`snap install lxd
error: cannot perform the following tasks:
- Run install hook of "lxd" snap if present (run hook "install": cannot create cgroup hierarchy /sys/fs/cgroup/freezer/snap.lxd: Operation not permitted)`
When attempting to snap install lxd inside lxc container. Any ideas? I’m really blocked by this error. I looked at all of the previously proposed solutions, but none of them worked for me.
What’s snap version inside the container and outside the container?
Outside the container:
snap 2.45.3.1-1.el7
snapd 2.45.3.1-1.el7
series 16
centos 7
kernel 3.10.0-1127.19.1.el7.x86_64
Inside the container:
snap 2.47
snapd 2.47
series 16
ubuntu 18.04
kernel 3.10.0-1127.19.1.el7.x86_64
Is this a LXD container or the old-school lxc one?
Just for the record, can you also check that no SELinux denials are logged? Running ausearch -m AVC should provide the relevant information.
lxc exec daas-admin -- /bin/bash -c "ausearch -m"
2020/10/22 18:51:54.864656 cmd_run.go:409: restoring default SELinux context of /home/jhiggs/snap
/bin/bash: ausearch: command not found
This is the lxc container that is giving me issues.
$ ausearch -m
Argument is required for -m
Valid message types are: ALL USER LOGIN USER_AUTH USER_ACCT USER_MGMT CRED_ACQ
CRED_DISP USER_START USER_END USER_AVC USER_CHAUTHTOK USER_ERR CRED_REFR USYS_CONFIG USER_LOGIN USER_LOGOUT ADD_USER DEL_USER ADD_GROUP DEL_GROUP DAC_CHECK CHGRP_ID TEST TRUSTED_APP USER_SELINUX_ERR USER_CMD USER_TTY CHUSER_ID GRP_AUTH SYSTEM_BOOT SYSTEM_SHUTDOWN SYSTEM_RUNLEVEL SERVICE_START SERVICE_STOP GRP_MGMT GRP_CHAUTHTOK MAC_CHECK ACCT_LOCK ACCT_UNLOCK USER_DEVICE SOFTWARE_UPDATE DAEMON_START DAEMON_END DAEMON_ABORT DAEMON_CONFIG DAEMON_ROTATE DAEMON_RESUME DAEMON_ACCEPT DAEMON_CLOSE DAEMON_ERR SYSCALL PATH IPC SOCKETCALL CONFIG_CHANGE SOCKADDR CWD EXECVE IPC_SET_PERM MQ_OPEN MQ_SENDRECV MQ_NOTIFY MQ_GETSETATTR KERNEL_OTHER FD_PAIR OBJ_PID TTY EOE BPRM_FCAPS CAPSET MMAP NETFILTER_PKT NETFILTER_CFG SECCOMP PROCTITLE FEATURE_CHANGE KERN_MODULE FANOTIFY AVC SELINUX_ERR AVC_PATH MAC_POLICY_LOAD MAC_STATUS MAC_CONFIG_CHANGE MAC_UNLBL_ALLOW MAC_CIPSOV4_ADD MAC_CIPSOV4_DEL MAC_MAP_ADD MAC_MAP_DEL MAC_IPSEC_ADDSA MAC_IPSEC_DELSA MAC_IPSEC_ADDSPD MAC_IPSEC_DELSPD MAC_IPSEC_EVENT MAC_UNLBL_STCADD MAC_UNLBL_STCDEL MAC_CALIPSO_ADD MAC_CALIPSO_DEL ANOM_PROMISCUOUS ANOM_ABEND ANOM_LINK INTEGRITY_DATA INTEGRITY_METADATA INTEGRITY_STATUS INTEGRITY_HASH INTEGRITY_PCR INTEGRITY_RULE KERNEL ANOM_LOGIN_FAILURES ANOM_LOGIN_TIME ANOM_LOGIN_SESSIONS ANOM_LOGIN_ACCT ANOM_LOGIN_LOCATION ANOM_MAX_DAC ANOM_MAX_MAC ANOM_AMTU_FAIL ANOM_RBAC_FAIL ANOM_RBAC_INTEGRITY_FAIL ANOM_CRYPTO_FAIL ANOM_ACCESS_FS ANOM_EXEC ANOM_MK_EXEC ANOM_ADD_ACCT ANOM_DEL_ACCT ANOM_MOD_ACCT ANOM_ROOT_TRANS ANOM_LOGIN_SERVICE RESP_ANOMALY RESP_ALERT RESP_KILL_PROC RESP_TERM_ACCESS RESP_ACCT_REMOTE RESP_ACCT_LOCK_TIMED RESP_ACCT_UNLOCK_TIMED RESP_ACCT_LOCK RESP_TERM_LOCK RESP_SEBOOL RESP_EXEC RESP_SINGLE RESP_HALT RESP_ORIGIN_BLOCK RESP_ORIGIN_BLOCK_TIMED USER_ROLE_CHANGE ROLE_ASSIGN ROLE_REMOVE LABEL_OVERRIDE LABEL_LEVEL_CHANGE USER_LABELED_EXPORT USER_UNLABELED_EXPORT DEV_ALLOC DEV_DEALLOC FS_RELABEL USER_MAC_POLICY_LOAD ROLE_MODIFY USER_MAC_CONFIG_CHANGE CRYPTO_TEST_USER CRYPTO_PARAM_CHANGE_USER CRYPTO_LOGIN CRYPTO_LOGOUT CRYPTO_KEY_USER CRYPTO_FAILURE_USER CRYPTO_REPLAY_USER CRYPTO_SESSION CRYPTO_IKE_SA CRYPTO_IPSEC_SA VIRT_CONTROL VIRT_RESOURCE VIRT_MACHINE_ID VIRT_INTEGRITY_CHECK VIRT_CREATE VIRT_DESTROY VIRT_MIGRATE_IN VIRT_MIGRATE_OUT
The host is clearly RHEL/CentOS 7. Do you see any SELinux denials getting logged there?