lxd cannot launch (useable) oracular container under focal's kernel

[waveform80]

Required information

• Distribution: Ubuntu

• Distribution version: 20.04 (focal)

• The output of "snap list --all lxd core20 core22 core24 snapd":

  root@focalvm:~# snap list --all lxd core20 core22 core24 snapd    
  Name    Version         Rev    Tracking       Publisher   Notes
  core20  20240416        2321   latest/stable  canonical✓  base
  core22  20240408        1383   latest/stable  canonical✓  base
  lxd     5.21.2-34459c8  29579  6.1/stable     canonical✓  disabled
  lxd     6.1-c14927a     29581  6.1/stable     canonical✓  -
  snapd   2.63            21761  latest/stable  canonical✓  snapd

• The output of "lxc info" or if that fails:

  config: {}
  api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_stop_priority
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
  - id_map_base
  - file_symlinks
  - container_push_target
  - network_vlan_physical
  - storage_images_delete
  - container_edit_metadata
  - container_snapshot_stateful_migration
  - storage_driver_ceph
  - storage_ceph_user_name
  - resource_limits
  - storage_volatile_initial_source
  - storage_ceph_force_osd_reuse
  - storage_block_filesystem_btrfs
  - resources
  - kernel_limits
  - storage_api_volume_rename
  - network_sriov
  - console
  - restrict_devlxd
  - migration_pre_copy
  - infiniband
  - maas_network
  - devlxd_events
  - proxy
  - network_dhcp_gateway
  - file_get_symlink
  - network_leases
  - unix_device_hotplug
  - storage_api_local_volume_handling
  - operation_description
  - clustering
  - event_lifecycle
  - storage_api_remote_volume_handling
  - nvidia_runtime
  - container_mount_propagation
  - container_backup
  - devlxd_images
  - container_local_cross_pool_handling
  - proxy_unix
  - proxy_udp
  - clustering_join
  - proxy_tcp_udp_multi_port_handling
  - network_state
  - proxy_unix_dac_properties
  - container_protection_delete
  - unix_priv_drop
  - pprof_http
  - proxy_haproxy_protocol
  - network_hwaddr
  - proxy_nat
  - network_nat_order
  - container_full
  - backup_compression
  - nvidia_runtime_config
  - storage_api_volume_snapshots
  - storage_unmapped
  - projects
  - network_vxlan_ttl
  - container_incremental_copy
  - usb_optional_vendorid
  - snapshot_scheduling
  - snapshot_schedule_aliases
  - container_copy_project
  - clustering_server_address
  - clustering_image_replication
  - container_protection_shift
  - snapshot_expiry
  - container_backup_override_pool
  - snapshot_expiry_creation
  - network_leases_location
  - resources_cpu_socket
  - resources_gpu
  - resources_numa
  - kernel_features
  - id_map_current
  - event_location
  - storage_api_remote_volume_snapshots
  - network_nat_address
  - container_nic_routes
  - cluster_internal_copy
  - seccomp_notify
  - lxc_features
  - container_nic_ipvlan
  - network_vlan_sriov
  - storage_cephfs
  - container_nic_ipfilter
  - resources_v2
  - container_exec_user_group_cwd
  - container_syscall_intercept
  - container_disk_shift
  - storage_shifted
  - resources_infiniband
  - daemon_storage
  - instances
  - image_types
  - resources_disk_sata
  - clustering_roles
  - images_expiry
  - resources_network_firmware
  - backup_compression_algorithm
  - ceph_data_pool_name
  - container_syscall_intercept_mount
  - compression_squashfs
  - container_raw_mount
  - container_nic_routed
  - container_syscall_intercept_mount_fuse
  - container_disk_ceph
  - virtual-machines
  - image_profiles
  - clustering_architecture
  - resources_disk_id
  - storage_lvm_stripes
  - vm_boot_priority
  - unix_hotplug_devices
  - api_filtering
  - instance_nic_network
  - clustering_sizing
  - firewall_driver
  - projects_limits
  - container_syscall_intercept_hugetlbfs
  - limits_hugepages
  - container_nic_routed_gateway
  - projects_restrictions
  - custom_volume_snapshot_expiry
  - volume_snapshot_scheduling
  - trust_ca_certificates
  - snapshot_disk_usage
  - clustering_edit_roles
  - container_nic_routed_host_address
  - container_nic_ipvlan_gateway
  - resources_usb_pci
  - resources_cpu_threads_numa
  - resources_cpu_core_die
  - api_os
  - container_nic_routed_host_table
  - container_nic_ipvlan_host_table
  - container_nic_ipvlan_mode
  - resources_system
  - images_push_relay
  - network_dns_search
  - container_nic_routed_limits
  - instance_nic_bridged_vlan
  - network_state_bond_bridge
  - usedby_consistency
  - custom_block_volumes
  - clustering_failure_domains
  - resources_gpu_mdev
  - console_vga_type
  - projects_limits_disk
  - network_type_macvlan
  - network_type_sriov
  - container_syscall_intercept_bpf_devices
  - network_type_ovn
  - projects_networks
  - projects_networks_restricted_uplinks
  - custom_volume_backup
  - backup_override_name
  - storage_rsync_compression
  - network_type_physical
  - network_ovn_external_subnets
  - network_ovn_nat
  - network_ovn_external_routes_remove
  - tpm_device_type
  - storage_zfs_clone_copy_rebase
  - gpu_mdev
  - resources_pci_iommu
  - resources_network_usb
  - resources_disk_address
  - network_physical_ovn_ingress_mode
  - network_ovn_dhcp
  - network_physical_routes_anycast
  - projects_limits_instances
  - network_state_vlan
  - instance_nic_bridged_port_isolation
  - instance_bulk_state_change
  - network_gvrp
  - instance_pool_move
  - gpu_sriov
  - pci_device_type
  - storage_volume_state
  - network_acl
  - migration_stateful
  - disk_state_quota
  - storage_ceph_features
  - projects_compression
  - projects_images_remote_cache_expiry
  - certificate_project
  - network_ovn_acl
  - projects_images_auto_update
  - projects_restricted_cluster_target
  - images_default_architecture
  - network_ovn_acl_defaults
  - gpu_mig
  - project_usage
  - network_bridge_acl
  - warnings
  - projects_restricted_backups_and_snapshots
  - clustering_join_token
  - clustering_description
  - server_trusted_proxy
  - clustering_update_cert
  - storage_api_project
  - server_instance_driver_operational
  - server_supported_storage_drivers
  - event_lifecycle_requestor_address
  - resources_gpu_usb
  - clustering_evacuation
  - network_ovn_nat_address
  - network_bgp
  - network_forward
  - custom_volume_refresh
  - network_counters_errors_dropped
  - metrics
  - image_source_project
  - clustering_config
  - network_peer
  - linux_sysctl
  - network_dns
  - ovn_nic_acceleration
  - certificate_self_renewal
  - instance_project_move
  - storage_volume_project_move
  - cloud_init
  - network_dns_nat
  - database_leader
  - instance_all_projects
  - clustering_groups
  - ceph_rbd_du
  - instance_get_full
  - qemu_metrics
  - gpu_mig_uuid
  - event_project
  - clustering_evacuation_live
  - instance_allow_inconsistent_copy
  - network_state_ovn
  - storage_volume_api_filtering
  - image_restrictions
  - storage_zfs_export
  - network_dns_records
  - storage_zfs_reserve_space
  - network_acl_log
  - storage_zfs_blocksize
  - metrics_cpu_seconds
  - instance_snapshot_never
  - certificate_token
  - instance_nic_routed_neighbor_probe
  - event_hub
  - agent_nic_config
  - projects_restricted_intercept
  - metrics_authentication
  - images_target_project
  - cluster_migration_inconsistent_copy
  - cluster_ovn_chassis
  - container_syscall_intercept_sched_setscheduler
  - storage_lvm_thinpool_metadata_size
  - storage_volume_state_total
  - instance_file_head
  - instances_nic_host_name
  - image_copy_profile
  - container_syscall_intercept_sysinfo
  - clustering_evacuation_mode
  - resources_pci_vpd
  - qemu_raw_conf
  - storage_cephfs_fscache
  - network_load_balancer
  - vsock_api
  - instance_ready_state
  - network_bgp_holdtime
  - storage_volumes_all_projects
  - metrics_memory_oom_total
  - storage_buckets
  - storage_buckets_create_credentials
  - metrics_cpu_effective_total
  - projects_networks_restricted_access
  - storage_buckets_local
  - loki
  - acme
  - internal_metrics
  - cluster_join_token_expiry
  - remote_token_expiry
  - init_preseed
  - storage_volumes_created_at
  - cpu_hotplug
  - projects_networks_zones
  - network_txqueuelen
  - cluster_member_state
  - instances_placement_scriptlet
  - storage_pool_source_wipe
  - zfs_block_mode
  - instance_generation_id
  - disk_io_cache
  - amd_sev
  - storage_pool_loop_resize
  - migration_vm_live
  - ovn_nic_nesting
  - oidc
  - network_ovn_l3only
  - ovn_nic_acceleration_vdpa
  - cluster_healing
  - instances_state_total
  - auth_user
  - security_csm
  - instances_rebuild
  - numa_cpu_placement
  - custom_volume_iso
  - network_allocations
  - storage_api_remote_volume_snapshot_copy
  - zfs_delegate
  - operations_get_query_all_projects
  - metadata_configuration
  - syslog_socket
  - event_lifecycle_name_and_project
  - instances_nic_limits_priority
  - disk_initial_volume_configuration
  - operation_wait
  - cluster_internal_custom_volume_copy
  - disk_io_bus
  - storage_cephfs_create_missing
  - instance_move_config
  - ovn_ssl_config
  - init_preseed_storage_volumes
  - metrics_instances_count
  - server_instance_type_info
  - resources_disk_mounted
  - server_version_lts
  - oidc_groups_claim
  - loki_config_instance
  - storage_volatile_uuid
  - import_instance_devices
  - instances_uefi_vars
  - instances_migration_stateful
  - container_syscall_filtering_allow_deny_syntax
  - access_management
  - vm_disk_io_limits
  - storage_volumes_all
  - instances_files_modify_permissions
  - image_restriction_nesting
  - container_syscall_intercept_finit_module
  - device_usb_serial
  - network_allocate_external_ips
  - explicit_trust_token
  api_status: stable
  api_version: "1.0"
  auth: trusted
  public: false
  auth_methods:
  - tls
  auth_user_name: root
  auth_user_method: unix
  environment:
  addresses: []
  architectures:
  - aarch64
  - armv6l
  - armv7l
  - armv8l
  certificate: |
  -----BEGIN CERTIFICATE-----
  MIICBzCCAY2gAwIBAgIRAKTCZ5ZV4ucilz7PXed9F9swCgYIKoZIzj0EAwMwNTEc
  MBoGA1UEChMTbGludXhjb250YWluZXJzLm9yZzEVMBMGA1UEAwwMcm9vdEBmb2Nh
  bHZtMB4XDTI0MDczMDEyNTc1NloXDTM0MDcyODEyNTc1NlowNTEcMBoGA1UEChMT
  bGludXhjb250YWluZXJzLm9yZzEVMBMGA1UEAwwMcm9vdEBmb2NhbHZtMHYwEAYH
  KoZIzj0CAQYFK4EEACIDYgAErlLf6irmDjvScuX6Q3ZiMhyXsxXiwpWokDZDDFiM
  T1T6VYtffB1ZF1DhLMiMjd5UnA8P8zLE4/QyGiyVM9vXNAc7hgOp8C3bQcLBuwFY
  GMVt5oMsWtDxIU1i54XTmZAto2EwXzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww
  CgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAqBgNVHREEIzAhggdmb2NhbHZthwR/
  AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2gAMGUCMQDCd8HGkCEC
  T1J3wJS/9nsx/d1+AXh2GXeNzrNwLrTItAGG+bv4R7ywCLi1EB+4mbMCMB3aTu7P
  ioaOQaWjQXnXif2HRG26rEUMOBmxLF1hu/BpcE2V7mrc6iDuwbwXCYJtVg==
  -----END CERTIFICATE-----
  certificate_fingerprint: d8eb81383c140b0f1ff80c6ce95b58493b90aef579d9817187d6706c27061d08
  driver: lxc
  driver_version: 6.0.0
  instance_types:
  - container
  firewall: nftables
  kernel: Linux
  kernel_architecture: aarch64
  kernel_features:
  idmapped_mounts: "false"
  netnsid_getifaddrs: "true"
  seccomp_listener: "true"
  seccomp_listener_continue: "true"
  uevent_injection: "true"
  unpriv_fscaps: "true"
  kernel_version: 5.4.0-190-generic
  lxc_features:
  cgroup2: "true"
  core_scheduling: "true"
  devpts_fd: "true"
  idmapped_mounts_v2: "true"
  mount_injection_file: "true"
  network_gateway_device_route: "true"
  network_ipvlan: "true"
  network_l2proxy: "true"
  network_phys_macvlan_mtu: "true"
  network_veth_router: "true"
  pidfd: "true"
  seccomp_allow_deny_syntax: "true"
  seccomp_notify: "true"
  seccomp_proxy_send_notify_fd: "true"
  os_name: Ubuntu
  os_version: "20.04"
  project: default
  server: lxd
  server_clustered: false
  server_event_mode: full-mesh
  server_name: focalvm
  server_pid: 938
  server_version: "6.1"
  server_lts: false
  storage: dir
  storage_version: "1"
  storage_supported_drivers:
  - name: ceph
  version: 17.2.7
  remote: true
  - name: cephfs
  version: 17.2.7
  remote: true
  - name: cephobject
  version: 17.2.7
  remote: true
  - name: dir
  version: "1"
  remote: false
  - name: lvm
  version: 2.03.11(2) (2021-01-08) / 1.02.175 (2021-01-08) / 4.41.0
  remote: false
  - name: powerflex
  version: 1.16 (nvme-cli)
  remote: true
  - name: btrfs
  version: 5.16.2
  remote: false

Issue description

(Copied from LP: #2075176)

We've been encountering an issue with building the Ubuntu for Raspberry Pi images for oracular for the past couple of weeks:

https://launchpad.net/~ubuntu-cdimage/+livefs/ubuntu/oracular/ubuntu-preinstalled

It turns out the root issue is that the builders are running focal (kernel version 5.4), the build occurs under lxd (in an oracular container), and (peculiarly to this particular build, which uses ubuntu-image) the build requires snapd to be operational within the oracular container.

Steps to reproduce

As this occurred with our Raspberry Pi images under arm64, I'm replicating on a Pi here too, but I'd be interested to know if this also fails on PC archs. I'm using noble on the hardware itself, and demonstrating the issue within a focal VM:

user@host:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04 LTS
Release:        24.04
Codename:       noble
user@host:~$ lxc launch ubuntu:f focalvm
user@host:~$ lxc exec focalvm bash
root@focalvm:~# lxd init
# Run through the usual lxd configuration
root@focalvm:~# lxc launch ubuntu-daily:o oractest -c security.nesting=true
root@focalvm:~# lxc exec oractest bash
root@oractest:~# snap list
... cannot communicate with server: Get "http://localhost/v2/snaps": dial unix /run/snapd.socket: connect: connection refused

The test (and indeed the image build, ultimately) work happily if performed under jammy's kernel (5.15). Also worth noting I am using the security.nesting workaround, and that I've tried lxc 4.0, 5.21, and 6.1 within the focal VM but all fail.

Information to attach

• [ ] Any relevant kernel output (dmesg)
• [x] Container log (lxc info NAME --show-log) lxc-info-orac-test.log
• [x] Container configuration (lxc config show NAME --expanded) lxc-config-show-orac-test.log
• [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
• [ ] Output of the client with --debug
• [ ] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue)

[tomponline]

Most likely related to https://github.com/canonical/lxd/issues/13810, we are still in the process of applying the necessary fixes to the LXD snap in order to get sufficient apparmor support. You can try latest/edge snap channel right now which has it.

However im not sure if the Focal kernel has the necessary support either, so will have to try it.

[tomponline]

Also worth noting I am using the security.nesting workaround, and that I've tried lxc 4.0, 5.21, and 6.1 within the focal VM but all fail.

So that would suggest it wont be possible to get Oracular starting using the Focal kernel using the existing fixes as it seems to lack the sufficient support. This sounds like an unrelated issue.

[tomponline]

But do please try latest/edge if you can and let us know if works.

[waveform80]

Tried with latest/edge within the focal VM, but it's the same story I'm afraid (can post logs and info if requested, but it's all the same symptoms so I imagine they're all pretty similar to the stuff already posted)

[tomponline]

Please could you see if there are any DENIED errors in journalctl on the host to see if apparmor is blocking something (using latest/edge), then we'll know if its the original issue and lack of kernel support means we cant apply the updated apparmor profile.

[waveform80]

Sure, I've attached the dmesg output with latest/edge lxd under the 5.4 focal VM (adding a ---- START HERE ---- marker indicating where I started the container). Unfortunately it doesn't look terribly interesting to me -- nothing denied by apparmor, though there is one note about disabling a cgroup2 socket.

lxc-dmesg.log

[tomponline]

@waveform80 ah so no apparmor denials, I wonder if this is due to cgroupv1 in Focal, whereas systemd in Oracular probably requires cgroupv2.

[tomponline]

I did some research into this and it works with Focal's HWE kernel and enabling cgroupv2 using:

systemd.unified_cgroup_hierarchy=1

So that confirms its related to lack of cgroupv1 support in systemd (as Oracular comes with systemd v256).

These look relevant:

• https://github.com/systemd/systemd/issues/30852
• https://github.com/systemd/systemd/pull/31442

[tomponline]

I tried lxc config set c1 raw.lxc="lxc.init.cmd = /sbin/init SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" and that didn't work either, although I can see systemd was started with that argument:

root@c1:~# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  1.3  21192 13204 ?        Ss   09:32   0:00 /sbin/init SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1
root          81  0.0  0.3   9820  3796 pts/1    Ss   09:32   0:00 su -l
root          82  0.0  0.5   9708  5868 pts/1    S    09:32   0:00 -bash
root          94  0.0  0.3   8780  3864 pts/1    R+   09:32   0:00 ps aux

[tomponline]

So from what we know so far we need:

• Kernel 5.15.0-117-generic onwards (to get cgroupv2 support) - the Focal HWE kernel from Jammy.
• cgroupv2 support enabled via systemd.unified_cgroup_hierarchy=1
• LXD 6.1 or 5.21 using latest/stable or 5.21/stable channel.

This works on a Focal host.

[mihalicyn]

I can confirm that it doesn't work on Focal kernel at all.

root@o:~# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.1  1.4  22028 14152 ?        Ss   11:29   0:01 /sbin/init SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.unified_cgroup_hierarchy=0 systemd.log_level=debug
root          78  0.0  0.3   9944  3916 pts/1    Ss   11:52   0:00 su -l
root          79  0.0  0.6  10064  6392 pts/1    S    11:52   0:00 -bash
root         434  0.0  0.3   8856  3864 pts/1    R+   12:09   0:00 ps aux
root@o:~# uname -a
Linux o 5.4.0-1119-kvm #127-Ubuntu SMP Fri Aug 9 09:40:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

I tried to debug this with strace but there are too many errors here and there and it's quite hard to distinguish what is important and what is not. I would say that there is no perspective to make it work as it requires kernel modification or systemd modification.

Nothing that we can do from the LXD side.

I noticed that systemd actively uses xattrs on cgroupfs but they are no supported in Focal kernel, I don't know if this is a blocker for systemd to start or not.

So if it's something we really want to get fixed I'm ready to allocate like a week for that and dive into systemd internals to figure out what's specifically missing in the kernel, but it's not something that can be fixed on the LXD side anyways.

I can confirm that apt install linux-image-generic-hwe-20.04 helps to make it work. So, kernel 5.15 is enough to make it work.

[tomponline]

Thanks for digging into it.

Unless there is a specific request for it I think we can stick with the requirements described here:

https://github.com/canonical/lxd/issues/13844#issuecomment-2268632337