Systemd-hostnamed unable to start on LXD 5.0 containers

Hi,

I have trouble setting the hostname inside an LXD container with hostnamectl (and can essentially
reproduce the issue found on an Ubuntu Xenial host when running Bionic containers). My LXD host is my
personal laptop running current Debian Testing with LXD 5.0 installed from the Debian repositories (lxd package version 5.0.2-5). The running kernel is the stock Debian kernel (Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)).

I begin by launching a Debian Bookworm container with lxd launch images:debian/12 test, then
entering the container shell with lxd shell test. Inside the container, I attempt to set the hostname via hostnamectl set-hostname test.test. Instead of the hostname being set, it returns a Could not set pretty hostname: Connection timed out error. The corresponding journalctl
log is:

Jun 17 03:03:12 test dbus-daemon[81]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.7' (uid=0 pid=104 comm="hostnamectl set-hostname test.test")
Jun 17 03:03:12 test (ostnamed)[105]: systemd-hostnamed.service: Failed to set up network namespacing: Permission denied
Jun 17 03:03:12 test systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Jun 17 03:03:12 test (ostnamed)[105]: systemd-hostnamed.service: Failed at step NETWORK spawning /lib/systemd/systemd-hostnamed: Permission denied
Jun 17 03:03:12 test systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=225/NETWORK
Jun 17 03:03:12 test systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
Jun 17 03:03:12 test systemd[1]: Failed to start systemd-hostnamed.service - Hostname Service.
Jun 17 03:03:37 test dbus-daemon[81]: [system] Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)

When looking at dmesg on host, I get:

[10673.299973] audit: type=1400 audit(1686970915.519:84): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12984 comm="(crub_all)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10673.299988] audit: type=1400 audit(1686970915.519:85): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12984 comm="(crub_all)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793944] audit: type=1400 audit(1686970918.015:86): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793966] audit: type=1400 audit(1686970918.015:87): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10750.671804] audit: type=1400 audit(1686970992.896:88): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=13038 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10750.671817] audit: type=1400 audit(1686970992.896:89): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=13038 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"

The only difference from the linked Bionic containers issue is that the apparmor dmesg log above
has requested_mask=send instead of addr=none.

The working workaround in this case is to disable AppArmor confinement on the container by:

lxc config set test raw.lxc "lxc.apparmor.profile=unconfined"

I have already filed this issue on Debian BTS.

Thanks.
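As an added example (not part of the post above), a small triage script that parses AppArmor type=1400 audit lines of the kind quoted from dmesg here and tallies DENIED events per process, operation and requested mask, so the denied step can be matched against the container's journal before the whole profile is set to unconfined. The sample lines are constructed to mirror the post's output; the ALLOWED and USB lines are added only to show that non-denial lines are ignored.

```python
import re
from collections import Counter

# Constructed sample, modelled on the dmesg lines quoted in the post.
SAMPLE_DMESG = """\
[10673.299973] audit: type=1400 audit(1686970915.519:84): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12984 comm="(crub_all)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793944] audit: type=1400 audit(1686970918.015:86): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10675.793966] audit: type=1400 audit(1686970918.015:87): apparmor="DENIED" operation="file_lock" profile="lxd-myself_test_</var/lib/lxd>" pid=12991 comm="(ostnamed)" family="unix" sock_type="dgram" protocol=0 requested_mask="send"
[10750.671804] audit: type=1400 audit(1686970992.896:88): apparmor="ALLOWED" operation="open" profile="lxd-myself_test_</var/lib/lxd>" pid=13038 comm="(ostnamed)" name="/etc/hostname" requested_mask="r"
[10751.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# audit(<epoch>.<ms>:<serial>): <key=value fields...>
AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value, where value is either a quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Return a dict of fields for one type=1400 (AppArmor) line, or None."""
    if 'type=1400' not in line:
        return None
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'serial': int(m.group('serial'))}
    for key, val in FIELD_RE.findall(m.group('body')):
        rec[key] = val.strip('"')
    return rec

def summarize_denials(text, profile_prefix='lxd-'):
    """Count DENIED events by (comm, operation, requested_mask) for profiles
    starting with profile_prefix (LXD container profiles start with 'lxd-').
    comm values like "(ostnamed)" are systemd's temporary name for the child
    it is sandboxing before exec, so the unit can be read straight off them."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        if not rec.get('profile', '').startswith(profile_prefix):
            continue
        key = (rec.get('comm'), rec.get('operation'), rec.get('requested_mask'))
        counts[key] += 1
    return counts

if __name__ == '__main__':
    for (comm, op, mask), n in summarize_denials(SAMPLE_DMESG).most_common():
        print(f'{n:3d}  comm={comm} operation={op} requested_mask={mask}')
```

Run against real output with `dmesg | python3 triage.py`-style piping by reading sys.stdin instead of SAMPLE_DMESG; the (ostnamed) file_lock/send entries line up with the NETWORK step failure in the container journal.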
