LXD socket activation, Error: not authorized

Hi,

  1. Socket activation:

When LXD is set to use socket activation, the first command run returns “not authorized”. All the subsequent commands work fine. Checked on LXD latest/stable and latest/edge (Ubuntu 22.04.2):

> systemctl start snap.lxd.daemon.unix.socket
> lxc list -f compact
Error: not authorized
> lxc list -f compact
          NAME           STATE   IPV4  IPV6    TYPE     SNAPSHOTS
  ros2-humble-10933ed3  STOPPED              CONTAINER  0

  2. Using LXD API

Using socket activation with my LXD API client fails with:

Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied

However, once LXD is triggered and started with an lxc list, the client works normally. Is there any specific permission needed to be able to activate the daemon via the socket?

Unable to reproduce this on a clean Ubuntu 22.04 system.

stgraber@dakara:~$ lxc launch images:ubuntu/22.04/cloud test --vm
Creating test
Starting test
stgraber@dakara:~$ lxc exec test bash
root@test:~# apt install snapd --yes
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  apparmor dbus-user-session liblzo2-2 squashfs-tools
Suggested packages:
  apparmor-profiles-extra apparmor-utils zenity | kdialog
The following NEW packages will be installed:
  apparmor dbus-user-session liblzo2-2 snapd squashfs-tools
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.6 MB of archives.
After this operation, 106 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 apparmor amd64 3.0.4-2ubuntu2.2 [595 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 dbus-user-session amd64 1.12.20-2ubuntu4.1 [9442 B]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 liblzo2-2 amd64 2.10-2build3 [53.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy/main amd64 squashfs-tools amd64 1:4.5-3build1 [159 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 snapd amd64 2.58+22.04 [23.8 MB]
Fetched 24.6 MB in 2s (11.4 MB/s)
Preconfiguring packages ...
Selecting previously unselected package apparmor.
(Reading database ... 21770 files and directories currently installed.)
Preparing to unpack .../apparmor_3.0.4-2ubuntu2.2_amd64.deb ...
Unpacking apparmor (3.0.4-2ubuntu2.2) ...
Selecting previously unselected package dbus-user-session.
Preparing to unpack .../dbus-user-session_1.12.20-2ubuntu4.1_amd64.deb ...
Unpacking dbus-user-session (1.12.20-2ubuntu4.1) ...
Selecting previously unselected package liblzo2-2:amd64.
Preparing to unpack .../liblzo2-2_2.10-2build3_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.10-2build3) ...
Selecting previously unselected package squashfs-tools.
Preparing to unpack .../squashfs-tools_1%3a4.5-3build1_amd64.deb ...
Unpacking squashfs-tools (1:4.5-3build1) ...
Selecting previously unselected package snapd.
Preparing to unpack .../snapd_2.58+22.04_amd64.deb ...
Unpacking snapd (2.58+22.04) ...
Setting up liblzo2-2:amd64 (2.10-2build3) ...
Setting up apparmor (3.0.4-2ubuntu2.2) ...
Created symlink /etc/systemd/system/sysinit.target.wants/apparmor.service → /lib/systemd/system/apparmor.service.
Reloading AppArmor profiles 
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Setting up dbus-user-session (1.12.20-2ubuntu4.1) ...
Setting up squashfs-tools (1:4.5-3build1) ...
Setting up snapd (2.58+22.04) ...
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.aa-prompt-listener.service → /lib/systemd/system/snapd.aa-prompt-listener.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /lib/systemd/system/snapd.apparmor.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.autoimport.service → /lib/systemd/system/snapd.autoimport.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.core-fixup.service → /lib/systemd/system/snapd.core-fixup.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service → /lib/systemd/system/snapd.recovery-chooser-trigger.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.seeded.service → /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/cloud-final.service.wants/snapd.seeded.service → /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service → /lib/systemd/system/snapd.service.
Created symlink /etc/systemd/system/timers.target.wants/snapd.snap-repair.timer → /lib/systemd/system/snapd.snap-repair.timer.
Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket → /lib/systemd/system/snapd.socket.
Created symlink /etc/systemd/system/final.target.wants/snapd.system-shutdown.service → /lib/systemd/system/snapd.system-shutdown.service.
snapd.failure.service is a disabled or a static unit, not starting it.
snapd.mounts-pre.target is a disabled or a static unit, not starting it.
snapd.mounts.target is a disabled or a static unit, not starting it.
snapd.snap-repair.service is a disabled or a static unit, not starting it.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
root@test:~# snap install lxd
2023-04-17T05:12:38Z INFO Waiting for automatic snapd restart...
Warning: /snap/bin was not found in your $PATH. If you've not restarted your session since you
         installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469 for more
         details.

lxd 5.12-c63881f from Canonical✓ installed
root@test:~# 
exit
stgraber@dakara:~$ lxc exec test bash
root@test:~# systemctl status snap.lxd.daemon.unix.socket
● snap.lxd.daemon.unix.socket - Socket unix for snap application lxd.daemon
     Loaded: loaded (/etc/systemd/system/snap.lxd.daemon.unix.socket; enabled; vendor preset: enabled)
     Active: active (listening) since Mon 2023-04-17 05:13:05 UTC; 12s ago
   Triggers: ● snap.lxd.daemon.service
     Listen: /var/snap/lxd/common/lxd/unix.socket (Stream)
     CGroup: /system.slice/snap.lxd.daemon.unix.socket

Apr 17 05:13:05 test systemd[1]: Listening on Socket unix for snap application lxd.daemon.
root@test:~# systemctl status snap.lxd.daemon
○ snap.lxd.daemon.service - Service for snap application lxd.daemon
     Loaded: loaded (/etc/systemd/system/snap.lxd.daemon.service; static)
     Active: inactive (dead)
TriggeredBy: ● snap.lxd.daemon.unix.socket
root@test:~# lxc list -f compact
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:22.04
Or for a virtual machine: lxc launch ubuntu:22.04 --vm

  NAME  STATE  IPV4  IPV6  TYPE  SNAPSHOTS  
root@test:~# systemctl status snap.lxd.daemon
● snap.lxd.daemon.service - Service for snap application lxd.daemon
     Loaded: loaded (/etc/systemd/system/snap.lxd.daemon.service; static)
     Active: active (running) since Mon 2023-04-17 05:13:24 UTC; 7s ago
TriggeredBy: ● snap.lxd.daemon.unix.socket
   Main PID: 2258 (daemon.start)
      Tasks: 0 (limit: 1100)
     Memory: 28.0M
        CPU: 409ms
     CGroup: /system.slice/snap.lxd.daemon.service
             ‣ 2258 /bin/sh /snap/lxd/24643/commands/daemon.start

Apr 17 05:13:24 test lxd.daemon[2411]: - proc_uptime
Apr 17 05:13:24 test lxd.daemon[2411]: - proc_slabinfo
Apr 17 05:13:24 test lxd.daemon[2411]: - shared_pidns
Apr 17 05:13:24 test lxd.daemon[2411]: - cpuview_daemon
Apr 17 05:13:24 test lxd.daemon[2411]: - loadavg_daemon
Apr 17 05:13:24 test lxd.daemon[2411]: - pidfds
Apr 17 05:13:25 test lxd.daemon[2258]: => Starting LXD
Apr 17 05:13:27 test lxd.daemon[2424]: time="2023-04-17T05:13:27Z" level=warning msg=" - Couldn't find the CGroup network priority controller, network priorit>
Apr 17 05:13:29 test lxd.daemon[2258]: => First LXD execution on this system
Apr 17 05:13:29 test lxd.daemon[2258]: => LXD is ready
root@test:~# 

The LXD socket is set to be writable for anyone in the lxd group; this is enforced by the snap.lxd.activate service, which is always started on LXD installation, refreshes and on boot.

Maybe make sure that the various daemons are correctly enabled?
We’ve seen cases where snapd messes that up somehow.

root@test:~# snap services lxd
Service          Startup  Current   Notes
lxd.activate     enabled  inactive  -
lxd.daemon       enabled  active    socket-activated
lxd.user-daemon  enabled  inactive  socket-activated
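
The checks suggested in the reply above, as an added shell example that is not part of the thread or of LXD: it flags any service in `snap services lxd` output whose Startup column is not `enabled`, and verifies that a socket path is owned by the expected group with group read/write. The function names and the sample table are constructed for illustration; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: diagnostics for "permission denied" / "not authorized"
# on a socket-activated LXD. Function names are hypothetical.

# Constructed sample of `snap services lxd` output with lxd.activate disabled.
SAMPLE='Service          Startup   Current   Notes
lxd.activate     disabled  inactive  -
lxd.daemon       enabled   inactive  socket-activated
lxd.user-daemon  enabled   inactive  socket-activated'

# Reads `snap services lxd` output on stdin, prints every service whose
# Startup column is not "enabled", and returns 1 if any was found.
check_services() {
    awk 'NR > 1 && $2 != "enabled" { print $1; bad = 1 } END { exit bad + 0 }'
}

# check_socket PATH GROUP: succeeds only if PATH exists, belongs to GROUP
# and grants the group read and write (connect() needs write access).
check_socket() {
    path=$1 want_group=$2
    [ -e "$path" ] || { echo "missing: $path"; return 2; }
    set -- $(stat -c '%a %G' "$path")   # GNU stat: octal mode, group name
    mode=$1 group=$2
    group_bits=$(( (mode / 10) % 10 ))  # group digit of e.g. 660
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"; return 1
    fi
    if [ $(( group_bits & 6 )) -ne 6 ]; then
        echo "mode $mode: group lacks read/write"; return 1
    fi
    echo "ok: $path is mode $mode, group $group"
}

# user_in_group USER GROUP: succeeds if USER is a member of GROUP.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Demo on the constructed sample. On a real host:
#   snap services lxd | check_services
#   check_socket /var/snap/lxd/common/lxd/unix.socket lxd
#   user_in_group "$USER" lxd
printf '%s\n' "$SAMPLE" | check_services || echo "^ not enabled"
```
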