[HELP Needed]failed to launch the lxd container

I’m a lxd&lxc newbei, im trying to make a openeuler lxd from docker, my yaml

Then i run:

distrobuilder build-dir openeuler.yaml rootfs
distrobuilder  pack-lxd openeuler.yaml rootfs

build the squashfs.img and import it with:

lxc image import lxd.tar.xz rootfs.squashfs --alias openeuler

But when i start the container meet a fail:

# lxc launch openeuler e1                                                                                                                                                                                          
Creating e1                                                                                                                                                                                                                                                           
Error: Failed creating instance from image: Unpack failed: Failed to run: unsquashfs -f -d /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs -n /var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs: Process exited with non-zero value 1 (FATAL ERROR:write_xattr: failed to write xattr security.ima for file /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs/etc/ima/digest_lists/0-metadata_list-rpm-NetworkManager-1.32.12-12.oe2203.x86_64 because Operation not permitted)          

Any helps are appreciated!

found some info in sys logs:

# journalctl -a |grep a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c                                                                                                                             
Nov 18 10:25:13 ubuntu-develop-for-lichaoran lxd.daemon[1607935]: time="2022-11-18T10:25:13+08:00" level=warning msg="Unpack failed" allowedCmds="[]" err="Failed to run: unsquashfs -f -d /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs -n /var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs: Process exited with non-zero value 1 (FATAL ERROR:write_xattr: failed to write xattr security.ima for file /var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs/etc/ima/digest_lists/0-metadata_list-rpm-NetworkManager-1.32.12-12.oe2203.x86_64 because Operation not permitted)" extension=.squashfs file=/var/snap/lxd/common/lxd/images/a444df2d0df07f05922ef1624f52df170a6fd05f0220678dfbef93090e5ecb5c.rootfs path=/var/snap/lxd/common/lxd/storage-pools/default/containers/e1/rootfs  

# dmesg|grep DENIED                                                                                                                                                                                                
[1986894.347436] audit: type=1400 audit(1668685795.677:75): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-oe-rootfs" pid=1608920 comm="unsquashfs" capability=21  capname="sys_admin"           
[1986997.314375] audit: type=1400 audit(1668685898.646:80): apparmor="DENIED" operation="capable" profile="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-oe-rootfs" pid=1609623 comm="unsquashfs" capability=21  capname="sys_admin"  

Seems a apparmor denied, and when i run this cmd directly, it works well.

@monstermunchkin can distrobuilder package to something other than squashfs, to allow us to rule out a more general problem with the image first?

Yes, distrobuilder can create a unified tarball using distrobuilder pack-lxd --type=unified ....

@chaoran_Li I’ll look into this.

1 Like

@chaoran_Li The issue is that setting the security.ima xattr requires the CAP_SYS_ADMIN capability. LXD doesn’t allow this capability when unpacking the image.

A workaround for this would be to remove the security.ima xattr on files when building the image with distrobuilder.

You can add the following to your openeuler.yaml:

  - trigger: post-files
    action: |-
      set -eu
      for f in $(find /etc/ima/ -type f); do
        setfattr -x security.ima "${f}" >/dev/null 2>&1 || true
      - container
1 Like

Thanks for your help!!
Are there any reason to fobiden CAP_SYS_ADMIN capability?
Can it be configured by yaml?

We don’t want to allow unpacker processes (that unpack potentially untrusted images) to have sysadmin or root access in case the images exploit vulnerabilities in the unpacker program.