I’m trying to start an unprivileged Archlinux container on a Manjaro host. All of the settings are default or set according to the Arch wiki.
My problem is that no matter what, the Archlinux container does not get an ipv4 address assigned. An Ubuntu container, on the other hand, works out of the box.
`lxc launch images:ubuntu/20.04 hlos-ubuntu` # gets ipv4, internet works out of the box
`lxc launch images:archlinux hlos-arch` # no ipv4 -> no internet
There are A LOT of wrong leads on the internet because there was a bug in systemd for a while, which prevented networking in lxc.
My best guess (after working through dozens of Google results, GitHub issues and countless mailing lists) is that there is something broken in the Archlinux container. journalctl inside the container has some leads, but looking them up led me back to old/fixed issues.
Some lines of interest:
Jun 16 19:44:04 hlos-arch systemd-udevd[50]: Failed to chown '/dev/net/tun' 0 0: Operation not permitted
Jun 16 19:44:04 hlos-arch systemd-udevd[50]: Failed to apply permissions on static device nodes: Operation not permitted
Jun 16 19:44:04 hlos-arch systemd[1]: Started udev Kernel Device Manager.
Jun 16 19:44:04 hlos-arch systemd-udevd[58]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
...
Jun 16 19:44:04 hlos-arch systemd[59]: systemd-networkd.service: Failed to set up mount namespacing: /run/systemd/unit-root/: Permission denied
Jun 16 19:44:04 hlos-arch systemd[59]: systemd-networkd.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-networkd: Permission denied
...
Jun 16 19:44:04 hlos-arch systemd[1]: Starting Network Service...
Jun 16 19:44:04 hlos-arch systemd[61]: systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/: Permission denied
Jun 16 19:44:04 hlos-arch systemd[61]: systemd-logind.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-logind: Permission denied
Could somebody please verify, if the Archlinux container works for them? Any hint is greatly appreciated.
Just tested the Arch image on an Ubuntu host and it works just fine here.
What LXD version is this?
One workaround for such an issue would be to set security.nesting=true on the container, but it’s not something I’ve needed to do here, so I’m still wondering why it’s behaving differently on your system.
Our apparmor policy for the container specifically allows that set of flags and path in the base profile so it’s quite weird…
Can you look for the relevant profile in /var/snap/lxd/common/lxd/security and confirm that you see the ro,remount,noatime,bind mount entries in there?
Yeah, the profile looks correct with the exact thing you tried to do being allowed according to it… This feels like an apparmor-parser or kernel bug in this case.
The security.nesting=true workaround should be fine in this case but you probably should file a bug against apparmor in your distro.
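The two checks suggested in the replies (does the container's AppArmor profile actually allow the `ro,remount,noatime,bind` mount that systemd's service namespacing performs, and is the journal showing services dying at step NAMESPACE), plus the security.nesting workaround, as an added shell example. This is not code from the thread or from LXD; the profile text is a constructed stand-in, the journal lines are copied from the question as sample input, and the profile path under /var/snap/lxd/common/lxd/security/apparmor/profiles/ is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD. It runs offline against
# CONSTRUCTED sample data and checks the two things the replies above ask about:
#   1. does the container's AppArmor profile allow the "ro,remount,noatime,bind"
#      mount that systemd performs for service namespacing (ProtectSystem= etc.)?
#   2. does the container journal show services failing at step NAMESPACE?
# Assumed (not stated on the page): a snap LXD keeps the per-container profile at
#   /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-<container>

set -eu

# Constructed stand-in for a container profile (real profiles are much longer).
SAMPLE_PROFILE='#include <tunables/global>
profile "lxd-hlos-arch_</var/snap/lxd/common/lxd>" flags=(attach_disconnected,mediate_deleted) {
  # read-only bind remounts, as done by systemd ProtectSystem= / ReadOnlyPaths=
  mount options=(ro,remount,noatime,bind),
  mount options=(ro,remount,bind),
  deny mount options=(rw,remount,bind) -> /proc/**,
}'

# Journal lines as pasted in the question, used here as sample input.
SAMPLE_JOURNAL='Jun 16 19:44:04 hlos-arch systemd[59]: systemd-networkd.service: Failed to set up mount namespacing: /run/systemd/unit-root/: Permission denied
Jun 16 19:44:04 hlos-arch systemd[59]: systemd-networkd.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-networkd: Permission denied
Jun 16 19:44:04 hlos-arch systemd[61]: systemd-logind.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-logind: Permission denied'

# profile_has_mount_rule FILE OPTIONS
# exit 0 if FILE contains an *allow* rule "mount options=(OPTIONS)"; deny rules do not count
profile_has_mount_rule() {
    grep -E "^[[:space:]]*mount options=\($2\)" "$1" >/dev/null
}

# journal_namespace_failures FILE -> number of services that died at step NAMESPACE
journal_namespace_failures() {
    grep -c 'Failed at step NAMESPACE' "$1" || true
}

# diagnose PROFILE_FILE JOURNAL_FILE -> prints one word:
#   ok                    nothing failed at step NAMESPACE
#   profile-missing-rule  failures, and the profile does not allow the remount
#   parser-or-kernel      failures although the profile allows it (the case in this thread)
diagnose() {
    if [ "$(journal_namespace_failures "$2")" -eq 0 ]; then
        echo ok
    elif profile_has_mount_rule "$1" 'ro,remount,noatime,bind'; then
        echo parser-or-kernel
    else
        echo profile-missing-rule
    fi
}

# apply_nesting_workaround CONTAINER   (not run automatically; needs lxc on the host)
# security.nesting=true loosens the container's AppArmor confinement, so treat it as
# a workaround for an unprivileged container, not as a default for every container.
apply_nesting_workaround() {
    lxc config set "$1" security.nesting true
    lxc restart "$1"
}

# Write the sample data to files so the functions run as-is.
PROFILE_FILE=$(mktemp)
JOURNAL_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PROFILE" > "$PROFILE_FILE"
printf '%s\n' "$SAMPLE_JOURNAL" > "$JOURNAL_FILE"

echo "namespace failures: $(journal_namespace_failures "$JOURNAL_FILE")"
echo "verdict: $(diagnose "$PROFILE_FILE" "$JOURNAL_FILE")"
```

On a real host, point `diagnose` at the container's profile file and at `lxc exec <name> -- journalctl -b --no-pager` saved to a file; a `parser-or-kernel` verdict is the situation in this thread (rule present, mount still denied), and only then is `apply_nesting_workaround` worth the loosened confinement.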