cmspam / incus-docker

A project to run incus in docker/podman
Apache License 2.0

dnsmasq: ... permission denied upon incus admin init #3

Closed ghost closed 6 months ago

ghost commented 6 months ago

Hi.

I set up Incus Docker with Podman Quadlet:

```ini
[Unit]
Description=Incus - modern, secure and powerful system container and virtual machine manager
After=local-fs.target network-online.target time-sync.target

[Container]
ContainerName=incus-pod
Image=ghcr.io/cmspam/incus-docker:latest
AutoUpdate=registry
Network=host
PodmanArgs=--cgroupns host --cgroups no-conmon --privileged
Unmask=/sys/fs/cgroup
Volume=/sys/fs/cgroup:/sys/fs/cgroup:rw
Volume=/dev:/dev
Volume=/var/lib/incus:/var/lib/incus
Volume=/lib/modules:/lib/modules:ro

[Service]
TimeoutStartSec=900
Restart=always

[Install]
WantedBy=default.target
```

and installed the binary into /usr/local/bin on the host machine. Everything is running.

When I enter incus admin init I get the following error:

Error: Failed to create local member network "incusbr0" in project "default": The DNS and DHCP service exited prematurely: exit status 3 ("dnsmasq: cannot read /var/lib/incus/networks/incusbr0/dnsmasq.raw: Permission denied")

I created /var/lib/incus as root on the host machine.

What am I missing? Or is it an issue?

System: openSUSE Tumbleweed (latest)
Podman: 5.0.2

Thanks in advance, Magnus.

cmspam commented 6 months ago

Hello,

Well, it seems to be a permissions issue. It might help if you can check the file permissions of /var/lib/incus/networks/incusbr0/dnsmasq.raw and be sure that it can be accessed by the user you are running 'incus admin init' as -- I think you'll need to run it as root if you are not already.

Maybe you can try running incus admin init from the container:

  1. podman exec -it incus-pod bash
  2. incus admin init

And see if there is a difference?

The other thing I can think of is: maybe there is something like SELinux or AppArmor interfering with permissions?

I will try to recreate your environment. (see below)

cmspam commented 6 months ago

So, I tried on an openSUSE Tumbleweed (MicroOS) VM with the same Podman version, used your quadlet file exactly, downloaded the incus binary and put it at /usr/local/bin, ran incus admin init as root, created the bridge, and everything worked... This setup has SELinux enforcing, but not AppArmor, in case it is relevant.

Perhaps you can destroy the /var/lib/incus folder and recreate it, and try again, if the above doesn't work. In case it helps, here are the permissions I have on my working install for the /var/lib/incus/networks folder:

```
microos:~ # ls -l /var/lib/incus/networks/
total 0
drwx--x--x. 1 root root 98 Apr 28 23:26 incusbr0
microos:~ # ls -l /var/lib/incus/networks/incusbr0/
total 12
drwxr-xr-x. 1 root root   0 Apr 28 23:26 dnsmasq.hosts
-rw-r--r--. 1 root root  47 Apr 28 23:26 dnsmasq.leases
-rw-r--r--. 1 root root 863 Apr 28 23:26 dnsmasq.pid
-rw-r--r--. 1 root root   1 Apr 28 23:26 dnsmasq.raw
microos:~ #
```

cmspam commented 6 months ago

I just managed to recreate your issue on tumbleweed, non-microos version. I will find a fix for you.

ghost commented 6 months ago

Hi.

Thanks, Mr. Superfast ;-) This is gorgeous.

I switched off AppArmor, rebooted - and it worked. I should have found out this by myself... Thanks for the hint!

So I have to figure out an AppArmor profile for this or adapt the Security Options of the Quadlet file.

If you get a better fix, let me know.

cmspam commented 6 months ago

> Hi.
>
> Thanks, Mr. Superfast ;-) This is gorgeous.
>
> I switched off AppArmor, rebooted - and it worked. I should have found out this by myself... Thanks for the hint!
>
> So I have to figure out an AppArmor profile for this or adapt the Security Options of the Quadlet file.
>
> If you get a better fix, let me know.

Yes, I found the correct fix. It is an AppArmor problem. Please edit the file `/etc/apparmor.d/usr.sbin.dnsmasq`.

You will find a line like the one below; for me it was line 56 or so:

`/var/log/dnsmasq*.log w,`

Under that line, please add:

`/var/lib/incus/** rw,`

Then do `systemctl restart apparmor`.

Now, it will work, with apparmor enabled.

I will add this information to the readme.
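Added example (not code from the issue or the incus-docker project): a small Python model of AppArmor path-rule matching that shows why dnsmasq is denied reading dnsmasq.raw under the stock rules and that the `/var/lib/incus/** rw,` rule from the fix covers it, which is worth checking before reloading a profile. The profile text is a constructed excerpt, and the matcher ignores `#include` files, `owner` qualifiers and `deny` rules.

```python
import re

# Constructed excerpt in the style of /etc/apparmor.d/usr.sbin.dnsmasq
# (not the real profile): the rule the issue refers to, before the fix.
PROFILE_BEFORE = """
  /var/log/dnsmasq*.log w,
  /var/lib/misc/dnsmasq.leases rw,
"""
# Same excerpt with the rule from the fix added under the dnsmasq log line.
PROFILE_AFTER = PROFILE_BEFORE + "  /var/lib/incus/** rw,\n"

# One file rule: an absolute path glob, permission letters, trailing comma.
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(pattern: str) -> "re.Pattern":
    """AppArmor path globbing: '**' may cross '/', '*' and '?' may not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
        i += 1
    return re.compile("^" + out + "$")

def parse_rules(profile: str) -> list:
    """Return (compiled glob, permission set) for every file rule in the text."""
    rules = []
    for line in profile.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules

def permits(profile: str, path: str, mode: str) -> bool:
    """True when the rules matching `path` together grant every letter in `mode`."""
    granted = set()  # AppArmor accumulates permissions across matching rules
    for rx, perms in parse_rules(profile):
        if rx.match(path):
            granted |= perms
    return set(mode) <= granted
```

Running `permits(PROFILE_BEFORE, "/var/lib/incus/networks/incusbr0/dnsmasq.raw", "r")` reproduces the denial; the same call against `PROFILE_AFTER` succeeds.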

ghost commented 6 months ago

You made my day.

Thank you so much! 👍🏽

cmspam commented 6 months ago

I'm happy to get it working. 👍

cmspam commented 6 months ago

One other note: it seems that if you add

`Volume=/sys/kernel/security:/sys/kernel/security`

to your mounts, you can get Incus's AppArmor support to secure the containers. You probably currently have an "Apparmor Support not included in kernel" kind of warning in your logs; that will rectify it.