How to make macvlan accessible to user projects

I have set up two users with the incus group. I then used root to create a macvlan network in incus with enp1s0 as the parent. How can I make that network available to the projects of those two users? I tried editing the projects but it never worked. Or is this not possible due to permissions?

Also, as part of my troubleshooting I tried to incus project delete user-1001 and I tried to recreate the project by running incus as that user again, but the user now appears to be broken, always resulting in Error: Get "http://unix.socket/1.0?project=user-1001": read unix @->/var/lib/incus/unix.socket.user: read: connection reset by peer

I’m running 6.0.2 on debian sid.

You’d want a managed macvlan network in the default project (incus network list should show managed as YES), then you can add the network name to the restricted.networks.access config key on the project.

Thank you for your response!

When I set my macvlannetwork under restricted.networks.access for the user project then I get an error message:

Config parsing error: Conflict detected when changing “restricted.networks.access” in project “user-1003”: Invalid device “eth0” on profile “default” of project “user-1003”: Network not allowed in project

What’s the previous value for that config key and what are you setting it to now?

Here is how I got that error message:

I created a new user with the incus group

useradd testuser002
usermod -aG incus testuser002

I then logged in as testuser002 and ran incus list to initialize the project for testuser002

Then as root again I ran


incus project list 

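+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS | NETWORK ZONES |                   DESCRIPTION                    | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------------+---------+
| default (current) | YES    | YES      | YES             | YES             | YES      | YES           | Default Incus project                            | 18      |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------------+---------+
| user-1004         | YES    | YES      | YES             | YES             | NO       | YES           | User restricted project for "testuser002" (1004) | 1       |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------------+---------+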

and

incus network list

+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+
|      NAME      |   TYPE   | MANAGED |      IPV4       |           IPV6            |                  DESCRIPTION                  | USED BY |  STATE  |
+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+
| enp1s0         | physical | NO      |                 |                           |                                               | 1       |         |
+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+
| incusbr0       | bridge   | YES     | 10.165.167.1/24 | fd42:3a11:68b5:e89c::1/64 |                                               | 0       | CREATED |
+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+
| incusbr-1004   | bridge   | YES     | 10.209.135.1/24 | fd42:cb83:fcce:3d95::1/64 | Network for user restricted project user-1004 | 1       | CREATED |
+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+
| lo             | loopback | NO      |                 |                           |                                               | 0       |         |
+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+
| macvlannetwork | macvlan  | YES     |                 |                           |                                               | 10      | CREATED |
+----------------+----------+---------+-----------------+---------------------------+-----------------------------------------------+---------+---------+

I then ran

 incus project edit user-1004

and changed it to


config:
  features.images: "true"
  features.networks: "false"
  features.networks.zones: "true"
  features.profiles: "true"
  features.storage.buckets: "true"
  features.storage.volumes: "true"
  restricted: "true"
  restricted.containers.nesting: allow
  restricted.devices.disk: allow
  restricted.devices.disk.paths: /home/testuser002
  restricted.devices.gpu: allow
  restricted.idmap.gid: "1004"
  restricted.idmap.uid: "1004"
  restricted.networks.access: incusbr-1004,macvlannetwork
description: User restricted project for "testuser002" (1004)
name: user-1004
used_by:
- /1.0/profiles/default?project=user-1004

Then as the user again I ran the command to create the instance

incus launch --network macvlannetwork images:alpine/edge alp1
Launching alp1
Error: Failed loading network "macvlannetwork": User does not have permission for project "default"

I’m pretty sure that this is something we’ve actually fixed since 6.0.2, the fix will be in 6.0.3.

I think if you create a profile which uses that network and then use --profile at launch time rather than --network, it should work around the API call that’s failing in your case.
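
The conflict error quoted earlier in the thread is raised when a NIC device in one of the project's profiles points at a network that is missing from the new restricted.networks.access value. The following is an added example, not code from the thread or from Incus: a simplified model of that check that can be run against a proposed value before editing the project. The profile data is constructed, and the assumption that the default profile's eth0 uses the per-user bridge is inferred from the network listing above.

```python
# Added example: simplified model of the restricted.networks.access conflict
# check. Not Incus code. Profile data is constructed and mirrors the JSON
# shape returned by the /1.0/profiles API endpoint.

def parse_access_list(value):
    """Split a restricted.networks.access value into a set of network names."""
    return {name.strip() for name in value.split(",") if name.strip()}


def find_conflicts(profiles, proposed_access):
    """Return (profile, device, network) for every NIC the new list rejects."""
    if proposed_access is None:
        # Assumption: an unset key is treated here as "no restriction".
        return []
    allowed = parse_access_list(proposed_access)
    conflicts = []
    for profile in profiles:
        for dev_name, dev in sorted(profile.get("devices", {}).items()):
            if dev.get("type") != "nic":
                continue  # only NIC devices reference a network
            network = dev.get("network")
            if network is not None and network not in allowed:
                conflicts.append((profile["name"], dev_name, network))
    return conflicts


# Constructed sample: default profile of a user project whose eth0 is attached
# to the per-user bridge (incusbr-1004 in the thread's network listing).
SAMPLE_PROFILES = [
    {
        "name": "default",
        "devices": {
            "eth0": {"type": "nic", "name": "eth0", "network": "incusbr-1004"},
            "root": {"type": "disk", "path": "/", "pool": "default"},
        },
    }
]

if __name__ == "__main__":
    # Replacing the list drops the bridge and conflicts; appending does not.
    for proposed in ("macvlannetwork", "incusbr-1004,macvlannetwork"):
        conflicts = find_conflicts(SAMPLE_PROFILES, proposed)
        print(f"{proposed!r}: {conflicts or 'no conflicts'}")
```

A value that keeps the existing bridge and appends the macvlan network, as in the project config shown above, passes this check; a value that lists only the macvlan network does not.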