Incus network bridge create command error

Hello,

Since the Incus update to version 6.8 (from pkgs.zabbly.com), the following command to create an Incus network bridge gives me an error:

incus network create incusbr0 --type=bridge
Error: The DNS and DHCP service exited prematurely: exit status 1 ("Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default")

Error logs from “journalctl -u incus”:

level=error msg="Failed initializing network" err="Failed starting: The DNS and DHCP service exited prematurely: exit status 1 (\"Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default\")" network=incusbr0 project=default

UID_MIN and/or GID_MIN in /etc/login.defs are correctly configured, with the correct (read) access rights, and the dnsmasq service is working fine.

My system:

Debian GNU/Linux 12 (bookworm)
Linux 6.1.0-29-amd64

Incus 6.8 (1:6.8-debian12-202412192308)

Incus was working fine before the update. I can’t find where the problem is. Can you help me troubleshoot it?

Thanks

On a clean Debian 12 install:

root@d12:~# dpkg -l | grep incus
ii  incus                                1:6.8-debian12-202412192308    amd64        Incus - Container and virtualization daemon
ii  incus-base                           1:6.8-debian12-202412192308    amd64        Incus - Container and virtualization daemon (container-only)
ii  incus-client                         1:6.8-debian12-202412192308    amd64        Incus - Command line client
root@d12:~# incus version
If this is your first time running Incus on this machine, you should also run: incus admin init
To start your first container, try: incus launch images:ubuntu/22.04
Or for a virtual machine: incus launch images:ubuntu/22.04 --vm

Client version: 6.8
Server version: 6.8
root@d12:~# incus network create incusbr0 --type=bridge
Network incusbr0 created
root@d12:~# 

Maybe check your /var/log/syslog for a better error?

Hi @stgraber, thanks for your reply,

After checking the system logs, AppArmor seems to be the problem.

Bookworm audit[12187]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12187 comm="apparmor_parser"
Bookworm kernel: audit: type=1400 audit(1736328423.437:129): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12187 comm="apparmor_parser"
Bookworm audit[12198]: AVC apparmor="DENIED" operation="open" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/etc/login.defs" pid=12198 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Bookworm audit[12198]: AVC apparmor="DENIED" operation="exec" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/usr/sbin/dnsmasq" pid=12198 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Bookworm systemd-networkd[886]: incusbr0: Link DOWN
Bookworm kernel: audit: type=1400 audit(1736328423.441:130): apparmor="DENIED" operation="open" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/etc/login.defs" pid=12198 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Bookworm kernel: audit: type=1400 audit(1736328423.441:131): apparmor="DENIED" operation="exec" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/usr/sbin/dnsmasq" pid=12198 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Bookworm NetworkManager[988]: <info>  [1736328423.5094] device (incusbr0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Bookworm audit[12207]: AVC apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12207 comm="apparmor_parser"
Bookworm kernel: audit: type=1400 audit(1736328423.629:132): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12207 comm="apparmor_parser"

I added an AppArmor profile for Incus (unofficial, self-created):

#include <tunables/global>

# Profile name quoted exactly as it appears in the audit log lines above,
# so the rules apply to the profile dnsmasq actually runs under.
profile "incus_dnsmasq-incusbr0_</var/lib/incus>" flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>

    # Allow execution of dnsmasq (inherit this profile)
    /usr/sbin/dnsmasq rix,

    # Allow reading of login.defs
    /etc/login.defs r,

    # Allow access to sockets and necessary files
    /var/lib/incus/** rw,
    /run/** rw,
    /etc/** r,
    /dev/** rw,
    /sys/** r,
    /proc/** r,

    # Allow reading of libraries and necessary binaries
    /lib/** r,
    /usr/lib/** r,
    /usr/bin/** r,

    # DNS resolution and temporary files
    /etc/resolv.conf r,
    /tmp/** rw,
    /var/tmp/** rw,
}

Unload the previous AppArmor profile to avoid conflicts:

sudo apparmor_parser -R /etc/apparmor.d/incus

Reload the new profile:

sudo apparmor_parser -r /etc/apparmor.d/incus

Check that the profile is active and loaded:

sudo aa-status

But the error is still present.

To test further, I manually unloaded all active AppArmor profiles:

sudo aa-teardown

And I also tested AppArmor in “complain” mode to identify all violations:

sudo aa-complain /etc/apparmor.d/incus

But the error is not fixed.

I think some processes, such as dnsmasq or Incus, may specifically attempt to load AppArmor profiles even when they are disabled.

In Debian 12 Bookworm, the kernel is compiled with AppArmor enabled by default as a security feature. AppArmor is integrated into the kernel.

CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

For security reasons, I don’t want to completely disable AppArmor on my Linux system. Can you help me fix my AppArmor profile for Incus? Or do you have another solution?

Thanks
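Reading the denials out of the raw journal lines is the useful step in the post above, so here is a small helper (an added example, not code from the thread or from Incus) that summarises AppArmor DENIED events by profile, operation, path and denied mask. It is fed constructed sample lines modelled on the ones quoted above; on a real host you would pipe `journalctl -k` or `journalctl --since today` into it instead. Each event shows up twice in the sample, once from the audit socket and once from the kernel ring buffer, which is why the counts come out as 2.

```shell
#!/bin/sh
# Summarise AppArmor DENIED events from journal/syslog text.
# Input: log lines on stdin, e.g.  journalctl -k --since today | apparmor_denials
# Output: <count> <profile> <operation> <name> <denied_mask>, tab separated, sorted.
apparmor_denials() {
    awk '
        # Return the value of  key="..."  on the current line, or "-" if absent.
        # The leading space keeps "name" from matching inside e.g. "hostname".
        function field(key,    re) {
            re = " " key "=\"[^\"]*\""
            if (match($0, re))
                return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            return "-"
        }
        /apparmor="DENIED"/ {
            k = field("profile") "\t" field("operation") "\t" field("name") "\t" field("denied_mask")
            count[k]++
        }
        END {
            for (k in count) print count[k] "\t" k
        }
    ' | sort
}

# Constructed sample, modelled on the lines quoted in the thread (not a real capture).
# Each denial appears twice: once via audit[] and once via the kernel printk copy.
SAMPLE_LOG='Bookworm audit[12187]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_dnsmasq-incusbr0_</var/lib/incus>" pid=12187 comm="apparmor_parser"
Bookworm audit[12198]: AVC apparmor="DENIED" operation="open" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/etc/login.defs" pid=12198 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Bookworm audit[12198]: AVC apparmor="DENIED" operation="exec" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/usr/sbin/dnsmasq" pid=12198 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Bookworm kernel: audit: type=1400 audit(1736328423.441:130): apparmor="DENIED" operation="open" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/etc/login.defs" pid=12198 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Bookworm kernel: audit: type=1400 audit(1736328423.441:131): apparmor="DENIED" operation="exec" profile="incus_dnsmasq-incusbr0_</var/lib/incus>" name="/usr/sbin/dnsmasq" pid=12198 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# Run the constructed sample through the summariser (STATUS lines are ignored).
summarise_sample() {
    printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
}

summarise_sample
```

The summary makes the two distinct denials obvious at a glance (exec of /usr/sbin/dnsmasq and read of /etc/login.defs, both under the Incus-generated dnsmasq profile), which is the information needed to decide whether a profile rule is missing or, as turned out to be the case here, whether the profile itself is being generated from a broken state directory.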

My example above is a clean Debian 12 system with Incus 6.8 running with AppArmor enabled and things work perfectly fine, so there’s something else that’s unusual about your system somehow.

(I develop Incus on a Debian 12 system myself and all my production servers run on Debian 12 with the Incus stable packages)

After several tests between Incus backup files and a fresh install, I found where the problem is. AppArmor was just a consequence; the main cause was a misconfiguration in the /var/lib/incus/ directory.

Now Incus is OK again.