Error while snap installing lxd on Fedora 29


#1

I’m following the Build on LXD guide but I get an error.

When I try to install LXD, specifically with this command sudo snap install lxd I get an error on Fedora 29:

error: cannot perform the following tasks:

  • Start snap “lxd” (9664) services ([start snap.lxd.daemon.unix.socket] failed with exit status 1: Job for snap.lxd.daemon.unix.socket failed.
    See “systemctl status snap.lxd.daemon.unix.socket” and “journalctl -xe” for details.
    )

#2

Anything in the journal that would suggest SELinux is blocking this? Can you check ausearch -m AVC perhaps?


#3

I get:

Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)

What does it mean?


#4

Try running the command with superuser privileges


#5

It could solve the problem, but why did SELinux block it in the first place?

Are there any possible security problems if I execute it as root?


#6

I checked this locally in Fedora cloud image:

Dec 12 07:31:17 localhost audit[3195]: AVC avc:  denied  { execute_no_trans } for  pid=3195 comm="snap-confine" path="/usr/lib/snapd/snap-exec" dev="loop0" ino=6448 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 12 07:31:17 localhost audit[3195]: AVC avc:  denied  { map } for  pid=3195 comm="snap-exec" path="/usr/lib/snapd/snap-exec" dev="loop0" ino=6448 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 12 07:31:17 localhost audit[1]: AVC avc:  denied  { write } for  pid=1 comm="systemd" name="lxd" dev="vda1" ino=149648 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=0
Dec 12 07:31:17 localhost systemd[1]: Failed to create listening socket: Permission denied
Dec 12 07:31:17 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed to listen on sockets: Permission denied
Dec 12 07:31:17 localhost systemd[1]: snap.lxd.daemon.unix.socket: Failed with result 'resources'.
Dec 12 07:31:17 localhost systemd[1]: Failed to listen on Socket unix for snap application lxd.daemon.
Dec 12 07:31:18 localhost audit[2880]: AVC avc:  denied  { remove_name } for  pid=2880 comm="snapd" name="lxc" dev="vda1" ino=149644 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Dec 12 07:31:18 localhost audit[2880]: AVC avc:  denied  { unlink } for  pid=2880 comm="snapd" name="lxc" dev="vda1" ino=149644 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1

So it’s SELinux as suspected, specifically this line:

denied  { write } for  pid=1 comm="systemd" name="lxd" dev="vda1" ino=149648 
        scontext=system_u:system_r:init_t:s0
        tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir
        permissive=0

The systemd daemon, running with context system_u:system_r:init_t:s0, was denied a write operation on directory lxd, with context system_u:object_r:snappy_var_t:s0 (snappy_var_t is used for $SNAP_DATA under /var/snap/).

I’m working on some refactoring of snapd policy, hopefully this should go away once the changes land.

In the meantime, the fastest solution is probably to switch to permissive mode.

A longer solution would be to enable permissive, install the snap, grab the denials and use audit2allow -R to generate a local policy to allow this specific action. Running sudo ausearch -m AVC -se system_u:object_r:snappy_var_t -ts <timestamp-from-journal> should list the relevant logs only. If you generate a local policy module, you would need to remove it once the fixes land with a future version of snapd.
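As an added example (not code from this thread, from snapd or from the SELinux tooling), here is a small Python parser that reads journal lines of the kind posted above and separates denials that actually blocked the operation (permissive=0) from those that were only logged because the domain is permissive (permissive=1). The sample input is the journal excerpt from this post, embedded as a constructed string; the output format of summarize() is this example's own and is not what audit2allow prints.

```python
import re

# Sample journal lines, copied from the excerpt posted in this thread (constructed input for the example).
SAMPLE_JOURNAL = """\
Dec 12 07:31:17 localhost audit[3195]: AVC avc:  denied  { execute_no_trans } for  pid=3195 comm="snap-confine" path="/usr/lib/snapd/snap-exec" dev="loop0" ino=6448 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 12 07:31:17 localhost audit[3195]: AVC avc:  denied  { map } for  pid=3195 comm="snap-exec" path="/usr/lib/snapd/snap-exec" dev="loop0" ino=6448 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 12 07:31:17 localhost audit[1]: AVC avc:  denied  { write } for  pid=1 comm="systemd" name="lxd" dev="vda1" ino=149648 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=0
Dec 12 07:31:17 localhost systemd[1]: Failed to create listening socket: Permission denied
Dec 12 07:31:18 localhost audit[2880]: AVC avc:  denied  { remove_name } for  pid=2880 comm="snapd" name="lxc" dev="vda1" ino=149644 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Dec 12 07:31:18 localhost audit[2880]: AVC avc:  denied  { unlink } for  pid=2880 comm="snapd" name="lxc" dev="vda1" ino=149644 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
"""

# "AVC avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be double-quoted (comm="systemd") or bare (tclass=dir)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # permissive=0: the access was really refused (enforcing domain).
    # permissive=1: the access was allowed through and only logged.
    rec["enforced"] = rec.get("permissive") == "0"
    # Third field of a context is the SELinux type, e.g. system_u:system_r:init_t:s0 -> init_t
    rec["stype"] = rec.get("scontext", "::?:").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?:").split(":")[2]
    return rec


def parse_journal(text):
    """Return the parsed AVC records from a block of journal text, skipping other lines."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def blocking_denials(records):
    """Only the denials that could have caused a failure: those with permissive=0."""
    return [r for r in records if r["enforced"]]


def summarize(records):
    """One human-readable line per denial: source type -> target type (class): permissions."""
    return [
        f"{r['stype']} -> {r['ttype']} ({r['tclass']}): {' '.join(r['perms'])}"
        + ("" if r["enforced"] else " [permissive, logged only]")
        for r in records
    ]


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL)
    print("All AVC denials:")
    for line in summarize(recs):
        print("  " + line)
    print("Denials that actually blocked something:")
    for line in summarize(blocking_denials(recs)):
        print("  " + line)
```

Run against the excerpt, the only enforced denial is init_t writing to a snappy_var_t directory, which matches the diagnosis above; the snappy_t denials are logged with permissive=1 and did not stop anything. The same functions can be fed the output of journalctl or ausearch on a live system to find the record worth feeding to audit2allow.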


#7

How do I switch to permissive mode? Could I change it back when you refactor snapd policy?


#8

For the first question, I’ve found an answer on the RedHat docs

For the second question, is it going to be enough to set again enforced when you roll out the updated version?


#9

sudo lxd init outputs
sudo: lxd: command not found

lxd init outputs
Error: Failed to connect to local LXD: Get http://unix.socket/1.0: dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied


#10

I suppose the permissions are a bit off, can you post the output of ls -l /var/snap/lxd/common/lxd/unix.socket?


#11

The sudo lxd init error looks a bit fishy, needs further investigation. Maybe Fedora 29 introduced some changes to sudo configuration too, like they did with default umask.


#12

That’s what I get:

srw-rw----. 1 root lxd 0 Dec 12 18:15 /var/snap/lxd/common/lxd/unix.socket


#13

I confirm that I have lxd running on Fedora 29 after switching SELinux to permissive mode and adding myself to group lxd:

$ cat /etc/fedora-release 
Fedora release 29 (Twenty Nine)
$ lxc launch ubuntu:16.04
Creating the container
Container name is: usable-muskrat
Starting usable-muskrat

Update: oh ok, it was not flawless: it seems that lxd.daemon is not stopping gracefully on system shutdown.