```
# lxc launch openeuler e1
Creating e1
Error: Failed creating instance from image: Unpack failed: Failed to run: unsquashfs -f -d /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs -n /var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs: Process exited with non-zero value 1 (FATAL ERROR:write_xattr: failed to write xattr security.ima for file /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs/etc/ima/digest_lists/0-metadata_list-rpm-NetworkManager-1.32.12-12.oe2203.x86_64 because Operation not permitted)
```
@chaoran_Li The issue is that setting the security.ima xattr requires the CAP_SYS_ADMIN capability. LXD doesn’t allow this capability when unpacking the image.
A workaround for this would be to remove the security.ima xattr on files when building the image with distrobuilder.
You can add the following to your openeuler.yaml:
```yaml
actions:
- trigger: post-files
  action: |-
    #!/bin/sh
    set -eu
    for f in $(find /etc/ima/ -type f); do
      setfattr -x security.ima "${f}" >/dev/null 2>&1 || true
    done
  types:
  - container
```
We don’t want to allow unpacker processes (that unpack potentially untrusted images) to have sysadmin or root access in case the images exploit vulnerabilities in the unpacker program.
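A pre-publish check for the workaround above, as an added example that is not part of the original thread: it parses `getfattr -R -d -m - -e hex` dump output taken over an image rootfs and lists the files that still carry `security.ima`. The sample dump, its paths and values, and the function names are constructed for illustration.

```python
import sys

# Constructed sample of `getfattr -R -d -m - -e hex rootfs` output.
# Paths and hex values are made up; only the dump layout is real.
SAMPLE_DUMP = """\
# file: rootfs/etc/ima/digest_lists/0-metadata_list-rpm-example-1.0
security.ima=0x0302046e6f7061

# file: rootfs/usr/bin/ping
security.capability=0x0100000200200000000000000000000000000000

# file: rootfs/etc/hostname
user.comment=0x74657374

# file: rootfs/etc/ima/digest_lists/0-metadata_list-rpm-other-2.0
security.ima=0x0302046f74686572
user.comment=0x78
"""


def parse_getfattr_dump(text):
    """Return {path: {xattr_name: value}} from getfattr dump output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            # A header line starts the record for one file.
            current = result.setdefault(line[len("# file: "):], {})
        elif line and current is not None:
            # Attribute lines are name=value; split on the first '=' only.
            name, _, value = line.partition("=")
            current[name] = value
    return result


def files_with_xattr(text, xattr="security.ima"):
    """Sorted paths whose record contains the given xattr name."""
    dump = parse_getfattr_dump(text)
    return sorted(path for path, attrs in dump.items() if xattr in attrs)


if __name__ == "__main__":
    # Pass a saved dump file as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    leftover = files_with_xattr(text)
    for path in leftover:
        print("still has security.ima:", path)
    # Non-zero exit lets a build pipeline fail before the image is published.
    sys.exit(1 if leftover else 0)
```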