[HELP Needed]failed to launch the lxd container

chaoran_Li · November 18, 2022, 3:36am

I’m a lxd&lxc newbei, im trying to make a openeuler lxd from docker, my yaml

Then i run:

distrobuilder build-dir openeuler.yaml rootfs
distrobuilder  pack-lxd openeuler.yaml rootfs

build the squashfs.img and import it with:

lxc image import lxd.tar.xz rootfs.squashfs --alias openeuler

But when i start the container meet a fail:

# lxc launch openeuler e1                                                                                                                                                                                          
Creating e1                                                                                                                                                                                                                                                           
Error: Failed creating instance from image: Unpack failed: Failed to run: unsquashfs -f -d /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs -n /var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs: Process exited with non-zero value 1 (FATAL ERROR:write_xattr: failed to write xattr security.ima for file /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs/etc/ima/digest_lists/0-metadata_list-rpm-NetworkManager-1.32.12-12.oe2203.x86_64 because Operation not permitted)

Any helps are appreciated!

chaoran_Li · November 18, 2022, 3:44am

found some info in sys logs:

# journalctl -a |grep a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c                                                                                                                             
Nov 18 10:25:13 ubuntu-develop-for-lichaoran lxd.daemon[1607935]: time="2022-11-18T10:25:13+08:00" level=warning msg="Unpack failed" allowedCmds="[]" err="Failed to run: unsquashfs -f -d /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs -n /var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs: Process exited with non-zero value 1 (FATAL ERROR:write_xattr: failed to write xattr security.ima for file /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs/etc/ima/digest_lists/0-metadata_list-rpm-NetworkManager-1.32.12-12.oe2203.x86_64 because Operation not permitted)" extension=.squashfs file=/var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs path=/var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs  

# dmesg|grep DENIED                                                                                                                                                                                                
[1986894.347436] audit: type=1400 audit(1668685795.677:75): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-oe-rootfs" pid=1608920 comm="unsquashfs" capability=21  capname="sys_admin"           
[1986997.314375] audit: type=1400 audit(1668685898.646:80): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-oe-rootfs" pid=1609623 comm="unsquashfs" capability=21  capname="sys_admin"

Seems a apparmor denied, and when i run this cmd directly, it works well.

tomp · November 18, 2022, 8:44am

@monstermunchkin can distrobuilder package to something other than squashfs, to allow us to rule out a more general problem with the image first?

monstermunchkin · November 18, 2022, 8:53am

Yes, distrobuilder can create a unified tarball using distrobuilder pack-lxd --type=unified ....

@chaoran_Li I’ll look into this.

monstermunchkin · November 18, 2022, 11:03am

@chaoran_Li The issue is that setting the security.ima xattr requires the CAP_SYS_ADMIN capability. LXD doesn’t allow this capability when unpacking the image.

A workaround for this would be to remove the security.ima xattr on files when building the image with distrobuilder.

You can add the following to your openeuler.yaml:

actions:
  - trigger: post-files
    action: |-
      #!/bin/sh
      set -eu
      for f in $(find /etc/ima/ -type f); do
        setfattr -x security.ima "${f}" >/dev/null 2>&1 || true
      done
    types:
      - container

chaoran_Li · November 21, 2022, 3:12am

Thanks for your help!!
Are there any reason to fobiden CAP_SYS_ADMIN capability?
Can it be configured by yaml?

tomp · November 21, 2022, 9:17am

We don’t want to allow unpacker processes (that unpack potentially untrusted images) to have sysadmin or root access in case the images exploit vulnerabilities in the unpacker program.