We use lxd for production. We have had a hard time finding the right base OS. Right now we have containers running on Ubuntu 18.04, Debian 10 and now also 20.04.
All based on zfs datasets.
So far it has been a good experience with lxd 4.0.1 on Ubuntu 20.04. Performance is good and seems pretty stable.
One strange issue however. We use it for web servers with Apache and PHP-FPM. We migrated a server (an offline migration with lxc move) from a host using Debian 10 to another host using Ubuntu 20.04. Apache in the container had no problems running on Debian, but when we moved it to the Ubuntu 20.04 host we started to get file permission errors when starting Apache and PHP.
[04-May-2020 13:22:23] ERROR: Unable to create or open slowlog(/var/www/hest.dk/logs/php-fpm-slow.log): Permission denied (13)
[04-May-2020 13:22:23] ERROR: failed to post process the configuration
[04-May-2020 13:22:23] ERROR: FPM initialization failed
(13)Permission denied: AH00091: apache2: could not open error log file /var/www/hest.dk/logs/apache_errorlog.log.
Migrating the container back to the origin host, Apache and PHP-FPM start on boot with no issues.
This happens on both lxd 4.0.1 and 3.23, but only on Ubuntu 20.04.
It cannot be replicated on Debian 10 and Ubuntu 18.04.
@dhpowrhost can you show lxc config show --expanded NAME for that container?
If you’re forcing unconfined through raw.lxc, this may actually be the source of the issue.
Unlike what most people think, unconfined isn’t really unconfined, it mostly means you don’t have an apparmor profile or namespace, which also means that any apparmor profile defined on the host which applies based on application path WILL be applied to your processes.
Ok, so apache runs as www-data and is part of virtual.
Based on:
-rw-r--r-- 1 hest_dk virtual 0 May 4 10:29 apache_accesslog.log
-rw-r--r-- 1 hest_dk virtual 0 May 4 10:29 apache_errorlog.log
-rw------- 1 hest_dk virtual 0 May 4 13:05 filesystem_audit.log
-rw------- 1 hest_dk virtual 0 May 4 10:28 php-fpm-slow.log
That www-data user will only be able to read the apache_* logs, not open them for writing; they need to be 660 or 664 for that, not the current 644.
It’s worse on the other two files as those can only be written to by hest_dk, so apache/php will have no way of doing that.