NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Incus: Creating new containers/vms blocked by apparmor #350012

Open broizter opened 1 month ago

broizter commented 1 month ago

When creating new containers or VMs using Incus, you first have to disable AppArmor; otherwise you get errors and the creation fails.

```
incus create images:debian/12 test
Creating test
Error: Failed instance creation: Failed creating instance from image: Unpack failed: Failed to run: tar --anchored --wildcards --exclude=dev/* --exclude=/dev/* --exclude=./dev/* --exclude=rootfs/dev/* --exclude=/rootfs/dev/* --exclude=./rootfs/dev/* --restrict --force-local -C /var/lib/incus/storage-pools/default/images/149e0ff3a1ca46db20336210704104db4c9409f2f33369dea26174d908757c29 --numeric-owner --xattrs-include=* -Jxf -: exit status 127 (tar: error while loading shared libraries: libacl.so.1: cannot open shared object file: No such file or directory)
```

```
dmesg -T
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.016:126): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" pid=2582270 comm="apparmor_parser"
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.018:127): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" name="/nix/store/7px4n99mcmdzx8nygx59f28j8g7vj0kb-acl-2.3.2/lib/libacl.so.1.1.2302" pid=2582272 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sön okt 20 14:32:58 2024] audit: type=1400 audit(1729427573.057:128): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus_archive-d6df5eea-1a10-4ad0-b163-43dbbc49e4b1" pid=2582276 comm="apparmor_parser"
```

broizter commented 1 month ago

The maintainer of Incus, Stéphane Graber, wrote about the issue, which I thought was worth attaching.

"So normally the AppArmor abstractions/base contains what’s needed for dynamic libraries to be loaded. All our profiles include that abstraction so we don’t need to specifically allow every single library.

There must be something odd going on with NixOS which causes that abstraction to not include a correct pattern for where Nix stores its libraries (/nix/storage/*/lib/so or something like that)."

broizter commented 1 month ago

This is the AppArmor profile he suggested to fix this particular issue.

```
/nix/storage/*/lib/*so* mr,
```
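Added example, not from the issue or from the Incus project: a small POSIX shell script that turns AppArmor `DENIED` audit lines (such as the dmesg output above) into candidate profile rules, and checks an AppArmor file glob against a concrete path, remembering that in AppArmor profiles `*` does not match across `/` (only `**` does). The audit lines embedded in it are constructed after the ones in the issue (the `/etc/hostname` denial is invented for illustration, and the profile name is shortened); the two functions and their names are this example's own. The path actually denied in the log is under `/nix/store`, so any glob should be checked against that prefix before being added to a profile.

```shell
#!/bin/sh
# Added example: derive AppArmor rules from DENIED audit lines and check a
# profile glob against a logged path. Not the project's code.

# Constructed sample, modelled on the dmesg lines in the issue. The STATUS line
# must be ignored; the /etc/hostname denial is invented for illustration.
SAMPLE_AUDIT='audit: type=1400 audit(1729427573.016:126): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus_archive-d6df5eea" pid=1 comm="apparmor_parser"
audit: type=1400 audit(1729427573.018:127): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea" name="/nix/store/7px4n99mcmdzx8nygx59f28j8g7vj0kb-acl-2.3.2/lib/libacl.so.1.1.2302" pid=2 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1729427573.020:128): apparmor="DENIED" operation="open" class="file" profile="incus_archive-d6df5eea" name="/etc/hostname" pid=3 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read audit lines on stdin and print one candidate rule per DENIED open.
# Shared objects under a Nix store path are generalised to a single glob so
# one rule covers every store hash; anything else becomes a literal read rule.
denied_to_rules() {
  awk '
    /apparmor="DENIED"/ && /operation="open"/ {
      match($0, /name="[^"]*"/)
      path = substr($0, RSTART + 6, RLENGTH - 7)   # strip name=" and the closing "
      if (path ~ /^\/nix\/store\/[^\/]+\/lib\/[^\/]*\.so/) {
        rules["/nix/store/*/lib/*so* mr,"] = 1
      } else {
        rules[path " r,"] = 1
      }
    }
    END { for (r in rules) print r }
  ' | sort
}

# glob_matches GLOB PATH: exit 0 if an AppArmor-style file glob matches PATH.
# Assumption: only "*" and "." are treated as special (enough for the globs
# discussed here); "*" is translated to "[^/]*" because AppArmor's single
# star never crosses a directory separator.
glob_matches() {
  printf '%s\n' "$2" | awk -v g="$1" '
    BEGIN {
      re = g
      gsub(/\./, "[.]", re)
      gsub(/\*/, "[^/]*", re)
      re = "^" re "$"
    }
    { exit ($0 ~ re) ? 0 : 1 }
  '
}

# Stand-alone run: show the rules derived from the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | denied_to_rules
```

Running it prints `/etc/hostname r,` and `/nix/store/*/lib/*so* mr,`. Checking the suggested glob against the logged path shows why the prefix matters: `glob_matches '/nix/store/*/lib/*so*' "$path"` succeeds for the libacl path from the log, while the same glob rooted at `/nix/storage` does not, so a rule written that way would leave the denial in place.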