LXC command on CentOS 8 as non root user - Permission denied error

I successfully installed and initialized LXD on CentOS 8.
But I am not able to run lxc commands as a non-root user. Seems to be a permission issue. Thoughts?

    $ lxc list
    If this is your first time running LXD on this machine, you should also run: lxd init
    To start your first container, try: lxc launch ubuntu:18.04

    Error: Get http://unix.socket/1.0: dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied
    $

Have you had a look at

https://linuxcontainers.org/lxd/getting-started-cli/

and more specifically at the ‘Access control’ part about the lxd group?

@gpatel-fr
Yes. I was able to figure that out. But it seems like every time I open a new terminal, I have to run the commands again.

I am running LXD 3.18 (Snap) on CentOS 8.

When you open a new terminal and run ‘groups’, you don’t see the lxd group? If it’s not listed, try to disconnect / reconnect.

@gpatel-fr I do see lxd in the groups. I re-installed LXD a few times. A restart helped. Now I can run lxc on any terminal.

But, when I restarted system again, I lost the storage ‘default’.

Not sure if any of the CentOS security polic(*y/ies) may cause some LXD issues. Previously I had to add snap bin to secure path.

I was able to run LXD well on CentOS 7.x on a Virtual Box. Not sure what I may be doing wrong here on CentOS 8.

Also looping in @stgraber. I used his article for LXD on CentOS 7 and followed the same for CentOS 8.

Thank you!

Just now, I removed LXD (purged), restarted system and installed LXD again. This time v3.19 (up from v3.18). I also added /snap soft link, that I missed earlier.

Now when I create container, IPV4 address isn’t assigned. I think I have encountered that issue in the past. hmmm

The lxc client needs access to the LXD Unix socket.
Run the following. Here, the group is lxd, and has rw- access to the socket.

$ ls -l /var/snap/lxd/common/lxd/unix.socket
srw-rw---- 1 root lxd 0 Jan  23 20:24 /var/snap/lxd/common/lxd/unix.socket

Therefore, if you get Permission denied again, please post the output of both groups and ls -l /var/snap/lxd/common/lxd/unix.socket.

Regarding the removal and reinstallation of LXD as a snap package: if you use a loop file for the storage of the containers, then I think the removal of the snap package would remove the loop file as well. But if you use a dedicated partition or disk, then these are not removed.
There is no purging with snap packages.

Regarding the IPv4 IP addresses, I can guess that the port 53 was not freed when you initially removed the snap package, so when you installed again, dnsmasq from LXD could not start. At this point, this is a theory. If you are OK to reinstall, can you please reboot before installing LXD again?
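
The check described above, as an added example that is not part of the original posts: it compares the socket's group permission bits with the groups of the running shell (`id -Gn`) and the groups recorded for the user (`id -Gn <user>`), which separates a missing lxd membership from a login session that predates it. The function names `has_word` and `diagnose` and the sample user `alice` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: classify why a user can or cannot open the LXD Unix socket.
# Inputs are passed as strings so the logic can be checked offline.

# has_word LIST WORD -> success if WORD is one of the space-separated LIST items
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# diagnose MODE SOCK_GROUP SESSION_GROUPS DB_GROUPS
#   MODE            symbolic mode as printed by ls -l / stat -c %A (e.g. srw-rw----)
#   SOCK_GROUP      group owner of the socket (lxd in the thread)
#   SESSION_GROUPS  output of `id -Gn` (groups held by the running shell)
#   DB_GROUPS       output of `id -Gn <user>` (groups recorded in the group database)
diagnose() {
    mode=$1 sock_group=$2 session=$3 db=$4
    # Characters 5-6 of the mode string are the group read and write bits.
    group_rw=$(printf '%s' "$mode" | cut -c5-6)
    if [ "$group_rw" != "rw" ]; then
        echo "socket-not-group-rw"      # group cannot use the socket at all
    elif has_word "$session" "$sock_group"; then
        echo "ok"                       # this shell already holds the group
    elif has_word "$db" "$sock_group"; then
        echo "relogin-needed"           # user was added, session is older
    else
        echo "not-in-group"             # user was never added to the group
    fi
}

SOCK=${SOCK:-/var/snap/lxd/common/lxd/unix.socket}   # path from the thread
if [ -S "$SOCK" ]; then
    diagnose "$(stat -c %A "$SOCK")" "$(stat -c %G "$SOCK")" \
             "$(id -Gn)" "$(id -Gn "$(id -un)")"
else
    # Constructed sample values, matching the ls -l output quoted above.
    diagnose "srw-rw----" "lxd" "alice wheel" "alice wheel lxd"
fi
```
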

@simos I just removed lxd, rebooted and reinstalled LXD. Following are the steps I performed on the CentOS 8 host:

$ sudo snap remove lxd --purge
$ sudo reboot now

POST REBOOT

$ sudo netstat -tulpn | grep :53
[sudo] password for xxxxx:
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 5656/systemd-resolv
tcp 0 0 192.xxx.xxx.1:53 0.0.0.0:* LISTEN 5117/dnsmasq
tcp6 0 0 :::5355 :::* LISTEN 5656/systemd-resolv
udp 0 0 127.0.0.53:53 0.0.0.0:* 5656/systemd-resolv
udp 0 0 192.xxx.xxx.1:53 0.0.0.0:* 5117/dnsmasq
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6988/chrome --type=
udp 0 0 224.0.0.251:5353 0.0.0.0:* 6811/chrome
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4258/avahi-daemon:
udp 0 0 0.0.0.0:5355 0.0.0.0:* 5656/systemd-resolv
udp6 0 0 :::5353 :::* 4258/avahi-daemon:
udp6 0 0 :::5355 :::* 5656/systemd-resolv

$ sudo snap install lxd
lxd 3.19 from Canonical✓ installed

$ sudo cat lxd-init.txt | lxd init --preseed

$ lxc profile list
To start your first instance, try: lxc launch ubuntu:18.04

+---------+---------+
|  NAME   | USED BY |
+---------+---------+
| default | 0       |
+---------+---------+

$ lxc storage list
+---------+-------------+--------+--------------------------------------------+---------+
|  NAME   | DESCRIPTION | DRIVER |                   SOURCE                   | USED BY |
+---------+-------------+--------+--------------------------------------------+---------+
| default |             | lvm    | /var/snap/lxd/common/lxd/disks/default.img | 1       |
+---------+-------------+--------+--------------------------------------------+---------+

$ lxc network list
+---------+----------+---------+-------------+---------+
|  NAME   |   TYPE   | MANAGED | DESCRIPTION | USED BY |
+---------+----------+---------+-------------+---------+
| enp37s0 | physical | NO      |             | 0       |
+---------+----------+---------+-------------+---------+
| lxdbr0  | bridge   | YES     |             | 0       |
+---------+----------+---------+-------------+---------+
| virbr0  | bridge   | NO      |             | 0       |
+---------+----------+---------+-------------+---------+

$ ps ax | grep dnsmasq
5117 ? S 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
5119 ? S 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
9086 ? S 0:00 dnsmasq --strict-order --bind-interfaces --pid-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.pid --except-interface=lo --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.122.251.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.122.251.2,10.122.251.254,1h -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd
9370 pts/0 S+ 0:00 grep --color=auto dnsmasq

$ lxc network show lxdbr0
config:
  ipv4.address: 10.122.251.1/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: lxdbr0
type: bridge
used_by:
managed: true
status: Created
locations:
- none

$ lxc launch ubuntu:bionic/amd64
Creating the instance
Instance name is: square-narwhal
Starting square-narwhal

$ lxc list
+----------------+---------+------+------+-----------+-----------+
|      NAME      |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+----------------+---------+------+------+-----------+-----------+
| square-narwhal | RUNNING |      |      | CONTAINER | 0         |
+----------------+---------+------+------+-----------+-----------+

$ lxc network list
+---------+----------+---------+-------------+---------+
|  NAME   |   TYPE   | MANAGED | DESCRIPTION | USED BY |
+---------+----------+---------+-------------+---------+
| enp37s0 | physical | NO      |             | 0       |
+---------+----------+---------+-------------+---------+
| lxdbr0  | bridge   | YES     |             | 1       |
+---------+----------+---------+-------------+---------+
| virbr0  | bridge   | NO      |             | 0       |
+---------+----------+---------+-------------+---------+
$
$ lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by:
- /1.0/instances/square-narwhal

Finally, I figured out the reason behind this issue -----> Firewall
This issue is now resolved.

Hi, can you show what you did to the firewall to fix the issue? @hsbawa