Creating new containers/vms blocked by apparmor on NixOS

When creating new containers or VMs on a NixOS host you first have to disable apparmor, otherwise you get errors and the creation fails. Is there any better workaround than disabling apparmor every time I want to create something?

incus create images:debian/12 test
Creating test
Error: Failed instance creation: Failed creating instance from image: Unpack failed: Failed to run: tar --anchored --wildcards --exclude=dev/* --exclude=/dev/* --exclude=./dev/* --exclude=rootfs/dev/* --exclude=/rootfs/dev/* --exclude=./rootfs/dev/* --restrict --force-local -C /var/lib/incus/storage-pools/default/images/149e0ff3a1ca46db20336210704104db4c9409f2f33369dea26174d908757c29 --numeric-owner --xattrs-include=* -Jxf -: exit status 127 (tar: error while loading shared libraries: libacl.so.1: cannot open shared object file: No such file or directory)

dmesg -T
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.016:126): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" pid=2582270 comm="apparmor_parser"
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.018:127): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" name="/nix/store/7px4n99mcmdzx8nygx59f28j8g7vj0kb-acl-2.3.2/lib/libacl.so.1.1.2302" pid=2582272 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.057:128): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" pid=2582276 comm="apparmor_parser"

So normally the AppArmor abstractions/base contains what’s needed for dynamic libraries to be loaded. All our profiles include that abstraction so we don’t need to specifically allow every single library.

There must be something odd going on with NixOS which causes that abstraction to not include a correct pattern for where Nix stores its libraries (/nix/storage/*/lib/so or something like that).

I see! Well I created an issue in NixOS/nixpkgs since I assume it’s something they need to fix with their packaging?

Yeah, you may be able to work around it with a /etc/apparmor.d/local/ file, though I’m not sure if that exists and/or works on Nix.

It should be possible to implement a custom file. Do you mind helping me with what I should populate it with?

# allow read (r) and mmap (m) of shared objects under any Nix store path;
# the path is /nix/store (as in the dmesg denial above), not /nix/storage
/nix/store/*/lib/*so* mr,

That should do the trick, allows for reading and mapping of all shared objects.
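As an added example (not code from this thread, from Incus or from NixOS), the script below does the two things a practitioner wants before putting such a rule into a profile: it pulls the denied shared-library paths out of AppArmor audit lines and prints one exact rule per library with the union of the denied modes, and it checks whether a wildcard rule such as `/nix/store/*/lib/*so*` covers every path that was denied. The first sample audit line is the one from the dmesg output above; the other three are constructed to show mask merging and filtering of non-library denials. The glob-to-regex conversion assumes AppArmor's `*` (no `/`) and `**` (crosses `/`) semantics and ignores `?` and `{a,b}` alternation.

```shell
#!/bin/sh
# Added example, not Incus/NixOS code: derive AppArmor rules from audit denials
# and check that a wildcard rule covers every denied /nix/store library.

# Constructed sample input: line 1 is copied from the thread's dmesg output,
# lines 2-4 are hypothetical (an mmap denial on the same library, a second
# library, and a non-library path that must be ignored).
SAMPLE_AUDIT='[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.018:127): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" name="/nix/store/7px4n99mcmdzx8nygx59f28j8g7vj0kb-acl-2.3.2/lib/libacl.so.1.1.2302" pid=2582272 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.019:128): apparmor="DENIED" operation="file_mmap" class="file" profile="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" name="/nix/store/7px4n99mcmdzx8nygx59f28j8g7vj0kb-acl-2.3.2/lib/libacl.so.1.1.2302" pid=2582272 comm="tar" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.020:129): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" name="/nix/store/00000000000000000000000000000000-xz-5.4.6/lib/liblzma.so.5.4.6" pid=2582272 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.021:130): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" name="/etc/shadow" pid=2582272 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print "path mask" for every DENIED line whose path is a shared object
# under /nix/store/<hash-name>/lib/. Reads audit/dmesg lines on stdin.
denied_nix_libs() {
    grep 'apparmor="DENIED"' |
        sed -n 's/.* name="\([^"]*\)" .* denied_mask="\([^"]*\)".*/\1 \2/p' |
        grep -E '^/nix/store/[^/]+/lib/[^ ]*\.so(\.[0-9]+)* '
}

# One exact AppArmor rule per library, with the union of the denied modes
# printed in the conventional order (m = mmap, r = read, ...).
nix_lib_rules() {
    denied_nix_libs | awk -v order="mrwkl" '
        {
            for (i = 1; i <= length($2); i++) {
                ch = substr($2, i, 1)
                if (index(seen[$1], ch) == 0) seen[$1] = seen[$1] ch
            }
        }
        END {
            for (p in seen) {
                mode = ""
                for (i = 1; i <= length(order); i++) {
                    ch = substr(order, i, 1)
                    if (index(seen[p], ch) > 0) mode = mode ch
                }
                print p " " mode ","
            }
        }' | sort
}

# Convert an AppArmor path glob to an anchored extended regex:
# "**" matches across "/", a single "*" does not (AppArmor semantics).
apparmor_glob_to_ere() {
    printf '%s\n' "$1" |
        sed -e 's/[.]/\\./g' -e 's/\*\*/@@/g' -e 's|\*|[^/]*|g' \
            -e 's|@@|.*|g' -e 's/^/^/' -e 's/$/$/'
}

# Exit 0 if the glob in $1 matches every denied library path on stdin;
# otherwise print the uncovered paths and exit 1.
rule_covers_all() {
    ere=$(apparmor_glob_to_ere "$1")
    denied_nix_libs | cut -d' ' -f1 | sort -u | grep -Ev "$ere" && return 1
    return 0
}

# Demo on the constructed sample: exact rules, then the coverage check.
printf '%s\n' "$SAMPLE_AUDIT" | nix_lib_rules
printf '%s\n' "$SAMPLE_AUDIT" | rule_covers_all '/nix/store/*/lib/*so*' &&
    echo '/nix/store/*/lib/*so* mr, covers every denied library'
```

On a real host, feed it `dmesg` or `journalctl -k` output instead of the sample; the exact per-library rules are the least-privilege option if you only need a handful of libraries, while the wildcard rule is what makes every future Nix store path work without editing the profile again. Whether the rule belongs in a local override file or in the abstraction itself depends on how NixOS ships its AppArmor profiles, which this thread leaves open.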

Looking into it I couldn’t find an easy way to implement a custom file. It’s not a huge bug since I very rarely create new containers at this point. Hopefully it will be fixed upstream soon enough. Thanks for your help Stéphane!