Hey guys,
I have an awesome OpenStack Ansible (Ussuri, on top of Ubuntu 20.04.1) deployment that not only my Compute Nodes (Libvirt/QEMU) are LXD containers, but also, the Neutron-*-Agents (Linux Bridges) and even Ceph OSDs!
This week something happened and I don’t know what exactly but, Libvirt started to throw the following error while trying to launch a virtual machine:
Nov 13 16:09:40 coscmpt-3 nova-compute[478]: 2020-11-13 16:09:40.991 478 ERROR nova.virt.libvirt.driver [req-a337a254-b9bc-4d86-ba6f-44e3afe5a21e b602d41580b94810bb41f2d752789b81 280b9117b1a74d389f232aff1b8cee98 - default default] [instance: 2c2dfde7-4750-4cab-961e-ae7c153c3765] Failed to start libvirt guest: libvirt.libvirtError: internal error: child reported (status=125): Unable to set XATTR trusted.libvirt.security.dac on /var/lib/libvirt/qemu/domain-1-instance-00000003: Operation not permitted
To fix this, I had to enable security.privileged: "true", then it works again! Thing is, I’ve always used Libvirt/QEMU (with KVM) inside of LXD containers without any problem!
Any idea about what is happening?
Worth to mention that I also have security.nesting: "true", so the ip netns (i.e., the Neutron Agents) can create the required Linux Namespaces inside of the LXD containers (my Network Nodes are running the same Compute Nodes containers as well similar to an OVN topology with OpenvSwitch).
I also have exposed /dev/kvm as unix-char to the LXD Container (like I always do, otherwise the KVM wouldn’t ever work).
Cheers!
Thiago