I am unable to run containers with nixos images. The containers get created but there is no way to interact with them.
After seeing the release notes for incus 0.5.1, I suspect it might be related.
I have tried with 0.5.1 as well without success.
$ incus version
Client version: 0.5.1
Server version: 0.5.1
$ incus launch images:nixos/23.11 nixos
Launching nixos
$ incus exec nixos bash
Error: Command not found
$ incus exec nixos sh
sh-5.2# ls
sh: ls: command not found
The current 23.11 container image works fine for me on 0.4. Iâm preparing the 0.5.1 nixos upgrade and Iâll test again once thatâs done.
It looks like the PATH is missing for some reasonâŠ
â⯠incus launch images:nixos/23.11 test
Creating test
Starting test
â⯠incus exec test bash
[root@nixos:~]# echo $PATH
/run/wrappers/bin:/root/.nix-profile/bin:/nix/profile/bin:/root/.local/state/nix/profile/bin:/etc/profiles/per-user/root/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
Yeah, thatâs the issue, itâs the new apparmor âmediationâ of the new VFS API which is breaking NixOS on recent kernels.
Basically AppArmor just straight up rejects every single attempt at performing bind-mounts through the new VFS API because they donât have the logic to actually apply their policy.
The workaround is pertty ugly, basically to avoid this apparmor breakage, you need to disable the use of the new VFS API in your container. This can be done with:
incus stop NAME
printf "2\ndenylist\nreject_force_umount\n[all]\nfsconfig errno 38\nfsopen errno 38\n" | incus config set NAME raw.seccomp -
incus start NAME
That should take care of this out of the box once landed.
It still wonât work for privileged containers, for those I donât know that thereâs a lot we can do other than maybe automatically blocking those system calls.
But as we donât really want folks running privileged containers, automatically handling those can wait