On Ubuntu 18.04 I can install LXD with apt install lxc1 lxd lxd-client, create a container with lxc launch images:centos/7 mycontainer and enter it using lxc exec mycontainer bash.
In the container I noticed that service dev-hugepages.mount has failed.
[root@mycontainer ~]# systemctl status dev-hugepages.mount
● dev-hugepages.mount - Huge Pages File System
Loaded: loaded (/usr/lib/systemd/system/dev-hugepages.mount; static; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2020-11-20 04:35:41 UTC; 33s ago
Where: /dev/hugepages
What: hugetlbfs
Docs: https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt
http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 35 ExecMount=/bin/mount hugetlbfs /dev/hugepages -t hugetlbfs (code=exited, status=32)
Nov 20 04:35:41 mycontainer mount[35]: mount: permission denied
Nov 20 04:35:41 mycontainer systemd[1]: dev-hugepages.mount mount process exited, code=exited status=32
Nov 20 04:35:41 mycontainer systemd[1]: Failed to mount Huge Pages File System.
Nov 20 04:35:41 mycontainer systemd[1]: Unit dev-hugepages.mount entered failed state.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[root@mycontainer ~]#
The command that makes this service fail is /bin/mount hugetlbfs /dev/hugepages -t hugetlbfs -v
3d [user@ubuntulxchost:~] 130 $ lxc config set mycontainer raw.apparmor="mount fstype=hugetlbfs,"
Error: cannot set 'mycontainer' to 'raw.apparmor=mount fstype=hugetlbfs,': unknown key
I noticed btw that the lxc.conf looks strange with two entries
3d [user@ubuntulxchost:~]1 $ sudo cat /var/log/lxd/mycontainer/lxc.conf | grep app
lxc.apparmor.profile = lxd-mycontainer_</var/lib/lxd>//&:lxd-mycontainer_<var-lib-lxd>:
lxc.apparmor.profile=unconfined
3d [user@ubuntulxchost:~]
I tried that before and after a restart of the container but the problem is still there.
journalctl -xe shows all kinds of permission problems
Nov 21 05:35:41 mycontainer systemd-udevd[40]: starting version 219
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '0' to '/proc/sys/kernel/yama/ptrace_scope': Permission denied
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Nov 21 05:35:41 mycontainer mount[39]: mount: permission denied
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '1' to '/proc/sys/kernel/kptr_restrict': Permission denied
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Nov 21 05:35:41 mycontainer mount[42]: mount: permission denied
Nov 21 05:35:41 mycontainer systemd[1]: Started udev Kernel Device Manager.
-- Subject: Unit systemd-udevd.service has finished start-up
Ok, so the issue isn’t apparmor at all. I suspect it’s simply that hugetlbfs is a restricted filesystem which is never allowed to be mounted inside of an unprivileged container.
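The reply above attributes the failure to the container being unprivileged rather than to AppArmor. As an added example (not from this thread or from the LXD project), the script below does the two checks an operator would want before chasing AppArmor rules: it reads /proc/self/uid_map to tell whether the current process is inside a user namespace where uid 0 is mapped to a non-zero host uid (the unprivileged case), and it triages journal lines like the ones pasted earlier into a per-program count of permission denials plus the list of sysctl keys that could not be written. The journal lines in SAMPLE_JOURNAL are constructed from the thread's own output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Helper names are this
# example's own; the sample journal text is constructed from the thread.

# Returns 0 (true) when the uid_map text shows container uid 0 mapped to a
# host uid other than 0, i.e. an unprivileged, user-namespaced container.
# A map of "0 0 4294967295" (or no mapping for uid 0) returns 1.
is_unprivileged_uid_map() {
    printf '%s\n' "$1" | awk 'BEGIN { r = 1 }
        $1 == 0 && $2 != 0 { r = 0 }
        END { exit r }'
}

# Prints "<program> <count>" for every program that logged a permission
# denial, sorted by program name. Expects journalctl-style lines whose
# fifth field is "program[pid]:".
count_permission_denials() {
    printf '%s\n' "$1" | awk '/[Pp]ermission denied/ {
            prog = $5; sub(/\[.*/, "", prog); n[prog]++
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Prints the /proc/sys keys that systemd-sysctl could not write, one per line.
denied_sysctl_keys() {
    printf '%s\n' "$1" | sed -n "s/.*Failed to write '[^']*' to '\([^']*\)': Permission denied/\1/p"
}

# Constructed sample, modelled on the journalctl -xe output in the thread.
SAMPLE_JOURNAL="Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '0' to '/proc/sys/kernel/yama/ptrace_scope': Permission denied
Nov 21 05:35:41 mycontainer systemd-sysctl[41]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Nov 21 05:35:41 mycontainer mount[39]: mount: permission denied
Nov 21 05:35:41 mycontainer mount[42]: mount: permission denied
Nov 21 05:35:41 mycontainer systemd[1]: Started udev Kernel Device Manager."

# Stand-alone run: report on the current process and on the sample lines.
if [ -r /proc/self/uid_map ]; then
    if is_unprivileged_uid_map "$(cat /proc/self/uid_map)"; then
        echo "uid 0 is mapped to a non-zero host uid: unprivileged container, restricted filesystems such as hugetlbfs cannot be mounted here"
    else
        echo "uid 0 maps to host uid 0: privileged container or no user namespace"
    fi
fi
echo "permission denials per program:"
count_permission_denials "$SAMPLE_JOURNAL"
echo "sysctl keys that could not be written:"
denied_sysctl_keys "$SAMPLE_JOURNAL"
```

Run it inside the container as root: if the uid_map check reports an unprivileged container, the failing dev-hugepages.mount and the systemd-sysctl denials are the expected consequence of the user namespace, and no AppArmor change on the host will alter that.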
This is a difference between LXD and LXC then, I suppose, because with LXC this does work. I used Vagrant with the Vagrant LXC plugin and in that case the service works.
Checked this with the Vagrant LXD plugin and indeed, same problem. When I searched the filesystem I noticed many other permission problems.
So I suppose your conclusion is correct that this will not work with LXD. I was thinking about switching from LXC to LXD, but as it turns out this would not make sense for me. In an LXD container it is not possible to run an NFS server or even mount an NFS folder. Those services depend on dev-hugepages.mount.