Lxc config show writing to file doesn't work for remotes?

idef1x · June 9, 2019, 7:44am

Something silly I guess, but when I do a :

lxc config show asterix:monitoring --expanded

I see the output, but when I write it to a file like:

lxc config show asterix:monitoring --expanded > monitoring.yaml

The file monitoring.yaml is empty.
When I do it on the host itself it works fine

I am using snap 3.13 10756 on ubuntu 18.10

stgraber · June 11, 2019, 4:09pm

That’s odd:

stgraber@castiana:~$ lxc config show s-vorash:rproxy01 --expanded > out.yaml
stgraber@castiana:~$ ls -lh out.yaml 
-rw-r--r-- 1 stgraber domain admins 1.3K Jun 11 12:09 out.yaml

stgraber · June 11, 2019, 4:10pm

The writing is handled by the shell so this should work just fine.
Are you seeing any apparmor related rejection in dmesg perhaps?

idef1x · June 12, 2019, 6:45am

Good point about apparmor, especially since I am running it whithin a container. I checked and indeed apparmor denies me to:

[154292.221491] audit: type=1400 audit(1560320728.188:163): apparmor=“DENIED” operation=“file_inherit” namespace=“root//lxd-backupper_” profile=“/snap/core/6964/usr/lib/
snapd/snap-confine” name=“/root/test.yaml” pid=1410 comm=“snap-confine” requested_mask=“w” denied_mask=“w” fsuid=0 ouid=0
[154292.239518] audit: type=1400 audit(1560320728.208:164): apparmor=“DENIED” operation=“file_inherit” namespace=“root//lxd-backupper_” profile=“snap.lxd.lxc” name=“/app
armor/.null” pid=1410 comm=“snap-exec” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0
[154292.303840] audit: type=1400 audit(1560320728.272:165): apparmor=“DENIED” operation=“file_inherit” namespace=“root//lxd-backupper_” profile=“/snap/core/6964/usr/lib/
snapd/snap-confine” name=“/apparmor/.null” pid=1410 comm=“aa-exec” requested_mask=“wr” denied_mask=“wr” fsuid=0 ouid=0

Running it on the host instead of in a container works fine indeed. Still weird though since indeed it should be handled by the shell and I can create/edit it normally. Only lxc output doesn’t seem to be allowed to write:

root@backupper:~# lxc list asterix: > again.test
root@backupper:~# cat again.test
root@backupper:~# ls -lh again.test
-rw-r–r-- 1 root root 0 Jun 12 08:32 again.test

root@backupper:~# echo “hello world!” > again.test
root@backupper:~# cat again.test
hello world!

(yeah I run it under root, since I also rsync host configuration files as backup while keeping ownership and permissions in the process)

Anyway this works within the container :

lxc config show asterix:monitoring --expanded | cat > test.yaml
ls -lh test.yaml
-rw-r–r-- 1 root root 2.9K Jun 12 08:42 test.yaml

NB: It’s a privileged container