Incus-user and permission to share folders

juippis · February 3, 2024, 5:47pm

Hey,

I’d like to share a common “distfile” directory to a container. The particular folder is owned by my user, and has 0777 permissions to test, but still incus can’t add it with:

devices:
  distfiles:
    path: /var/cache/distfiles/
    source: /var/cache/distfiles/
    type: disk

I get:

Config parsing error: Failed checking if instance update allowed: Invalid device “distfiles” on container “my-gentoo-gh-test-container” of project “user-1000”: Disk source path “/var/cache/distfiles/” not allowed

I’m pretty sure this is somehow an incus-user issue. As the user I can write to /var/cache/distfiles/ on host just fine. Could Incus need more permission folders from parent directories?

I can add directories under my ~ just fine.

juippis · February 3, 2024, 6:08pm

As the user, I’m also getting:

Error: Certificate is restricted

When trying to create or view incus storage info. Might be related.

simos · February 3, 2024, 8:24pm

It looks like you get here, with allow:

github.com

lxc/incus/blob/main/internal/server/project/permissions.go#L625


      
          				}
          
          				switch restrictionValue {
          				case "block":
          					return fmt.Errorf("Disk devices are forbidden")
          				case "managed":
          					if device["pool"] == "" {
          						return fmt.Errorf("Attaching disks not backed by a pool is forbidden")
          					}
          
          				case "allow":
          					var allowed bool
          					allowed, _ = CheckRestrictedDevicesDiskPaths(project.Config, device["source"])
          					if !allowed {
          						return fmt.Errorf("Disk source path %q not allowed", device["source"])
          					}
          				}
          
          				return nil
          			}

but then, CheckRestrictedDevicesDiskPaths() says no.

github.com

lxc/incus/blob/main/internal/server/project/permissions.go#L766


      
          	}
          
          	return nil
          }
          
          // CheckRestrictedDevicesDiskPaths checks whether the disk's source path is within the allowed paths specified in
          // the project's restricted.devices.disk.paths config setting.
          // If no allowed paths are specified in project, then it allows all paths, and returns true and empty string.
          // If allowed paths are specified, and one matches, returns true and the matching allowed parent source path.
          // Otherwise if sourcePath not allowed returns false and empty string.
          func CheckRestrictedDevicesDiskPaths(projectConfig map[string]string, sourcePath string) (bool, string) {
          	if projectConfig["restricted.devices.disk.paths"] == "" {
          		return true, ""
          	}
          
          	// Clean, then add trailing slash, to ensure we are prefix matching on whole path.
          	sourcePath = fmt.Sprintf("%s/", filepath.Clean(sourcePath))
          	for _, parentSourcePath := range strings.SplitN(projectConfig["restricted.devices.disk.paths"], ",", -1) {
          		// Clean, then add trailing slash, to ensure we are prefix matching on whole path.
          		parentSourcePathTrailing := fmt.Sprintf("%s/", filepath.Clean(parentSourcePath))
          		if strings.HasPrefix(sourcePath, parentSourcePathTrailing) {

What’s the output of the following (assuming the default project is default).

incus project get default restricted.devices.disk.paths

juippis · February 3, 2024, 8:40pm

Niice find, indeed I had only my home directory in that restricted.devices.disk.paths listing. It’s a comma-separated list, so now with /home/me,/var/cache/distfiles,more,andmore I get access elsewhere

My user is in user-1000 project.

Thanks!