Ubuntu session restarts on lxd start

mindbender · March 22, 2022, 2:38pm

Following the instructions here: MicroK8s - MicroK8s in LXD . My Ubuntu desktop sessions logs off and when I log back in session has restarted. The profile from that page is reproduced below check to see if some configuration is problematic there.

### This is a YAML representation of the profile.
### Any line starting with a '# will be ignored.
###
### A profile consists of a set of configuration items followed by a set of
### devices.
###
### An example would look like:
### name: onenic
### config:
###   raw.lxc: lxc.aa_profile=unconfined
### devices:
###   eth0:
###     nictype: bridged
###     parent: lxdbr0
###     type: nic
###
### Note that the name is shown but cannot be changed

config:
  boot.autostart: "true"
  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay,br_netfilter
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw cgroup:rw
    lxc.cgroup.devices.allow=a
    lxc.cap.drop=
  security.nesting: "true"
  security.privileged: "true"
description: ""
devices:
  aadisable:
    path: /sys/module/nf_conntrack/parameters/hashsize
    source: /sys/module/nf_conntrack/parameters/hashsize
    type: disk
  aadisable1:
    path: /sys/module/apparmor/parameters/enabled
    source: /dev/null
    type: disk
  aadisable2:
    path: /dev/kmsg
    source: /dev/kmsg
    type: unix-char
  aadisable3:
    path: /sys/fs/bpf
    source: /sys/fs/bpf
    type: disk
  aadisable4:
    path: /proc/sys/net/netfilter/nf_conntrack_max
    source: /proc/sys/net/netfilter/nf_conntrack_max
    type: disk
name: microk8s
used_by:
- /1.0/instances/microk8s-worker0
- /1.0/instances/microk8s-worker1

I have an other instance that doesn’t use this profile and it doesn’t suffer this issue when stopping and starting it.

stgraber · March 22, 2022, 5:45pm

It’s not really surprising. The combination of security.privileged=true and your raw.lxc allows for very terrible things to be possible by the container.

That container can change apparmor profiles, load kernel modules and perform a lot of other actions which could seriously upset your host and cause your desktop session to restart.

mindbender · August 7, 2022, 3:50am

Please what is the safest LXD profile to get a fully functional Kubernetes up and running?

I see here you have good experience with Kubernetes on LXD:

Even the Charmed Kubernetes bundle suffers the same fate on my machine due to using a similar LXD profile to that of MicroK8s

turtle0x1 · August 7, 2022, 3:35pm

Have you tried a VM? It might be more resource intensive but would give you clean separation (I think).

bramv · September 10, 2024, 6:34am

I also encountered this using version 5.21.2 LTS (on a container without raw.lxc). If I set security.privileged=false, the host session logout does not happen, which makes me wonder why it happens when security.privileged=true?

simos · September 10, 2024, 6:55am

Welcome!

This discussion forum has switched to Incus (since a year ago), which is a continuation/fork of LXD.

See Migrating from LXD - Incus documentation on how to migrate to Incus.

Then, it would be great to make a list of steps to reproduce the host session logout.
When you enable security.privileged=true, then your container can harm the host. It’s interesting to get reproducible steps to figure out what’s going on.

bramv · September 11, 2024, 3:35pm

I’ve tested with incus 6.0.0 stock package on host ubuntu 24.04, and can confirm that when following the steps below to install microk8s on an incus container also causes a session logout when restarting the container:
https://microk8s.io/docs/install-lxd

(Replace lxd with incus in the instructions above)

simos · September 11, 2024, 3:57pm

This profile is a train wreck; an experiment on how to rollback all the effort in isolating processes from an isolation system. I wouldn’t touch this.

If you really need to run microk8s, launch an Incus VM and add a dedicated network device.

$ cat microk8s.profile 
name: microk8s
config:
  boot.autostart: "true"
  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay,br_netfilter
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw cgroup:rw
    lxc.cgroup.devices.allow=a
    lxc.cap.drop=
  security.nesting: "true"
  security.privileged: "true"
description: ""
devices:
  aadisable:
    path: /sys/module/nf_conntrack/parameters/hashsize
    source: /sys/module/nf_conntrack/parameters/hashsize
    type: disk
  aadisable2:
    path: /dev/zfs
    source: /dev/zfs
    type: disk
  aadisable3:
    path: /dev/kmsg
    source: /dev/kmsg
    type: unix-char
  aadisable4:
    path: /sys/fs/bpf
    source: /sys/fs/bpf
    type: disk
  aadisable5:
    path: /proc/sys/net/netfilter/nf_conntrack_max
    source: /proc/sys/net/netfilter/nf_conntrack_max
    type: disk
$