I recently switched from LXD to Incus just because of the bad policy Canonical had against the good Linux Containers team.
Everything is working fine so far, but for those wondering why the shadowsocks systemd service is not working under Incus, here’s a quick fix (even if I don’t know if it’s an appropriate one).
To fix the problem, edit the systemd service using your favorite editor (in my case, nano):
In the file, look for DynamicUser=true and switch the value from true to false.
The new file will look like this:
# This file is part of shadowsocks-libev.
#
# Shadowsocks-libev is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This file is default for Debian packaging. See also
# /etc/default/shadowsocks-libev for environment variables.
[Unit]
Description=Shadowsocks-libev Default Server Service
Documentation=man:shadowsocks-libev(8)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DynamicUser=false
EnvironmentFile=/etc/default/shadowsocks-libev
LimitNOFILE=32768
ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS
[Install]
WantedBy=multi-user.target
Save the file and reload the systemd daemon with the following command:
sudo systemctl daemon-reload
After this, just restart the shadowsocks-libev service with:
sudo systemctl restart shadowsocks-libev
I hope this solution will help someone. Thank you.
The DynamicUser documentation, systemd.exec
DynamicUser does a lot of things and it’s not clear what part could cause the problem.
What error do you get when you keep DynamicUser enabled? If there is a specific message, post it so that others who Google for that message can get directly here.
My understanding of DynamicUser is that it makes use of high uid/gid which may not be available in the container.
It’s actually one of the leading reasons behind the recent work by @amikhalitsyn and myself to get a new concept of isolated user namespaces going in the kernel, this would then provide the entire uid/gid space for each container, allowing for such dynamic allocation of high uid/gid without problems.
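One way to test the explanation in the reply above from inside the container, as an added example that is not part of the original thread: it parses the user namespace's uid_map and gid_map and reports whether the 61184-65519 range that the systemd documentation gives for DynamicUser= allocations is mapped. The names covers_dynamic_range and report are hypothetical helpers.

```shell
#!/bin/sh
# UID/GID range systemd allocates DynamicUser= IDs from (per systemd documentation).
DYN_MIN=61184
DYN_MAX=65519

# covers_dynamic_range MAPFILE   (hypothetical helper, not part of systemd or Incus)
# MAPFILE uses the /proc/<pid>/uid_map format: "<inside-start> <outside-start> <count>".
# Returns 0 if every ID in DYN_MIN..DYN_MAX is mapped inside the namespace.
# Otherwise prints the first unmapped ID and returns non-zero.
covers_dynamic_range() {
    awk -v lo="$DYN_MIN" -v hi="$DYN_MAX" '
        BEGIN { n = 0 }
        NF == 3 { first[n] = $1; last[n] = $1 + $3 - 1; n++ }
        END {
            # Walk upward from lo; each pass needs an extent that contains "need".
            need = lo
            while (need <= hi) {
                found = 0
                for (i = 0; i < n; i++)
                    if (first[i] <= need && need <= last[i]) {
                        need = last[i] + 1; found = 1; break
                    }
                if (!found) { print need; exit 1 }
            }
        }' "$1"
}

# Report on the namespace this shell runs in (run it inside the container).
report() {
    for kind in uid gid; do
        if missing=$(covers_dynamic_range "/proc/self/${kind}_map" 2>/dev/null); then
            echo "${kind}_map: ${DYN_MIN}-${DYN_MAX} fully mapped"
        else
            echo "${kind}_map: range not covered, first unmapped ID: ${missing:-unknown}"
        fi
    done
}
report
```

If both maps cover the range, missing IDs do not explain the failure and the cause lies elsewhere.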
I get this error. I run a Debian 12 container on a Debian 12 host (node) and the only user I have is root:
Feb 17 18:08:55 wg-debian12 (s-server)[1025]: shadowsocks-libev.service: Failed to update dynamic user credentials: Permission denied
Feb 17 18:08:55 wg-debian12 (s-server)[1025]: shadowsocks-libev.service: Failed at step USER spawning /usr/bin/ss-server: Permission denied
EDIT: I forgot to mention that I used lxd-to-incus for the migration from LXD to Incus. On LXD this problem, even if I had just root as user, was not present.