LXD Windows VM creation process steps broken in SNAP LXD 4.6

bmullan · October 1, 2020, 9:23pm

I’m using Ubuntu 20.04.1
SNAP LXD v4.6
500GB BTRFS file system for LXD storage/use.

I had previously 2 Windows LXD VM’s that had installed fine and worked well using the steps Stephane outlined here:

However, since then my SNAP LXD was updated to LXD v4.6 my 2 previous WIndows LXD VMs
both fail when trying to “lxc start” them.

So I tried to create a NEW WIndows 10 LXD VM using the above URL’s steps using a script:

#!/bin/bash
# Create an empty VM with beefier CPU/RAM and SecureBoot disabled:

# vmname=‘win10’
lxc init win10 --empty --vm -c security.secureboot=false -c limits.cpu=4 -c limits.memory=8GB

# Grow its root disk to a reasonable size:
lxc config device override win10 root size=40GB

# Enable temporary install and drivers media:
echo -n ‘-drive file=/home/bmullan/win/win10.iso,index=0,media=cdrom,if=ide -drive file=/home/bmullan/win/virtiowin.iso,index=1,media=cdrom,if=ide’ | lxc config set win10 raw.qemu -

Then when I execute LXC START i get a failure:

$ lxc start win10 - -console
error: Failed to run: forklimits limit=memlock:unlimited:unlimited – /snap/lxd/17320/bin/qemu-system-x86_64 -S -name win10 -uuid 2be66138-1997-456b-b74a-ec36bb938a3b -daemonize -cpu host -nographic -serial chardev:console -nodefaults -no-reboot -no-user-config -sandbox on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny -readconfig /var/snap/lxd/common/lxd/logs/win10/qemu.conf -pidfile /var/snap/lxd/common/lxd/logs/win10/qemu.pid -D /var/snap/lxd/common/lxd/logs/win10/qemu.log -chroot /var/snap/lxd/common/lxd/virtual-machines/win10 -smbios type=2,manufacturer=Canonical Ltd.,product=LXD -runas lxd -drive file=/home/bmullan/win/win10.iso,index=0,media=cdrom,if=ide -drive file=/home/bmullan/win/virtiowin.iso,index=1,media=cdrom,if=ide: char device redirected to /dev/pts/0 (label console)
: Process exited with a non-zero value
Try lxc info --show-log win10 for more info

I was able to Launch & Start an Ubuntu 20.04 LXD VM OK.

I could be wrong but I believe this may have something to do with the Windows 10 VM and it having two Drives.

$ lxc info --show-log win10
Name: win10
Location: none
Remote: unix://
Architecture: x86_64
Created: 2020/10/01 21:05 UTC
Status: Stopped
Type: virtual-machine
Profiles: default

Log:

qemu-system-x86_64: -drive file=/home/bmullan/win/win10.iso,index=0,media=cdrom,if=ide: Failed to lock byte 100

simos · October 1, 2020, 9:28pm

I got that as well. Apparently it’s an AppArmor issue and there should be a DENIED error in dmesg when trying to read the ISO image.

bmullan · October 1, 2020, 9:51pm

There was:

$ dmesg
.
.
[ 139.993138] audit: type=1400 audit(1601586336.547:73): apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“lxd-win10_</var/snap/lxd/common/lxd>” pid=5106 comm=“apparmor_parser”
[ 140.260018] audit: type=1400 audit(1601586336.815:74): apparmor=“DENIED” operation=“file_lock” profile=“lxd-win10_</var/snap/lxd/common/lxd>” name="/home/bmullan/win/win10.iso" pid=5135 comm=“qemu-system-x86” requested_mask=“k” denied_mask=“k” fsuid=0 ouid=1000

stgraber · October 1, 2020, 10:46pm

Ah yeah, our apparmor profile is (correctly) blocking this.
You can fix it with:

lxc config set NAME raw.apparmor “/home/** rwk,”

bmullan · October 1, 2020, 11:11pm

@stgraber

I’m not sure I understood that command:

stgraber · October 1, 2020, 11:18pm

Fixed it.

Effectively it tells apparmor to allow all read, writes and file locks under /home.

bmullan · October 1, 2020, 11:31pm

@stgraber

lxc config set NAME raw.apparmor “/home/** rwk,”

Is “NAME” the container name?

If i execute the following it comes back to a prompt that looks like there was more expected:
assuming container name “win10”…

$ lxc config set win10 raw.apparmor “/home/** rwk,”
>

But if I just edit the container’s config:

$ lxc config edit win10

and add the following the raw.apparmor command directly in to the Config section, then it works:

raw.apparmor “/home/** rwk,”