search

canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0
4.32k stars 927 forks source link

Second ACL not saved and restored to/from container image #12438

Open kimfaint opened 11 months ago

kimfaint commented 11 months ago

Required information

Issue description

Similar to #11901 (which has been fixed) there is an issue when 2 group ACLs are applied to the same directory. The first one is now restored correctly, but the second one is restored as a numerical value.

Steps to reproduce

  1. Create a container, apply 2 ACL groups to the same directory, stop the container
$ lxc launch images:ubuntu/jammy c1
$ lxc exec c1 -- apt install acl -y
$ lxc exec c1 -- groupadd foo
$ lxc exec c1 -- groupadd wibble
$ lxc exec c1 -- touch ./foo
$ lxc exec c1 -- setfacl -m g:foo:rwx ./foo
$ lxc exec c1 -- getfacl foo
# file: foo
# owner: root
# group: root
user::rw-
group::r--
group:foo:rwx
mask::rwx
other::r--
  1. Publish container to image, launch new container from image, check ACL
$ lxc stop c1
$ lxc publish c1
Instance published with fingerprint: ad7f2ecc32d26416a6b59b65f4fb3061a5490e1658b06a8ddfec3cee77c6e016
$ lxc launch ad7f2ecc32d26416a6b59b65f4fb3061a5490e1658b06a8ddfec3cee77c6e016 c2
Creating c2
Starting c2                                
$ lxc exec c2 -- getfacl foo
# file: foo
# owner: root
# group: root
user::rw-
group::r--
group:foo:rwx
group:4294967295:rwx
mask::rwx
other::r--

Instead of wibble we get 4294967295.

Information to attach

lxc info ``` config: core.https_address: '[::]:8443' core.trust_password: true api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - macaroon_authentication - network_sriov - console - restrict_devlxd - migration_pre_copy - infiniband - maas_network - devlxd_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - devlxd_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - candid_authentication - backup_compression - candid_config - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - candid_config_key - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - snapshot_schedule_aliases - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - rbac - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency - custom_block_volumes - clustering_failure_domains - resources_gpu_mdev - console_vga_type - projects_limits_disk - network_type_macvlan - network_type_sriov - container_syscall_intercept_bpf_devices - network_type_ovn - projects_networks - projects_networks_restricted_uplinks - custom_volume_backup - backup_override_name - storage_rsync_compression - network_type_physical - network_ovn_external_subnets - network_ovn_nat - network_ovn_external_routes_remove - tpm_device_type - storage_zfs_clone_copy_rebase - gpu_mdev - resources_pci_iommu - resources_network_usb - resources_disk_address - network_physical_ovn_ingress_mode - network_ovn_dhcp - network_physical_routes_anycast - projects_limits_instances - network_state_vlan - instance_nic_bridged_port_isolation - instance_bulk_state_change - network_gvrp - instance_pool_move - gpu_sriov - pci_device_type - storage_volume_state - network_acl - migration_stateful - disk_state_quota - storage_ceph_features - projects_compression - projects_images_remote_cache_expiry - certificate_project - network_ovn_acl - projects_images_auto_update - projects_restricted_cluster_target - images_default_architecture - network_ovn_acl_defaults - gpu_mig - project_usage - network_bridge_acl - warnings - projects_restricted_backups_and_snapshots - clustering_join_token - clustering_description - server_trusted_proxy - clustering_update_cert - storage_api_project - server_instance_driver_operational - server_supported_storage_drivers - event_lifecycle_requestor_address - resources_gpu_usb - clustering_evacuation - network_ovn_nat_address - network_bgp - network_forward - custom_volume_refresh - network_counters_errors_dropped - metrics - image_source_project - clustering_config - network_peer - linux_sysctl - network_dns - ovn_nic_acceleration - certificate_self_renewal - instance_project_move - storage_volume_project_move - cloud_init - network_dns_nat - database_leader - instance_all_projects - clustering_groups - ceph_rbd_du - instance_get_full - qemu_metrics - gpu_mig_uuid - event_project - clustering_evacuation_live - instance_allow_inconsistent_copy - network_state_ovn - storage_volume_api_filtering - image_restrictions - storage_zfs_export - network_dns_records - storage_zfs_reserve_space - network_acl_log - storage_zfs_blocksize - metrics_cpu_seconds - instance_snapshot_never - certificate_token - instance_nic_routed_neighbor_probe - event_hub - agent_nic_config - projects_restricted_intercept - metrics_authentication - images_target_project - cluster_migration_inconsistent_copy - cluster_ovn_chassis - container_syscall_intercept_sched_setscheduler - storage_lvm_thinpool_metadata_size - storage_volume_state_total - instance_file_head - instances_nic_host_name - image_copy_profile - container_syscall_intercept_sysinfo - clustering_evacuation_mode - resources_pci_vpd - qemu_raw_conf - storage_cephfs_fscache - network_load_balancer - vsock_api - instance_ready_state - network_bgp_holdtime - storage_volumes_all_projects - metrics_memory_oom_total - storage_buckets - storage_buckets_create_credentials - metrics_cpu_effective_total - projects_networks_restricted_access - storage_buckets_local - loki - acme - internal_metrics - cluster_join_token_expiry - remote_token_expiry - init_preseed - storage_volumes_created_at - cpu_hotplug - projects_networks_zones - network_txqueuelen - cluster_member_state - instances_placement_scriptlet - storage_pool_source_wipe - zfs_block_mode - instance_generation_id - disk_io_cache - amd_sev - storage_pool_loop_resize - migration_vm_live - ovn_nic_nesting - oidc - network_ovn_l3only - ovn_nic_acceleration_vdpa - cluster_healing - instances_state_total - auth_user - security_csm - instances_rebuild - numa_cpu_placement - custom_volume_iso - network_allocations - storage_api_remote_volume_snapshot_copy - zfs_delegate - operations_get_query_all_projects - metadata_configuration - syslog_socket api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls auth_user_name: kfaint auth_user_method: unix environment: addresses: - 172.27.82.34:8443 - 192.168.2.254:8443 - 172.17.0.1:8443 - 10.10.10.1:8443 - '[fd42:632b:873a:319e::1]:8443' architectures: - x86_64 - i686 certificate: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- certificate_fingerprint: f40a5dcfddbe947ec36e542fbdfc507b66203bab9bc6b7c2597086c56030cd53 driver: lxc | qemu driver_version: 5.0.3 | 8.0.4 firewall: nftables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "true" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 6.2.0-33-generic lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Ubuntu os_version: "22.04" project: default server: lxd server_clustered: false server_event_mode: full-mesh server_name: TAP0001367 server_pid: 2932407 server_version: "5.18" storage: zfs | btrfs storage_version: 2.1.9-2ubuntu1.1 | 5.16.2 storage_supported_drivers: - name: cephobject version: 17.2.6 remote: true - name: dir version: "1" remote: false - name: lvm version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.47.0 remote: false - name: zfs version: 2.1.9-2ubuntu1.1 remote: false - name: btrfs version: 5.16.2 remote: false - name: ceph version: 17.2.6 remote: true - name: cephfs version: 17.2.6 remote: true ```
lxc info c1 --show-log ``` Name: c1 Status: STOPPED Type: container Architecture: x86_64 Created: 2023/10/23 15:16 AEST Last Used: 2023/10/23 15:16 AEST Log: lxc c1 20231023051651.210 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051651.210 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051651.213 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051651.213 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051651.214 WARN cgfsng - ../src/src/lxc/cgroups/cgfsng.c:fchowmodat:1619 - No such file or directory - Failed to fchownat(42, memory.oom.group, 1000000000, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW ) lxc c1 20231023051651.215 WARN cgfsng - ../src/src/lxc/cgroups/cgfsng.c:fchowmodat:1619 - No such file or directory - Failed to fchownat(42, memory.reclaim, 1000000000, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW ) lxc c1 20231023051718.738 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051718.738 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051734.123 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051734.123 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051755.119 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051755.119 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051903.198 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051903.198 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051922.415 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051922.415 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051937.202 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051937.202 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051949.134 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051949.134 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c1 20231023051952.119 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c1 20231023051952.119 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing ```
lxc info c2 --show-log ``` Name: c2 Status: RUNNING Type: container Architecture: x86_64 PID: 1108042 Created: 2023/10/23 15:20 AEST Last Used: 2023/10/23 15:21 AEST Resources: Processes: 13 Disk usage: root: 3.69MiB CPU usage: CPU usage (in seconds): 1 Memory usage: Memory (current): 56.62MiB Memory (peak): 61.65MiB Network usage: eth0: Type: broadcast State: UP Host interface: veth716f6a11 MAC address: 00:16:3e:35:f6:14 MTU: 1500 Bytes received: 14.10kB Bytes sent: 3.50kB Packets received: 83 Packets sent: 35 IP addresses: inet: 10.10.10.40/24 (global) inet6: fd42:632b:873a:319e:216:3eff:fe35:f614/64 (global) inet6: fe80::216:3eff:fe35:f614/64 (link) lo: Type: loopback State: UP MTU: 65536 Bytes received: 0B Bytes sent: 0B Packets received: 0 Packets sent: 0 IP addresses: inet: 127.0.0.1/8 (local) inet6: ::1/128 (local) Log: lxc c2 20231023052105.390 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c2 20231023052105.390 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c2 20231023052105.392 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c2 20231023052105.392 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing lxc c2 20231023052105.394 WARN cgfsng - ../src/src/lxc/cgroups/cgfsng.c:fchowmodat:1619 - No such file or directory - Failed to fchownat(42, memory.oom.group, 1000000000, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW ) lxc c2 20231023052105.394 WARN cgfsng - ../src/src/lxc/cgroups/cgfsng.c:fchowmodat:1619 - No such file or directory - Failed to fchownat(42, memory.reclaim, 1000000000, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW ) lxc c2 20231023052112.422 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3621 - newuidmap binary is missing lxc c2 20231023052112.422 WARN conf - ../src/src/lxc/conf.c:lxc_map_ids:3627 - newgidmap binary is missing ```
lxc config show c1 --expanded ``` architecture: x86_64 config: image.architecture: amd64 image.description: Ubuntu jammy amd64 (20231022_07:42) image.os: Ubuntu image.release: jammy image.serial: "20231022_07:42" image.type: squashfs image.variant: default volatile.base_image: 2fb5bae1e9f95a14855d5c3afc1d0f55c24718dc1e2db03b18a48b1e33137756 volatile.cloud-init.instance-id: 330f476b-fe1f-4835-9a51-1cb0b8af0238 volatile.eth0.hwaddr: 00:16:3e:92:b3:2d volatile.idmap.base: "0" volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.power: STOPPED volatile.last_state.ready: "false" volatile.uuid: 20050700-5554-4d67-8ec0-996a13c467c6 volatile.uuid.generation: 20050700-5554-4d67-8ec0-996a13c467c6 devices: eth0: name: eth0 network: lxdbr0 type: nic root: path: / pool: default type: disk ephemeral: false profiles: - default stateful: false description: "" ```
lxc config show c2 --expanded ``` architecture: x86_64 config: image.architecture: amd64 image.description: Ubuntu jammy amd64 (20231022_07:42) image.name: ubuntu-jammy-amd64-default-20231022_07:42 image.os: ubuntu image.release: jammy image.serial: "20231022_07:42" image.variant: default volatile.base_image: ad7f2ecc32d26416a6b59b65f4fb3061a5490e1658b06a8ddfec3cee77c6e016 volatile.cloud-init.instance-id: 652b930e-3a74-435a-abad-4b0b6a167cbe volatile.eth0.host_name: veth716f6a11 volatile.eth0.hwaddr: 00:16:3e:35:f6:14 volatile.idmap.base: "0" volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.power: RUNNING volatile.uuid: 907b6213-d440-49d5-9867-4450aad1940c volatile.uuid.generation: 907b6213-d440-49d5-9867-4450aad1940c devices: eth0: name: eth0 network: lxdbr0 type: nic root: path: / pool: default type: disk ephemeral: false profiles: - default stateful: false description: "" ```
simondeziel commented 10 months ago

4294967295 is 2**32-1 which is suspicious. I tried changing the zpool's aclmode and aclinherit to passthrough to no avail, only the first ACL has the group ID preserved properly.

However, if the zfs image is published and then restored to btrfs, all the group IDs are preserved fine:

# c1 is on ZFS
$ lxc exec c1 -- getfacl -n foo
# file: foo
# owner: 0
# group: 0
user::rw-
group::r--
group:4:rwx
group:1001:rwx
group:1002:rwx
mask::rwx
other::r--

$ lxc publish c1
Instance published with fingerprint: b8ad7655b6c55d67b9d8789c489fcd93f5fc0399d2e0392df02c7e9403e92238

# c2 is on BTRFS
$ lxc launch b8ad7655b6c55d67b9d8789c489fcd93f5fc0399d2e0392df02c7e9403e92238 c2 -s btrfs
Creating c2
Starting c2

$ lxc exec c2 -- getfacl -n foo
# file: foo
# owner: 0
# group: 0
user::rw-
group::r--
group:4:rwx
group:1001:rwx
group:1002:rwx
mask::rwx
other::r--

Interestingly, if instead of lxc publish + lxc launch we lxc copy c1 c2, zfs has no issue:

# c1 and c2 are both on ZFS
$ lxc copy c1 c2
$ lxc start c2
$ lxc exec c2 -- getfacl -n foo
# file: foo
# owner: 0
# group: 0
user::rw-
group::r--
group:4:rwx
group:1001:rwx
group:1002:rwx
mask::rwx
other::r--