When LXD is set to use socket activation, the first command run fails with “not authorized”. All subsequent commands work fine. Checked on LXD latest/stable and latest/edge (Ubuntu 22.04.2):
> systemctl start snap.lxd.daemon.unix.socket
> lxc list -f compact
Error: not authorized
> lxc list -f compact
NAME STATE IPV4 IPV6 TYPE SNAPSHOTS
ros2-humble-10933ed3 STOPPED CONTAINER 0
Using LXD API
Using socket activation with my LXD API client fails with:
Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied
However, once LXD is triggered and started with an lxc list, the client works normally. Is there any specific permission needed to be able to activate the daemon via the socket?
Unable to reproduce this on a clean Ubuntu 22.04 system.
stgraber@dakara:~$ lxc launch images:ubuntu/22.04/cloud test --vm
Creating test
Starting test
stgraber@dakara:~$ lxc exec test bash
root@test:~# apt install snapd --yes
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
apparmor dbus-user-session liblzo2-2 squashfs-tools
Suggested packages:
apparmor-profiles-extra apparmor-utils zenity | kdialog
The following NEW packages will be installed:
apparmor dbus-user-session liblzo2-2 snapd squashfs-tools
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 24.6 MB of archives.
After this operation, 106 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 apparmor amd64 3.0.4-2ubuntu2.2 [595 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 dbus-user-session amd64 1.12.20-2ubuntu4.1 [9442 B]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 liblzo2-2 amd64 2.10-2build3 [53.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy/main amd64 squashfs-tools amd64 1:4.5-3build1 [159 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 snapd amd64 2.58+22.04 [23.8 MB]
Fetched 24.6 MB in 2s (11.4 MB/s)
Preconfiguring packages ...
Selecting previously unselected package apparmor.
(Reading database ... 21770 files and directories currently installed.)
Preparing to unpack .../apparmor_3.0.4-2ubuntu2.2_amd64.deb ...
Unpacking apparmor (3.0.4-2ubuntu2.2) ...
Selecting previously unselected package dbus-user-session.
Preparing to unpack .../dbus-user-session_1.12.20-2ubuntu4.1_amd64.deb ...
Unpacking dbus-user-session (1.12.20-2ubuntu4.1) ...
Selecting previously unselected package liblzo2-2:amd64.
Preparing to unpack .../liblzo2-2_2.10-2build3_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.10-2build3) ...
Selecting previously unselected package squashfs-tools.
Preparing to unpack .../squashfs-tools_1%3a4.5-3build1_amd64.deb ...
Unpacking squashfs-tools (1:4.5-3build1) ...
Selecting previously unselected package snapd.
Preparing to unpack .../snapd_2.58+22.04_amd64.deb ...
Unpacking snapd (2.58+22.04) ...
Setting up liblzo2-2:amd64 (2.10-2build3) ...
Setting up apparmor (3.0.4-2ubuntu2.2) ...
Created symlink /etc/systemd/system/sysinit.target.wants/apparmor.service → /lib/systemd/system/apparmor.service.
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Setting up dbus-user-session (1.12.20-2ubuntu4.1) ...
Setting up squashfs-tools (1:4.5-3build1) ...
Setting up snapd (2.58+22.04) ...
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.aa-prompt-listener.service → /lib/systemd/system/snapd.aa-prompt-listener.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.apparmor.service → /lib/systemd/system/snapd.apparmor.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.autoimport.service → /lib/systemd/system/snapd.autoimport.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.core-fixup.service → /lib/systemd/system/snapd.core-fixup.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service → /lib/systemd/system/snapd.recovery-chooser-trigger.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.seeded.service → /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/cloud-final.service.wants/snapd.seeded.service → /lib/systemd/system/snapd.seeded.service.
Created symlink /etc/systemd/system/multi-user.target.wants/snapd.service → /lib/systemd/system/snapd.service.
Created symlink /etc/systemd/system/timers.target.wants/snapd.snap-repair.timer → /lib/systemd/system/snapd.snap-repair.timer.
Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket → /lib/systemd/system/snapd.socket.
Created symlink /etc/systemd/system/final.target.wants/snapd.system-shutdown.service → /lib/systemd/system/snapd.system-shutdown.service.
snapd.failure.service is a disabled or a static unit, not starting it.
snapd.mounts-pre.target is a disabled or a static unit, not starting it.
snapd.mounts.target is a disabled or a static unit, not starting it.
snapd.snap-repair.service is a disabled or a static unit, not starting it.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
root@test:~# snap install lxd
2023-04-17T05:12:38Z INFO Waiting for automatic snapd restart...
Warning: /snap/bin was not found in your $PATH. If you've not restarted your session since you
installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469 for more
details.
lxd 5.12-c63881f from Canonical✓ installed
root@test:~#
exit
stgraber@dakara:~$ lxc exec test bash
root@test:~# systemctl status snap.lxd.daemon.unix.socket
● snap.lxd.daemon.unix.socket - Socket unix for snap application lxd.daemon
Loaded: loaded (/etc/systemd/system/snap.lxd.daemon.unix.socket; enabled; vendor preset: enabled)
Active: active (listening) since Mon 2023-04-17 05:13:05 UTC; 12s ago
Triggers: ● snap.lxd.daemon.service
Listen: /var/snap/lxd/common/lxd/unix.socket (Stream)
CGroup: /system.slice/snap.lxd.daemon.unix.socket
Apr 17 05:13:05 test systemd[1]: Listening on Socket unix for snap application lxd.daemon.
root@test:~# systemctl status snap.lxd.daemon
○ snap.lxd.daemon.service - Service for snap application lxd.daemon
Loaded: loaded (/etc/systemd/system/snap.lxd.daemon.service; static)
Active: inactive (dead)
TriggeredBy: ● snap.lxd.daemon.unix.socket
root@test:~# lxc list -f compact
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:22.04
Or for a virtual machine: lxc launch ubuntu:22.04 --vm
NAME STATE IPV4 IPV6 TYPE SNAPSHOTS
root@test:~# systemctl status snap.lxd.daemon
● snap.lxd.daemon.service - Service for snap application lxd.daemon
Loaded: loaded (/etc/systemd/system/snap.lxd.daemon.service; static)
Active: active (running) since Mon 2023-04-17 05:13:24 UTC; 7s ago
TriggeredBy: ● snap.lxd.daemon.unix.socket
Main PID: 2258 (daemon.start)
Tasks: 0 (limit: 1100)
Memory: 28.0M
CPU: 409ms
CGroup: /system.slice/snap.lxd.daemon.service
‣ 2258 /bin/sh /snap/lxd/24643/commands/daemon.start
Apr 17 05:13:24 test lxd.daemon[2411]: - proc_uptime
Apr 17 05:13:24 test lxd.daemon[2411]: - proc_slabinfo
Apr 17 05:13:24 test lxd.daemon[2411]: - shared_pidns
Apr 17 05:13:24 test lxd.daemon[2411]: - cpuview_daemon
Apr 17 05:13:24 test lxd.daemon[2411]: - loadavg_daemon
Apr 17 05:13:24 test lxd.daemon[2411]: - pidfds
Apr 17 05:13:25 test lxd.daemon[2258]: => Starting LXD
Apr 17 05:13:27 test lxd.daemon[2424]: time="2023-04-17T05:13:27Z" level=warning msg=" - Couldn't find the CGroup network priority controller, network priorit>
Apr 17 05:13:29 test lxd.daemon[2258]: => First LXD execution on this system
Apr 17 05:13:29 test lxd.daemon[2258]: => LXD is ready
root@test:~#
The LXD socket is set to be writable for anyone in the lxd group. This is enforced by the snap.lxd.activate service, which is always started on LXD installation, on refreshes and on boot.
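
A way to check the permission state described in the answer above before the first client call, as an added example that is not part of the thread or of LXD's own code. The socket path and the lxd group come from the thread; the function names are hypothetical and GNU `stat` (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the LXD project): check who may
# connect to the LXD unix socket. Function names are hypothetical.
SOCKET=/var/snap/lxd/common/lxd/unix.socket   # path shown in the thread
GROUP=lxd                                     # group named in the thread

# Succeeds when an octal mode string (660, 1660, ...) has the group write bit.
# connect() on a unix socket needs write permission on the socket file.
group_writable() {
    _m=${1%?}              # drop the "other" digit
    _p=${_m%?}             # everything before the group digit
    _d=${_m#"$_p"}         # the group digit itself
    case "$_d" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_socket SOCKET GROUP USER -> prints a one-word verdict plus details
check_socket() {
    _sock=$1; _grp=$2; _user=$3
    [ -e "$_sock" ] || { echo "missing"; return 2; }
    [ -S "$_sock" ] || { echo "not-a-socket"; return 2; }
    if [ "$(id -u "$_user")" = 0 ]; then
        echo "ok (root bypasses file modes)"; return 0
    fi
    _g=$(stat -c %G "$_sock"); _mode=$(stat -c %a "$_sock")
    if [ "$_g" != "$_grp" ] || ! group_writable "$_mode"; then
        echo "bad-perms group=$_g mode=$_mode"; return 1
    fi
    if ! id -nG "$_user" | tr ' ' '\n' | grep -qx "$_grp"; then
        echo "not-in-group"; return 1
    fi
    echo "ok"
}

# Run against the real socket only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_socket "$SOCKET" "$GROUP" "$(id -un)"
fi
```

Running it as the affected user right after the socket unit starts, and again after the first `lxc list`, shows whether the socket's group or mode differs between the two states.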