RuntimeError: Failed to read %zi bytes from /dev/urandom

LXD
#1

Hello everyone,

I’m looking for some advice. I have an lxd container and I want to run a python application that’s using a chroot environment inside the container. The error I’m getting is
RuntimeError: Failed to read %zi bytes from /dev/urandom
Can someone please advise how I can solve this?
Thank you.

#2

I don’t quite understand why you’d want or need a chroot inside of a container, but you can achieve this in a privileged container:

lxc config set c1 security.privileged=true

Restart the container, enter the container and the chroot, and run /bin/mknod -m 0666 /dev/urandom c 1 9. That’ll give you a working /dev/urandom inside of the chroot.

#3

I would generally recommend against enabling privileged mode as it means it makes it much easier to escape the container and onto the host.

See Linux Containers - LXC - Security

However you should be able to LXD’s syscall interception to allow you to create /dev/urandom inside the container.

See
https://linuxcontainers.org/lxd/docs/master/syscall-interception

#4

Thank you both.

I did look at syscall interception the other day, but unfortunately when I set the 2 entries to true I could not start the container anymore. I’ve got the below error.

Error: Failed preparing container for start: LXC doesn't support notify proxy: setting config item for the container failed Try lxc info --show-log ace for more info

Unfortunately the above command didn’t bring anything up.

#5

Any thoughts on this LXC doesn't support notify proxy error @brauner ?

#6

Please note that I’m running lxd version 4.17 inside openSUSE Tumbleweed. Not sure if this makes a difference as opposed to running it in Ubuntu.

#7

What kernel version?

#8

Linux opensuse 5.13.13-1-default #1 SMP Fri Aug 27 08:52:15 UTC 2021 (6339fac) aarch64 aarch64 aarch64 GNU/Linux

#9

Hi @tomp. I have updated today to kernel version 5.14.6-1-default and the issue is still there. Lxd/lxc is now version 4.18. What do you advise? Thank you.

#10

The error actually suggests that liblxc is lacking that support, not the kernel.
This may happen if the version of liblxc is too old or if libseccomp is an older release.

As this is using the opensuse native packages, maybe @cyphar can help.

@radumamy can you show the full lxc info output? This should show us what kernel and LXC features are detected.

#11

@stgraber, please see below. Thanks

`
config:
core.https_address: ‘[::]’ api_extensions:

  • storage_zfs_remove_snapshots
  • container_host_shutdown_timeout
  • container_stop_priority
  • container_syscall_filtering
  • auth_pki
  • container_last_used_at
  • etag
  • patch
  • usb_devices
  • https_allowed_credentials
  • image_compression_algorithm
  • directory_manipulation
  • container_cpu_time
  • storage_zfs_use_refquota
  • storage_lvm_mount_options
  • network
  • profile_usedby
  • container_push
  • container_exec_recording
  • certificate_update
  • container_exec_signal_handling
  • gpu_devices
  • container_image_properties
  • migration_progress
  • id_map
  • network_firewall_filtering
  • network_routes
  • storage
  • file_delete
  • file_append
  • network_dhcp_expiry
  • storage_lvm_vg_rename
  • storage_lvm_thinpool_rename
  • network_vlan
  • image_create_aliases
  • container_stateless_copy
  • container_only_migration
  • storage_zfs_clone_copy
  • unix_device_rename
  • storage_lvm_use_thinpool
  • storage_rsync_bwlimit
  • network_vxlan_interface
  • storage_btrfs_mount_options
  • entity_description
  • image_force_refresh
  • storage_lvm_lv_resizing
  • id_map_base
  • file_symlinks
  • container_push_target
  • network_vlan_physical
  • storage_images_delete
  • container_edit_metadata
  • container_snapshot_stateful_migration
  • storage_driver_ceph
  • storage_ceph_user_name
  • resource_limits
  • storage_volatile_initial_source
  • storage_ceph_force_osd_reuse
  • storage_block_filesystem_btrfs
  • resources
  • kernel_limits
  • storage_api_volume_rename
  • macaroon_authentication
  • network_sriov
  • console
  • restrict_devlxd
  • migration_pre_copy
  • infiniband
  • maas_network
  • devlxd_events
  • proxy
  • network_dhcp_gateway
  • file_get_symlink
  • network_leases
  • unix_device_hotplug
  • storage_api_local_volume_handling
  • operation_description
  • clustering
  • event_lifecycle
  • storage_api_remote_volume_handling
  • nvidia_runtime
  • container_mount_propagation
  • container_backup
  • devlxd_images
  • container_local_cross_pool_handling
  • proxy_unix
  • proxy_udp
  • clustering_join
  • proxy_tcp_udp_multi_port_handling
  • network_state
  • proxy_unix_dac_properties
  • container_protection_delete
  • unix_priv_drop
  • pprof_http
  • proxy_haproxy_protocol
  • network_hwaddr
  • proxy_nat
  • network_nat_order
  • container_full
  • candid_authentication
  • backup_compression
  • candid_config
  • nvidia_runtime_config
  • storage_api_volume_snapshots
  • storage_unmapped
  • projects
  • candid_config_key
  • network_vxlan_ttl
  • container_incremental_copy
  • usb_optional_vendorid
  • snapshot_scheduling
  • snapshot_schedule_aliases
  • container_copy_project
  • clustering_server_address
  • clustering_image_replication
  • container_protection_shift
  • snapshot_expiry
  • container_backup_override_pool
  • snapshot_expiry_creation
  • network_leases_location
  • resources_cpu_socket
  • resources_gpu
  • resources_numa
  • kernel_features
  • id_map_current
  • event_location
  • storage_api_remote_volume_snapshots
  • network_nat_address
  • container_nic_routes
  • rbac
  • cluster_internal_copy
  • seccomp_notify
  • lxc_features
  • container_nic_ipvlan
  • network_vlan_sriov
  • storage_cephfs
  • container_nic_ipfilter
  • resources_v2
  • container_exec_user_group_cwd
  • container_syscall_intercept
  • container_disk_shift
  • storage_shifted
  • resources_infiniband
  • daemon_storage
  • instances
  • image_types
  • resources_disk_sata
  • clustering_roles
  • images_expiry
  • resources_network_firmware
  • backup_compression_algorithm
  • ceph_data_pool_name
  • container_syscall_intercept_mount
  • compression_squashfs
  • container_raw_mount
  • container_nic_routed
  • container_syscall_intercept_mount_fuse
  • container_disk_ceph
  • virtual-machines
  • image_profiles
  • clustering_architecture
  • resources_disk_id
  • storage_lvm_stripes
  • vm_boot_priority
  • unix_hotplug_devices
  • api_filtering
  • instance_nic_network
  • clustering_sizing
  • firewall_driver
  • projects_limits
  • container_syscall_intercept_hugetlbfs
  • limits_hugepages
  • container_nic_routed_gateway
  • projects_restrictions
  • custom_volume_snapshot_expiry
  • volume_snapshot_scheduling
  • trust_ca_certificates
  • snapshot_disk_usage
  • clustering_edit_roles
  • container_nic_routed_host_address
  • container_nic_ipvlan_gateway
  • resources_usb_pci
  • resources_cpu_threads_numa
  • resources_cpu_core_die
  • api_os
  • container_nic_routed_host_table
  • container_nic_ipvlan_host_table
  • container_nic_ipvlan_mode
  • resources_system
  • images_push_relay
  • network_dns_search
  • container_nic_routed_limits
  • instance_nic_bridged_vlan
  • network_state_bond_bridge
  • usedby_consistency
  • custom_block_volumes
  • clustering_failure_domains
  • resources_gpu_mdev
  • console_vga_type
  • projects_limits_disk
  • network_type_macvlan
  • network_type_sriov
  • container_syscall_intercept_bpf_devices
  • network_type_ovn
  • projects_networks
  • projects_networks_restricted_uplinks
  • custom_volume_backup
  • backup_override_name
  • storage_rsync_compression
  • network_type_physical
  • network_ovn_external_subnets
  • network_ovn_nat
  • network_ovn_external_routes_remove
  • tpm_device_type
  • storage_zfs_clone_copy_rebase
  • gpu_mdev
  • resources_pci_iommu
  • resources_network_usb
  • resources_disk_address
  • network_physical_ovn_ingress_mode
  • network_ovn_dhcp
  • network_physical_routes_anycast
  • projects_limits_instances
  • network_state_vlan
  • instance_nic_bridged_port_isolation
  • instance_bulk_state_change
  • network_gvrp
  • instance_pool_move
  • gpu_sriov
  • pci_device_type
  • storage_volume_state
  • network_acl
  • migration_stateful
  • disk_state_quota
  • storage_ceph_features
  • projects_compression
  • projects_images_remote_cache_expiry
  • certificate_project
  • network_ovn_acl
  • projects_images_auto_update
  • projects_restricted_cluster_target
  • images_default_architecture
  • network_ovn_acl_defaults
  • gpu_mig
  • project_usage
  • network_bridge_acl
  • warnings
  • projects_restricted_backups_and_snapshots
  • clustering_join_token
  • clustering_description
  • server_trusted_proxy
  • clustering_update_cert
  • storage_api_project
  • server_instance_driver_operational
  • server_supported_storage_drivers
  • event_lifecycle_requestor_address
  • resources_gpu_usb
  • clustering_evacuation
  • network_ovn_nat_address
  • network_bgp
  • network_forward
  • custom_volume_refresh
  • network_counters_errors_dropped
    api_status: stable
    api_version: “1.0”
    auth: trusted
    public: false
    auth_methods:
  • tls
    environment:
    addresses:
    • 192.168.1.x.x8443
    • 10.49.x.x:8443
    • ‘[fd42:xxx::1]:8443’
      architectures:
    • aarch64
    • armv7l
      certificate: |
      -----BEGIN CERTIFICATE-----
      REDACTED
      -----END CERTIFICATE-----
      certificate_fingerprint: REDACTED
      driver: lxc | qemu
      driver_version: 4.0.9 | 6.1.0
      firewall: nftables
      kernel: Linux
      kernel_architecture: aarch64
      kernel_features:
      netnsid_getifaddrs: “true”
      seccomp_listener: “true”
      seccomp_listener_continue: “true”
      shiftfs: “false”
      uevent_injection: “true”
      unpriv_fscaps: “true”
      kernel_version: 5.14.6-1-default
      lxc_features:
      cgroup2: “true”
      devpts_fd: “true”
      idmapped_mounts_v2: “false”
      mount_injection_file: “true”
      network_gateway_device_route: “true”
      network_ipvlan: “true”
      network_l2proxy: “true”
      network_phys_macvlan_mtu: “true”
      network_veth_router: “true”
      pidfd: “true”
      seccomp_allow_deny_syntax: “true”
      seccomp_notify: “true”
      seccomp_proxy_send_notify_fd: “true”
      os_name: openSUSE Tumbleweed
      os_version: “20210927”
      project: default
      server: lxd
      server_clustered: false
      server_name: opensuse
      server_pid: 1204
      server_version: “4.18”
      storage: dir
      storage_version: “1”
      storage_supported_drivers:
    • name: btrfs
      version: “5.14”
      remote: false
    • name: dir
      version: “1”
      remote: false
    • name: lvm
      version: 2.03.12(2) (2021-05-07) / 1.03.01 (2021-05-07) / 4.45.0
      remote: false
      `
#12

That’s odd, it suggests that the feature is supported but that liblxc refused to set the config key when asked by LXD.

@brauner

#13

We’ve had some issues with building LXC recently, let me see if we’re due for a liblxc update…

#14

Hi @cyphar. I’m happy to test if you have an updated package. Thank you.

#15

Hi @cyphar. There have been a few updates to Tumbleweed, but the issue remains. Could you please advise if I need to submit this to openSUSE directly? Thank you.

#16

LXC has been compiled without HAVE_SECCOMP_NOTIFY. Our API extension does still advertise support for it but the seccomp codepath does check for full support too and refuses to work.

The fix for this is twofold:

  1. don’t advertise notify support if not compiled in
  2. make sure that the libseccomp version used to compile LXC does support the seccomp notifier
#17

Ok, this fixes the issue from LXD’s side

#18

I suspect Leap doesn’t have the very newest versions of libseccomp (we don’t disable any features in the LXC build script, so if LXC doesn’t have a feature enabled that’s because of the LXC configure script).