How to set up a non-admin Incus user on Fedora 40

For a while now I have been using Incus with full admin rights (user group incus-admin). On a new Fedora 40 system I want to set up a non-admin user. So I added the user to the incus group. The incus server is up and running (did incus admin init).

What else do I need to do? How is the socket unix.socket.user created? I’ve restarted incus but that didn’t help. I’m getting a permission error.

$ id
uid=1001(keesbtest) gid=1001(keesbtest) groups=1001(keesbtest),100(users),966(incus) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ incus ls
If this is your first time running Incus on this machine, you should also run: incus admin init
To start your first container, try: incus launch images:ubuntu/22.04
Or for a virtual machine: incus launch images:ubuntu/22.04 --vm

Error: You don't have the needed permissions to talk to the incus daemon (socket path: /var/lib/incus/unix.socket)

Of course, this user can’t do incus admin init

$ incus admin init
Error: Failed to connect to local daemon: Get "http://unix.socket/1.0": dial unix /var/lib/incus/unix.socket: connect: permission denied
$ incus launch images:ubuntu/22.04 u22
Error: You don't have the needed permissions to talk to the incus daemon (socket path: /var/lib/incus/unix.socket)

On some other system (Ubuntu) I have two non-admin incus users, but I don’t recall I had to do anything special.

That sounds like a packaging issue of some kind?
Can you check if there is a systemd unit named incus-user or something along those lines?

The way the user-specific incus works (incus group) is that it doesn’t grant access to the main /var/lib/incus/unix.socket but grants access to a secondary /var/lib/incus/unix.socket.user socket which the CLI client knows to try to reach on failure to reach the main one.

Accessing that secondary socket then triggers the automatic creation of a per-user project and restricts your user to it.

Ah, there is an incus-user, but (at least on Fedora) it is disabled by default.

Maybe it is something we can add to the documentation somewhere (perhaps Authorization - Incus documentation ??)

I’d consider this to be a bug in the Fedora package. Having the group exist but not have the unit be enabled kinda defeats the purpose… incus-user is meant to be socket activated so it should come at no resource cost to have it enabled.

Packaging recommendations - Incus documentation is the packager documentation and clearly mentions both the group and the incus-user units.

Sorry to keep bothering.

What systemd mechanism makes the incus-user.socket become “enabled” at startup? I mean, without typing systemctl enable incus-user.socket.

On a fresh Ubuntu 24 plus installation of incus, I see that both incus.socket and incus-user.socket are enabled. But on Fedora 40 (with Incus from copr ganto/lxc4), neither of the two is enabled. User ganto doesn’t want to change his packaging [1]. He points me to the upcoming Incus support in Fedora 41. I want to be able to see if that support has the sockets enabled.

BTW. In the meantime I installed incus-6.2-1.fc41.x86_64.rpm and it has the same problem as the copr package.

[1] incus-user.socket is not enabled at startup · Issue #47 · ganto/copr-lxc4 · GitHub

That’s normally handled by packaging scripts. Effectively doing the equivalent of a systemctl enable incus-user.socket at installation time.

systemd service management in Fedora spec files is done via the %systemd_post RPM macro. This macro is defined in systemd (src/rpm/macros.systemd.in:L45).

After the incus RPM is installed on a system, the name incus-user.socket as well as all other incus systemd units are then passed to /usr/lib/systemd/systemd-update-helper install-system-units, which will eventually decide what’s happening. That’s a shell script that will perform a systemctl preset on each unit. Via the systemd.preset mechanism a system administrator or Linux distribution can define if or which systemd units should be enabled or disabled by default. Also see Features/PackagePresets.

On Fedora there is /usr/lib/systemd/system-preset/99-default-disable.preset which contains:

disable *

If you prefer your systemd units (or only incus-user.socket) to be enabled by default then you can create a file /etc/systemd/system-preset/00-incus.preset with content:

enable incus-user.socket

If you do this before you install Incus it should be enabled automagically without anyone needing to touch the RPM.

If you still believe this unit should be enabled by default then you can open a bug report against the incus Fedora package at https://bugzilla.redhat.com/

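The preset lookup described in the last reply, as an added example that is not part of the thread or systemd's own code: it follows the ordering in systemd.preset(5) (files merged by name across directories, first matching line wins) to show why 00-incus.preset beats the `disable *` in 99-default-disable.preset. The function name `preset_decision` and the temporary directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Mimics the lookup described in systemd.preset(5): preset files
# from all directories are merged, ordered by file name, and the first line
# matching the unit wins. Only "enable"/"disable" lines are evaluated here.

# preset_decision UNIT DIR...   (DIRs given highest priority first)
preset_decision() {
    unit=$1; shift
    names=$(for d in "$@"; do
                for f in "$d"/*.preset; do
                    [ -e "$f" ] && basename "$f"
                done
            done | LC_ALL=C sort -u)
    for name in $names; do          # assumes preset file names without spaces
        # A file in an earlier directory masks same-named files in later ones.
        for d in "$@"; do
            [ -e "$d/$name" ] && { file=$d/$name; break; }
        done
        while read -r action pattern rest || [ -n "$action" ]; do
            case $action in enable|disable) ;; *) continue ;; esac
            # Unquoted $pattern is matched as a glob, so "disable *" hits any unit.
            case $unit in
                $pattern) echo "$action"; return 0 ;;
            esac
        done < "$file"
    done
    echo enable                     # systemd's default when nothing matches
}

# Constructed stand-in for the two directories named in the thread.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
etc_dir=$demo_root/etc/systemd/system-preset
lib_dir=$demo_root/usr/lib/systemd/system-preset
mkdir -p "$etc_dir" "$lib_dir"
printf 'disable *\n' > "$lib_dir/99-default-disable.preset"

echo "before: incus-user.socket -> $(preset_decision incus-user.socket "$etc_dir" "$lib_dir")"
printf 'enable incus-user.socket\n' > "$etc_dir/00-incus.preset"
echo "after:  incus-user.socket -> $(preset_decision incus-user.socket "$etc_dir" "$lib_dir")"
echo "after:  incus.socket      -> $(preset_decision incus.socket "$etc_dir" "$lib_dir")"
```

On a real host, pass the actual preset directories (for example /etc/systemd/system-preset and /usr/lib/systemd/system-preset) instead of the temporary ones; `systemctl preset incus-user.socket` then applies the resulting policy to an already installed unit.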