RuntimeError: Failed to read %zi bytes from /dev/urandom

Hello everyone,

I’m looking for some advice. I have an LXD container and I want to run a Python application that’s using a chroot environment inside the container. The error I’m getting is:

`RuntimeError: Failed to read %zi bytes from /dev/urandom`

Can someone please advise how I can solve this?
Thank you.

I don’t quite understand why you’d want or need a chroot inside of a container, but you can achieve this in a privileged container:

lxc config set c1 security.privileged=true

Restart the container, enter the container and the chroot, and run `/bin/mknod -m 0666 /dev/urandom c 1 9`. That’ll give you a working /dev/urandom inside of the chroot.

I would generally recommend against enabling privileged mode as it makes it much easier to escape from the container onto the host.

See Linux Containers - LXC - Security

However, you should be able to use LXD’s syscall interception to allow you to create /dev/urandom inside the container.

See https://linuxcontainers.org/lxd/docs/master/syscall-interception

Thank you both.

I did look at syscall interception the other day, but unfortunately when I set the 2 entries to true I could not start the container anymore. I’ve got the below error.

`Error: Failed preparing container for start: LXC doesn't support notify proxy: setting config item for the container failed Try lxc info --show-log ace for more info`

Unfortunately the above command didn’t bring anything up.

Any thoughts on this LXC doesn't support notify proxy error @brauner ?

Please note that I’m running lxd version 4.17 inside openSUSE Tumbleweed. Not sure if this makes a difference as opposed to running it in Ubuntu.

What kernel version?

Linux opensuse 5.13.13-1-default #1 SMP Fri Aug 27 08:52:15 UTC 2021 (6339fac) aarch64 aarch64 aarch64 GNU/Linux

Hi @tomp. I have updated today to kernel version 5.14.6-1-default and the issue is still there. LXD/LXC is now version 4.18. What do you advise? Thank you.

The error actually suggests that liblxc is lacking that support, not the kernel.
This may happen if the version of liblxc is too old or if libseccomp is an older release.

As this is using the opensuse native packages, maybe @cyphar can help.

@radumamy can you show the full lxc info output? This should show us what kernel and LXC features are detected.

@stgraber, please see below. Thanks

```yaml
config:
  core.https_address: '[::]'
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- macaroon_authentication
- network_sriov
- console
- restrict_devlxd
- migration_pre_copy
- infiniband
- maas_network
- devlxd_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- devlxd_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- candid_authentication
- backup_compression
- candid_config
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- candid_config_key
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- snapshot_schedule_aliases
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- rbac
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
- images_push_relay
- network_dns_search
- container_nic_routed_limits
- instance_nic_bridged_vlan
- network_state_bond_bridge
- usedby_consistency
- custom_block_volumes
- clustering_failure_domains
- resources_gpu_mdev
- console_vga_type
- projects_limits_disk
- network_type_macvlan
- network_type_sriov
- container_syscall_intercept_bpf_devices
- network_type_ovn
- projects_networks
- projects_networks_restricted_uplinks
- custom_volume_backup
- backup_override_name
- storage_rsync_compression
- network_type_physical
- network_ovn_external_subnets
- network_ovn_nat
- network_ovn_external_routes_remove
- tpm_device_type
- storage_zfs_clone_copy_rebase
- gpu_mdev
- resources_pci_iommu
- resources_network_usb
- resources_disk_address
- network_physical_ovn_ingress_mode
- network_ovn_dhcp
- network_physical_routes_anycast
- projects_limits_instances
- network_state_vlan
- instance_nic_bridged_port_isolation
- instance_bulk_state_change
- network_gvrp
- instance_pool_move
- gpu_sriov
- pci_device_type
- storage_volume_state
- network_acl
- migration_stateful
- disk_state_quota
- storage_ceph_features
- projects_compression
- projects_images_remote_cache_expiry
- certificate_project
- network_ovn_acl
- projects_images_auto_update
- projects_restricted_cluster_target
- images_default_architecture
- network_ovn_acl_defaults
- gpu_mig
- project_usage
- network_bridge_acl
- warnings
- projects_restricted_backups_and_snapshots
- clustering_join_token
- clustering_description
- server_trusted_proxy
- clustering_update_cert
- storage_api_project
- server_instance_driver_operational
- server_supported_storage_drivers
- event_lifecycle_requestor_address
- resources_gpu_usb
- clustering_evacuation
- network_ovn_nat_address
- network_bgp
- network_forward
- custom_volume_refresh
- network_counters_errors_dropped
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
environment:
  addresses:
  - 192.168.1.x.x8443
  - 10.49.x.x:8443
  - '[fd42:xxx::1]:8443'
  architectures:
  - aarch64
  - armv7l
  certificate: |
    -----BEGIN CERTIFICATE-----
    REDACTED
    -----END CERTIFICATE-----
  certificate_fingerprint: REDACTED
  driver: lxc | qemu
  driver_version: 4.0.9 | 6.1.0
  firewall: nftables
  kernel: Linux
  kernel_architecture: aarch64
  kernel_features:
    netnsid_getifaddrs: "true"
    seccomp_listener: "true"
    seccomp_listener_continue: "true"
    shiftfs: "false"
    uevent_injection: "true"
    unpriv_fscaps: "true"
  kernel_version: 5.14.6-1-default
  lxc_features:
    cgroup2: "true"
    devpts_fd: "true"
    idmapped_mounts_v2: "false"
    mount_injection_file: "true"
    network_gateway_device_route: "true"
    network_ipvlan: "true"
    network_l2proxy: "true"
    network_phys_macvlan_mtu: "true"
    network_veth_router: "true"
    pidfd: "true"
    seccomp_allow_deny_syntax: "true"
    seccomp_notify: "true"
    seccomp_proxy_send_notify_fd: "true"
  os_name: openSUSE Tumbleweed
  os_version: "20210927"
  project: default
  server: lxd
  server_clustered: false
  server_name: opensuse
  server_pid: 1204
  server_version: "4.18"
  storage: dir
  storage_version: "1"
  storage_supported_drivers:
  - name: btrfs
    version: "5.14"
    remote: false
  - name: dir
    version: "1"
    remote: false
  - name: lvm
    version: 2.03.12(2) (2021-05-07) / 1.03.01 (2021-05-07) / 4.45.0
    remote: false
```

That’s odd, it suggests that the feature is supported but that liblxc refused to set the config key when asked by LXD.
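A preflight check for the prerequisites that `security.syscalls.intercept.*` relies on, as an added example written for this thread (not LXD's or LXC's own code): it scans `lxc info` output for the `seccomp_listener` / `seccomp_notify` style flags and the relevant API extensions and reports which are missing. The sample input is constructed from the output posted above, trimmed to the relevant keys; as the thread shows, every flag reading `"true"` is necessary but not sufficient, because liblxc can still have been built without notify support.

```python
import re

# Flags on the seccomp-notify path that LXD reports in `lxc info`.
REQUIRED = [
    ("kernel_features", "seccomp_listener"),
    ("kernel_features", "seccomp_listener_continue"),
    ("lxc_features", "seccomp_notify"),
    ("lxc_features", "seccomp_proxy_send_notify_fd"),
]
REQUIRED_EXTENSIONS = ["seccomp_notify", "container_syscall_intercept"]

def parse_lxc_info(text):
    """Minimal line parser (not a YAML implementation) for the three
    `lxc info` blocks we care about; returns {block: values}."""
    feats = {"api_extensions": set(), "kernel_features": {}, "lxc_features": {}}
    current, indent = None, 0
    for raw in text.splitlines():
        stripped = raw.lstrip()
        if not stripped:
            continue
        depth = len(raw) - len(stripped)
        # A line at or above the header's indentation that is not a list
        # item ends the block (e.g. kernel_version: after kernel_features:).
        if current and depth <= indent and not stripped.startswith("- "):
            current = None
        if stripped.endswith(":") and stripped[:-1] in feats:
            current, indent = stripped[:-1], depth
            continue
        if current == "api_extensions" and stripped.startswith("- "):
            feats[current].add(stripped[2:].strip())
        elif current:
            m = re.match(r'^([a-z0-9_]+):\s*"?(true|false)"?$', stripped)
            if m:
                feats[current][m.group(1)] = m.group(2) == "true"
    return feats

def missing_prerequisites(feats):
    """Names of required flags/extensions that are absent or "false"."""
    missing = [f"{s}.{k}" for s, k in REQUIRED if not feats[s].get(k, False)]
    missing += [f"api_extensions.{e}" for e in REQUIRED_EXTENSIONS
                if e not in feats["api_extensions"]]
    return missing

# Constructed sample, trimmed from the `lxc info` output in the thread.
SAMPLE = """\
api_extensions:
- seccomp_notify
- container_syscall_intercept
api_status: stable
environment:
  kernel_features:
    seccomp_listener: "true"
    seccomp_listener_continue: "true"
    shiftfs: "false"
  kernel_version: 5.14.6-1-default
  lxc_features:
    seccomp_notify: "true"
    seccomp_proxy_send_notify_fd: "true"
  server_version: "4.18"
"""

if __name__ == "__main__":
    # Run against live output with: lxc info | python3 this_script.py
    print("missing:", missing_prerequisites(parse_lxc_info(SAMPLE)) or "none")
```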

@brauner

We’ve had some issues with building LXC recently, let me see if we’re due for a liblxc update…

Hi @cyphar. I’m happy to test if you have an updated package. Thank you.

Hi @cyphar. There have been a few updates to Tumbleweed, but the issue remains. Could you please advise if I need to submit this to openSUSE directly? Thank you.

LXC has been compiled without HAVE_SECCOMP_NOTIFY. Our API extension does still advertise support for it but the seccomp codepath does check for full support too and refuses to work.

The fix for this is twofold:

  1. don’t advertise notify support if not compiled in
  2. make sure that the libseccomp version used to compile LXC does support the seccomp notifier

Ok, this fixes the issue from LXD’s side

I suspect Leap doesn’t have the very newest versions of libseccomp (we don’t disable any features in the LXC build script, so if LXC doesn’t have a feature enabled that’s because of the LXC configure script).