resources_disk_address - network_physical_ovn_ingress_mode - network_ovn_dhcp - network_physical_routes_anycast - projects_limits_instances - network_state_vlan - instance_nic_bridged_port_isolation - instance_bulk_state_change - network_gvrp - instance_pool_move - gpu_sriov - pci_device_type - storage_volume_state - network_acl - migration_stateful - disk_state_quota - storage_ceph_features - projects_compression - projects_images_remote_cache_expiry - certificate_project - network_ovn_acl - projects_images_auto_update - projects_restricted_cluster_target - images_default_architecture - network_ovn_acl_defaults - gpu_mig - project_usage - network_bridge_acl - warnings - projects_restricted_backups_and_snapshots - clustering_join_token - clustering_description - server_trusted_proxy - clustering_update_cert - storage_api_project - server_instance_driver_operational - server_supported_storage_drivers - event_lifecycle_requestor_address - resources_gpu_usb - clustering_evacuation - network_ovn_nat_address - network_bgp - network_forward - custom_volume_refresh - network_counters_errors_dropped - metrics - image_source_project - clustering_config - network_peer - linux_sysctl - network_dns - ovn_nic_acceleration - certificate_self_renewal - instance_project_move - storage_volume_project_move - cloud_init - network_dns_nat - database_leader - instance_all_projects - clustering_groups - ceph_rbd_du - instance_get_full - qemu_metrics - gpu_mig_uuid - event_project - clustering_evacuation_live - instance_allow_inconsistent_copy - network_state_ovn - storage_volume_api_filtering - image_restrictions - storage_zfs_export - network_dns_records - storage_zfs_reserve_space - network_acl_log - storage_zfs_blocksize - metrics_cpu_seconds - instance_snapshot_never - certificate_token - instance_nic_routed_neighbor_probe - event_hub - agent_nic_config - projects_restricted_intercept - metrics_authentication - images_target_project - images_all_projects - cluster_migration_inconsistent_copy - cluster_ovn_chassis - container_syscall_intercept_sched_setscheduler - storage_lvm_thinpool_metadata_size - storage_volume_state_total - instance_file_head - instances_nic_host_name - image_copy_profile - container_syscall_intercept_sysinfo - clustering_evacuation_mode - resources_pci_vpd - qemu_raw_conf - storage_cephfs_fscache - network_load_balancer - vsock_api - instance_ready_state - network_bgp_holdtime - storage_volumes_all_projects - metrics_memory_oom_total - storage_buckets - storage_buckets_create_credentials - metrics_cpu_effective_total - projects_networks_restricted_access - storage_buckets_local - loki - acme - internal_metrics - cluster_join_token_expiry - remote_token_expiry - init_preseed - storage_volumes_created_at - cpu_hotplug - projects_networks_zones - network_txqueuelen - cluster_member_state - instances_placement_scriptlet - storage_pool_source_wipe - zfs_block_mode - instance_generation_id - disk_io_cache - amd_sev - storage_pool_loop_resize - migration_vm_live - ovn_nic_nesting - oidc - network_ovn_l3only - ovn_nic_acceleration_vdpa - cluster_healing - instances_state_total - auth_user - security_csm - instances_rebuild - numa_cpu_placement - custom_volume_iso - network_allocations - zfs_delegate - storage_api_remote_volume_snapshot_copy - operations_get_query_all_projects - metadata_configuration - syslog_socket - event_lifecycle_name_and_project - instances_nic_limits_priority - disk_initial_volume_configuration - operation_wait - image_restriction_privileged - cluster_internal_custom_volume_copy - disk_io_bus - storage_cephfs_create_missing - instance_move_config - ovn_ssl_config - certificate_description - disk_io_bus_virtio_blk - loki_config_instance - instance_create_start - clustering_evacuation_stop_options - boot_host_shutdown_action - agent_config_drive - network_state_ovn_lr - image_template_permissions - storage_bucket_backup - storage_lvm_cluster - shared_custom_block_volumes - auth_tls_jwt - oidc_claim - device_usb_serial - numa_cpu_balanced - image_restriction_nesting - network_integrations - instance_memory_swap_bytes - network_bridge_external_create - network_zones_all_projects - storage_zfs_vdev - container_migration_stateful - profiles_all_projects - instances_scriptlet_get_instances - instances_scriptlet_get_cluster_members - instances_scriptlet_get_project - network_acl_stateless - instance_state_started_at - networks_all_projects - network_acls_all_projects - storage_buckets_all_projects - resources_load - instance_access - project_access - projects_force_delete - resources_cpu_flags - disk_io_bus_cache_filesystem - instance_oci - clustering_groups_config - instances_lxcfs_per_instance - clustering_groups_vm_cpu_definition - disk_volume_subpath - projects_limits_disk_pool - network_ovn_isolated api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls auth_user_name: test auth_user_method: unix environment: addresses: [] architectures: - aarch64 - armv6l - armv7l - armv8l certificate: | -----BEGIN CERTIFICATE----- MIIB/jCCAYSgAwIBAgIRAPqnxLtjZ4g0E5CjfZstl28wCgYIKoZIzj0EAwMwMTEZ MBcGA1UEChMQTGludXggQ29udGFpbmVyczEUMBIGA1UEAwwLcm9vdEBkZWJpYW4w HhcNMjQwODI1MDE1MjE2WhcNMzQwODIzMDE1MjE2WjAxMRkwFwYDVQQKExBMaW51 eCBDb250YWluZXJzMRQwEgYDVQQDDAtyb290QGRlYmlhbjB2MBAGByqGSM49AgEG BSuBBAAiA2IABNOqpWps74h3NFJSTY+PyekYBlDnwNK15sArvYa5qGvqVrT9L5un Q7Hd1Yt82QiMlQNYXt1P0rpU1EN7+9Vf7KpDyijBtfpBGo6Gbn2YAn5gqF2RPKEx c281q0yEKSDo66NgMF4wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUF BwMBMAwGA1UdEwEB/wQCMAAwKQYDVR0RBCIwIIIGZGViaWFuhwR/AAABhxAAAAAA AAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2gAMGUCMDOhbWdO1RV0K5Xaftr7zVNM PdJAImQQCgDBOSX2FKjvV9mywJ6GbeFSkv03t6RXKQIxAM+cMui2cd+RYP7Jt9iJ xvUDqPdXaGFr+8jdxrEJaVLFdOKkeUKV98AJdjCYQKR0gQ== -----END CERTIFICATE----- certificate_fingerprint: cafa26b29f6f3cb4b88cffd3c34be6c2faf401a77433ff2221f3324b6cbd9f12 driver: lxc driver_version: 6.0.1 firewall: nftables kernel: Linux kernel_architecture: aarch64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" uevent_injection: "true" unpriv_binfmt: "false" unpriv_fscaps: "true" kernel_version: 6.1.0-23-arm64 lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Debian GNU/Linux os_version: "12" project: default server: incus server_clustered: false server_event_mode: full-mesh server_name: debian server_pid: 399 server_version: "6.4" storage: dir storage_version: "1" storage_supported_drivers: - name: dir version: "1" remote: false ``` * Incus version: ``` incus/bookworm,now 1:6.4-202408230443-debian12 arm64 [installed] ``` * Storage backend in use: `dir` # Issue description Container in above environment cannot start after setting `security.syscalls.intercept.mount: "true"` to config. Firstly I was trying to install Waydroid headlessly into an Incus container inside a libvirt VM on Raspberry Pi OS Lite. Later I encounter this issue when trying to enable mount capability for the container. [More info](https://discuss.linuxcontainers.org/t/cannot-start-incus-container-after-add-security-syscalls-intercept-mount-true/21437). Later I found even for brand new VM, this issue still occurs. # Steps to reproduce 1. Create a libvirt VM of arm64 with above environment on Raspberry Pi OS on Raspberry Pi 400 (or Raspberry Pi OS Lite on Raspberry Pi 5 Model B 8GB, both tested). Actually I think you may also reproduce it with any kind of arm64 machine or VM, but the above are the environments I tested. 2. Install Incus stable (6.4) from [https://github.com/zabbly/incus](https://github.com/zabbly/incus) or 6.0.1 from bookworm-backports. 3. ``` test@debian:~$ incus admin init Would you like to use clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=incusbr0]: What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: Would you like the server to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: Would you like a YAML "init" preseed to be printed? (yes/no) [default=no]: test@debian:~$ incus list +------+-------+------+------+------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +------+-------+------+------+------+-----------+ test@debian:~$ incus launch images:ubuntu/22.04 Launching the instance Instance name is: square-crayfish test@debian:~$ incus list +-----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+ | square-crayfish | RUNNING | 10.27.74.228 (eth0) | fd42:c039:54ad:a040:216:3eff:feae:da39 (eth0) | CONTAINER | 0 | +-----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+ test@debian:~$ incus stop square-crayfish test@debian:~$ incus config set square-crayfish security. security.guestapi security.protection.delete test@debian:~$ incus config set square-crayfish security.syscalls.intercept.mount=true test@debian:~$ incus list +-----------------+---------+------+------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------------+---------+------+------+-----------+-----------+ | square-crayfish | STOPPED | | | CONTAINER | 0 | +-----------------+---------+------+------+-----------+-----------+ test@debian:~$ incus start square-crayfish test@debian:~$ incus list +-----------------+---------+------+------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------------+---------+------+------+-----------+-----------+ | square-crayfish | STOPPED | | | CONTAINER | 0 | +-----------------+---------+------+------+-----------+-----------+ test@debian:~$ incus start square-crayfish --console To detach from the console, press: <ctrl>+a q Error: Failed running forkconsole: "container is not running: \"square-crayfish\"" Error: stat /proc/-1: no such file or directory test@debian:~$ ``` # Information to attach `incus monitor --pretty` log when starting the container. It seems the container started and then quickly stopped. ``` test@debian:~$ incus monitor --pretty DEBUG [2024-08-24T21:36:57-05:00] Event listener server handler started id=e8436c89-2b61-4c76-83b8-8d4156718e04 local=/var/lib/incus/unix.socket remote=@ DEBUG [2024-08-24T21:37:01-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0 username=test DEBUG [2024-08-24T21:37:01-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0/instances/square-crayfish username=test DEBUG [2024-08-24T21:37:01-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0/events username=test DEBUG [2024-08-24T21:37:01-05:00] Event listener server handler started id=1076e0a6-5a43-4ac0-b5a0-d4d627e4497d local=/var/lib/incus/unix.socket remote=@ DEBUG [2024-08-24T21:37:01-05:00] Handling API request ip=@ method=PUT protocol=unix url=/1.0/instances/square-crayfish/state username=test DEBUG [2024-08-24T21:37:01-05:00] New operation class=task description="Starting instance" operation=dd34990a-865e-4fa8-bace-b90ccc987f08 project=default INFO [2024-08-24T21:37:01-05:00] ID: dd34990a-865e-4fa8-bace-b90ccc987f08, Class: task, Description: Starting instance CreatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Pending StatusCode=Pending UpdatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" INFO [2024-08-24T21:37:01-05:00] Starting instance action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:35:20.347393563 +0000 UTC" DEBUG [2024-08-24T21:37:01-05:00] Started operation class=task description="Starting instance" operation=dd34990a-865e-4fa8-bace-b90ccc987f08 project=default INFO [2024-08-24T21:37:01-05:00] ID: dd34990a-865e-4fa8-bace-b90ccc987f08, Class: task, Description: Starting instance CreatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Running StatusCode=Running UpdatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" DEBUG [2024-08-24T21:37:01-05:00] Start started instance=square-crayfish instanceType=container project=default stateful=false DEBUG [2024-08-24T21:37:01-05:00] Instance operation lock created action=start instance=square-crayfish project=default reusable=false DEBUG [2024-08-24T21:37:01-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0/operations/dd34990a-865e-4fa8-bace-b90ccc987f08 username=test DEBUG [2024-08-24T21:37:01-05:00] MountInstance started driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:37:01-05:00] MountInstance finished driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:37:01-05:00] Starting device device=eth0 instance=square-crayfish instanceType=container project=default type=nic DEBUG [2024-08-24T21:37:01-05:00] Starting device device=root instance=square-crayfish instanceType=container project=default type=disk DEBUG [2024-08-24T21:37:01-05:00] UpdateInstanceBackupFile started driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:37:01-05:00] UpdateInstanceBackupFile finished driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:37:01-05:00] Skipping unmount as in use driver=dir pool=default refCount=1 volName=square-crayfish DEBUG [2024-08-24T21:37:01-05:00] Handling API request ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstart?project=default" username=root DEBUG [2024-08-24T21:37:02-05:00] Scheduler: container square-crayfish started: re-balancing DEBUG [2024-08-24T21:37:02-05:00] Connected to seccomp socket: pid=2740 DEBUG [2024-08-24T21:37:02-05:00] Event listener server handler stopped listener=1076e0a6-5a43-4ac0-b5a0-d4d627e4497d local=/var/lib/incus/unix.socket remote=@ INFO [2024-08-24T21:37:02-05:00] Started instance action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:35:20.347393563 +0000 UTC" INFO [2024-08-24T21:37:02-05:00] Action: instance-started, Source: /1.0/instances/square-crayfish, Requestor: unix/test (@) DEBUG [2024-08-24T21:37:02-05:00] Instance operation lock finished action=start err="<nil>" instance=square-crayfish project=default reusable=false DEBUG [2024-08-24T21:37:02-05:00] Start finished instance=square-crayfish instanceType=container project=default stateful=false DEBUG [2024-08-24T21:37:02-05:00] Success for operation class=task description="Starting instance" operation=dd34990a-865e-4fa8-bace-b90ccc987f08 project=default INFO [2024-08-24T21:37:02-05:00] ID: dd34990a-865e-4fa8-bace-b90ccc987f08, Class: task, Description: Starting instance CreatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Success StatusCode=Success UpdatedAt="2024-08-24 21:37:01.575465124 -0500 CDT" DEBUG [2024-08-24T21:37:02-05:00] Syscall handler received fds 37(/proc/<pid>), 38(/proc/<pid>/mem), and 40([seccomp notify]) DEBUG [2024-08-24T21:37:02-05:00] Send seccomp notification for id(12030653473909927087) DEBUG [2024-08-24T21:37:02-05:00] Syscall handler received fds 43(/proc/<pid>), 44(/proc/<pid>/mem), and 45([seccomp notify]) DEBUG [2024-08-24T21:37:02-05:00] Send seccomp notification for id(12030653473909927088) DEBUG [2024-08-24T21:37:02-05:00] Syscall handler received fds 37(/proc/<pid>), 38(/proc/<pid>/mem), and 40([seccomp notify]) DEBUG [2024-08-24T21:37:02-05:00] Send seccomp notification for id(12030653473909927089) DEBUG [2024-08-24T21:37:02-05:00] Handling API request ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstopns?netns=%2Fproc%2F2740%2Ffd%2F4&project=default&target=stop" username=root DEBUG [2024-08-24T21:37:02-05:00] Instance operation lock created action=stop instance=square-crayfish project=default reusable=false DEBUG [2024-08-24T21:37:02-05:00] Instance initiated stop action=stop instance=square-crayfish instanceType=container project=default DEBUG [2024-08-24T21:37:02-05:00] Stopping device device=eth0 instance=square-crayfish instanceType=container project=default type=nic DEBUG [2024-08-24T21:37:03-05:00] Handling API request ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstop?project=default&target=stop" username=root DEBUG [2024-08-24T21:37:03-05:00] Instance operation lock inherited for stop action=stop instance=square-crayfish instanceType=container project=default DEBUG [2024-08-24T21:37:03-05:00] Instance stopped, cleaning up instance=square-crayfish instanceType=container project=default DEBUG [2024-08-24T21:37:03-05:00] Stopping device device=root instance=square-crayfish instanceType=container project=default type=disk DEBUG [2024-08-24T21:37:03-05:00] Disconnected from seccomp socket after failed receive: pid=2740, err=EOF DEBUG [2024-08-24T21:37:03-05:00] UnmountInstance started driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:37:03-05:00] UnmountInstance finished driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:37:03-05:00] Instance operation lock finished action=stop err="<nil>" instance=square-crayfish project=default reusable=false INFO [2024-08-24T21:37:03-05:00] Shut down instance action=stop created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:37:02.017136701 +0000 UTC" INFO [2024-08-24T21:37:03-05:00] Action: instance-shutdown, Source: /1.0/instances/square-crayfish DEBUG [2024-08-24T21:37:03-05:00] Scheduler: container square-crayfish stopped: re-balancing ``` Here is the `incus monitor --pretty` log if I didn't add `security.syscalls.intercept.mount: "true"`. ``` test@debian:~$ incus monitor --pretty DEBUG [2024-08-24T21:35:17-05:00] Event listener server handler started id=053cb52a-969e-43ed-b339-81929f1aa9d7 local=/var/lib/incus/unix.socket remote=@ DEBUG [2024-08-24T21:35:19-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0 username=test DEBUG [2024-08-24T21:35:19-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0/instances/square-crayfish username=test DEBUG [2024-08-24T21:35:19-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0/events username=test DEBUG [2024-08-24T21:35:19-05:00] Event listener server handler started id=2ebbb767-cda2-4927-afc3-914402dbc7d4 local=/var/lib/incus/unix.socket remote=@ DEBUG [2024-08-24T21:35:19-05:00] Handling API request ip=@ method=PUT protocol=unix url=/1.0/instances/square-crayfish/state username=test DEBUG [2024-08-24T21:35:19-05:00] New operation class=task description="Starting instance" operation=a1873f7f-03d4-4331-bfbc-b04cee350e93 project=default INFO [2024-08-24T21:35:19-05:00] ID: a1873f7f-03d4-4331-bfbc-b04cee350e93, Class: task, Description: Starting instance CreatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Pending StatusCode=Pending UpdatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" INFO [2024-08-24T21:35:19-05:00] ID: a1873f7f-03d4-4331-bfbc-b04cee350e93, Class: task, Description: Starting instance CreatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Running StatusCode=Running UpdatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" DEBUG [2024-08-24T21:35:19-05:00] Started operation class=task description="Starting instance" operation=a1873f7f-03d4-4331-bfbc-b04cee350e93 project=default DEBUG [2024-08-24T21:35:19-05:00] Start started instance=square-crayfish instanceType=container project=default stateful=false INFO [2024-08-24T21:35:19-05:00] Starting instance action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:34:11.233590415 +0000 UTC" DEBUG [2024-08-24T21:35:19-05:00] Handling API request ip=@ method=GET protocol=unix url=/1.0/operations/a1873f7f-03d4-4331-bfbc-b04cee350e93 username=test DEBUG [2024-08-24T21:35:19-05:00] Instance operation lock created action=start instance=square-crayfish project=default reusable=false DEBUG [2024-08-24T21:35:19-05:00] MountInstance started driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:35:19-05:00] MountInstance finished driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:35:19-05:00] Starting device device=eth0 instance=square-crayfish instanceType=container project=default type=nic DEBUG [2024-08-24T21:35:20-05:00] Starting device device=root instance=square-crayfish instanceType=container project=default type=disk DEBUG [2024-08-24T21:35:20-05:00] UpdateInstanceBackupFile started driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:35:20-05:00] UpdateInstanceBackupFile finished driver=dir instance=square-crayfish pool=default project=default DEBUG [2024-08-24T21:35:20-05:00] Skipping unmount as in use driver=dir pool=default refCount=1 volName=square-crayfish DEBUG [2024-08-24T21:35:20-05:00] Handling API request ip=@ method=GET protocol=unix url="/internal/containers/square-crayfish/onstart?project=default" username=root DEBUG [2024-08-24T21:35:20-05:00] Scheduler: container square-crayfish started: re-balancing INFO [2024-08-24T21:35:20-05:00] ID: a1873f7f-03d4-4331-bfbc-b04cee350e93, Class: task, Description: Starting instance CreatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" Err= Location=none MayCancel=false Metadata="map[]" Resources="map[instances:[/1.0/instances/square-crayfish]]" Status=Success StatusCode=Success UpdatedAt="2024-08-24 21:35:19.934425656 -0500 CDT" INFO [2024-08-24T21:35:20-05:00] Started instance action=start created="2024-08-25 01:53:39.678839496 +0000 UTC" ephemeral=false instance=square-crayfish instanceType=container project=default stateful=false used="2024-08-25 02:34:11.233590415 +0000 UTC" INFO [2024-08-24T21:35:20-05:00] Action: instance-started, Source: /1.0/instances/square-crayfish, Requestor: unix/test (@) DEBUG [2024-08-24T21:35:20-05:00] Instance operation lock finished action=start err="<nil>" instance=square-crayfish project=default reusable=false DEBUG [2024-08-24T21:35:20-05:00] Start finished instance=square-crayfish instanceType=container project=default stateful=false DEBUG [2024-08-24T21:35:20-05:00] Success for operation class=task description="Starting instance" operation=a1873f7f-03d4-4331-bfbc-b04cee350e93 project=default DEBUG [2024-08-24T21:35:20-05:00] Event listener server handler stopped listener=2ebbb767-cda2-4927-afc3-914402dbc7d4 local=/var/lib/incus/unix.socket remote=@ ```

I’m also running on x86_64

So I guess my question is, is it now possible to run Waydroid in an incus container (Debian 12) on x86_64?