Not able to create containers after upgrade to lxd 5.5

Midhun_Vijayan · August 29, 2022, 10:23am

Hello,

I am running lxd on debian 11.4. After upgrading from lxd 5.0.0 to 5.5,I couldn’t create any containers anymore . Getting the below error.

note: I am not using the lxd snap version, using lxd version which compiled manually from source

root@cpu-6286:~# lxc launch images:debian/buster test
Creating test
Error: Failed instance creation: Failed creating instance from image: Unpack failed: Failed to run: tar --restrict --force-local -C /var/lib/lxd/storage-pools/default/images/023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9 --numeric-owner --xattrs-include=* -Jxf -: Process exited with non-zero value 2 (tar (grandchild): xz: Cannot exec: Permission denied
tar (grandchild): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now)

here is the details from kern.log

root@cpu-6286:~# tail /var/log/kern.log
Aug 27 09:06:10 cpu-6286 kernel: [2246807.671707] audit: type=1400 audit(1661583970.808:56312): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-bb75e1557060d5153898de297ba1f1d11cb5d49cca1fc71987eb8215115e266a" name="/usr/bin/xz" pid=465007 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 09:06:10 cpu-6286 kernel: [2246807.674908] audit: type=1400 audit(1661583970.808:56313): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-bb75e1557060d5153898de297ba1f1d11cb5d49cca1fc71987eb8215115e266a" name="/usr/bin/xz" pid=465007 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 09:06:10 cpu-6286 kernel: [2246807.742857] audit: type=1400 audit(1661583970.892:56314): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-lib-lxd-storage-pools-default-images-bb75e1557060d5153898de297ba1f1d11cb5d49cca1fc71987eb8215115e266a" pid=465013 comm="apparmor_parser"
Aug 27 12:58:10 cpu-6286 kernel: [2260727.006851] audit: type=1400 audit(1661597890.255:56315): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" pid=2737508 comm="apparmor_parser"
Aug 27 12:58:10 cpu-6286 kernel: [2260727.018528] audit: type=1400 audit(1661597890.259:56316): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" name="/usr/bin/xz" pid=2737541 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 12:58:10 cpu-6286 kernel: [2260727.021625] audit: type=1400 audit(1661597890.259:56317): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" name="/usr/bin/xz" pid=2737541 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 12:58:10 cpu-6286 kernel: [2260727.024746] audit: type=1400 audit(1661597890.259:56318): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" name="/usr/bin/xz" pid=2737541 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 12:58:10 cpu-6286 kernel: [2260727.037083] audit: type=1400 audit(1661597890.259:56319): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" name="/usr/bin/xz" pid=2737541 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 12:58:10 cpu-6286 kernel: [2260727.040018] audit: type=1400 audit(1661597890.259:56320): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" name="/usr/bin/xz" pid=2737541 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 27 12:58:10 cpu-6286 kernel: [2260727.063616] audit: type=1400 audit(1661597890.315:56321): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-lib-lxd-storage-pools-default-images-023e5952681e699612e4d5b0807e0dbdc3236168d3ce95ed0c4616badee623d9" pid=2737543 comm="apparmor_parser"

any help on this?

Thanks in advance

stgraber · August 29, 2022, 2:15pm

github.com/lxc/lxd

image unpack fails when `gzip` is a symlink

opened 06:07AM - 02 Aug 22 UTC

M1cha

Bug Easy

# Required information * Distribution: Alpine * Distribution version: edge… * The output of "lxc info": ```yaml config: {} api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - macaroon_authentication - network_sriov - console - restrict_devlxd - migration_pre_copy - infiniband - maas_network - devlxd_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - devlxd_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - candid_authentication - backup_compression - candid_config - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - candid_config_key - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - snapshot_schedule_aliases - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - rbac - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency - custom_block_volumes - clustering_failure_domains - resources_gpu_mdev - console_vga_type - projects_limits_disk - network_type_macvlan - network_type_sriov - container_syscall_intercept_bpf_devices - network_type_ovn - projects_networks - projects_networks_restricted_uplinks - custom_volume_backup - backup_override_name - storage_rsync_compression - network_type_physical - network_ovn_external_subnets - network_ovn_nat - network_ovn_external_routes_remove - tpm_device_type - storage_zfs_clone_copy_rebase - gpu_mdev - resources_pci_iommu - resources_network_usb - resources_disk_address - network_physical_ovn_ingress_mode - network_ovn_dhcp - network_physical_routes_anycast - projects_limits_instances - network_state_vlan - instance_nic_bridged_port_isolation - instance_bulk_state_change - network_gvrp - instance_pool_move - gpu_sriov - pci_device_type - storage_volume_state - network_acl - migration_stateful - disk_state_quota - storage_ceph_features - projects_compression - projects_images_remote_cache_expiry - certificate_project - network_ovn_acl - projects_images_auto_update - projects_restricted_cluster_target - images_default_architecture - network_ovn_acl_defaults - gpu_mig - project_usage - network_bridge_acl - warnings - projects_restricted_backups_and_snapshots - clustering_join_token - clustering_description - server_trusted_proxy - clustering_update_cert - storage_api_project - server_instance_driver_operational - server_supported_storage_drivers - event_lifecycle_requestor_address - resources_gpu_usb - clustering_evacuation - network_ovn_nat_address - network_bgp - network_forward - custom_volume_refresh - network_counters_errors_dropped - metrics - image_source_project - clustering_config - network_peer - linux_sysctl - network_dns - ovn_nic_acceleration - certificate_self_renewal - instance_project_move - storage_volume_project_move - cloud_init - network_dns_nat - database_leader - instance_all_projects - clustering_groups - ceph_rbd_du - instance_get_full - qemu_metrics - gpu_mig_uuid - event_project - clustering_evacuation_live - instance_allow_inconsistent_copy - network_state_ovn - storage_volume_api_filtering - image_restrictions - storage_zfs_export - network_dns_records - storage_zfs_reserve_space - network_acl_log - storage_zfs_blocksize - metrics_cpu_seconds - instance_snapshot_never - certificate_token - instance_nic_routed_neighbor_probe - event_hub - agent_nic_config - projects_restricted_intercept - metrics_authentication - images_target_project - cluster_migration_inconsistent_copy - cluster_ovn_chassis - container_syscall_intercept_sched_setscheduler - storage_lvm_thinpool_metadata_size - storage_volume_state_total - instance_file_head - instances_nic_host_name - image_copy_profile - container_syscall_intercept_sysinfo - clustering_evacuation_mode - resources_pci_vpd api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls environment: addresses: [] architectures: - aarch64 - armv7l certificate: REDACTED certificate_fingerprint: REDACTED driver: lxc | qemu driver_version: 4.0.12 | 7.0.0 firewall: nftables kernel: Linux kernel_architecture: aarch64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 5.15.57-0-lts lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Alpine Linux os_version: 3.17_alpha20220715 project: default server: lxd server_clustered: false server_event_mode: full-mesh server_name: router server_pid: 3203 server_version: "5.2" storage: btrfs | zfs storage_version: 5.18.1 | 2.1.5-1 storage_supported_drivers: - name: btrfs version: 5.18.1 remote: false - name: dir version: "1" remote: false - name: zfs version: 2.1.5-1 remote: false ``` # Issue description On Alpine, `gzip` is a symlink: ```bash # ls -lah /bin/gzip lrwxrwxrwx 1 root root 12 Aug 1 19:45 /bin/gzip -> /bin/busybox ``` LXD doesn't resolve that path to add it to the apparmor profile so `lxc launch` fails with: ``` Error: Failed instance creation: Failed creating instance from image: Unpack failed: Process exited with non-zero value 2 ``` lxd.log: ``` level=warning msg="Unpack failed" allowedCmds="[gzip]" err="Process exited with non-zero value 2" extension=.tar.gz file=/var/lib/lxd/images/68d9d65b9225e2dce3c30fef34f7e1671f61e1c87d6649cb19b9900877c19017 path=/var/lib/lxd/storage-pools/default/images/68d9d65b9225e2dce3c30fef34f7e1671f61e1c87d6649cb19b9900877c19017 ``` dmesg: ``` [ 4212.393157] audit: type=1400 audit(1659419741.945:19): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_archive-var-lib-lxd-storage-pools-default-images-68d9d65b9225e2dce3c30fef34f7e1671f61e1c87d6649cb19b9900877c19017" pid=23838 comm="apparmor_parser" [ 4212.406122] audit: type=1400 audit(1659419741.958:20): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-68d9d65b9225e2dce3c30fef34f7e1671f61e1c87d6649cb19b9900877c19017" name="/bin/busybox" pid=23841 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 [ 4212.406524] audit: type=1400 audit(1659419741.958:21): apparmor="DENIED" operation="exec" profile="lxd_archive-var-lib-lxd-storage-pools-default-images-68d9d65b9225e2dce3c30fef34f7e1671f61e1c87d6649cb19b9900877c19017" name="/bin/busybox" pid=23841 comm="tar" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 [ 4213.314076] audit: type=1400 audit(1659419742.868:22): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-lib-lxd-storage-pools-default-images-68d9d65b9225e2dce3c30fef34f7e1671f61e1c87d6649cb19b9900877c19017" pid=23843 comm="apparmor_parser" ``` # Steps to reproduce I don't expect you you reproduce my alpine setup, so here's untested steps that should reproduce this issue: 1. Setup LXD on a system with apparmor enabled 2. Install busybox and replace `gzip` with a symlink to that 3. `lxc launch` an image in `.tar.gz` format If you can't find an image in `.tar.gz` format you might get the same result by turning `unsquashfs` into a symlink to another binary. # Possible solution similar to https://github.com/stgraber/lxd/commit/4942a108f6f4822a91bc8ffe1e5ae07677b6c6c8 we might need to resolve the binary path when adding it do the apparmor profile. For security it's important to verify `argv[0]` though so you can't just run any busybox command. I hope that apparmor allows you to do that.

stgraber · August 29, 2022, 2:16pm

m1cha · August 29, 2022, 3:23pm

What I find more interesting is that this only happened after the update. Shouldn’t it always have been an issue?

stgraber · August 29, 2022, 3:49pm

My guess is that LXD 5.0.0 pre-dates the apparmor profile for the unpacker.

Midhun_Vijayan · August 30, 2022, 11:25am

thanks @stgraber @m1cha