Bug 924612 - app-containers/incus-0.5.1-r1 : /var/lib/incus/unix.socket not accessible by users in group incus
Status: UNCONFIRMED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Joonas Niilola
Reported: 2024-02-14 22:54 UTC by Giuseppe Foti
Modified: 2024-02-18 17:55 UTC

Description Giuseppe Foti 2024-02-14 22:54:49 UTC
I have just migrated from lxd to incus, following the wiki guide: https://wiki.gentoo.org/wiki/Incus
# emerge --ask app-containers/incus
# systemctl start lxd
# systemctl start incus
# usermod --append --groups incus larry
# lxd-to-incus

After a reboot (services are not enabled)
# systemctl start incus

As a regular user
$ incus list

fails with:
"Error: You don't have the needed permissions to talk to the incus daemon (socket path: /var/lib/incus/unix.socket)"

permissions on /var/lib/incus/unix.socket are:
# ls -la /var/lib/incus/unix.socket
srw-rw---- 1 root incus-admin 0 14 feb 23.34 /var/lib/incus/unix.socket

# getfacl /var/lib/incus/unix.socket 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
other::---





Reproducible: Always

Steps to Reproduce:
1. Migrate from lxd to incus following https://wiki.gentoo.org/wiki/Incus

Actual Results:  
Users in incus group cannot access the daemon

Expected Results:  
Users in incus group should be able to list containers

The problem can be solved by setting an ACL on the socket file:
# setfacl -m g:incus:rw /var/lib/incus/unix.socket

# getfacl /var/lib/incus/unix.socket 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
group:incus:rw-
mask::rw-
other::---

As a regular user: 
$ incus list
+-------------------+---------+------+------+-----------+-----------+
|       NAME        |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-------------------+---------+------+------+-----------+-----------+
| ################# | RUNNING |      |      | CONTAINER | 0         |
+-------------------+---------+------+------+-----------+-----------+

(networking is not set up; still investigating it)
Comment 1 Joonas Niilola gentoo-dev 2024-02-18 17:53:53 UTC
Hmm, yeah, incus-user probably only works with new installations. lxd was built so your user always needed root privileges. So after migrating, you need to add your user to the incus-admin group to make it work similarly to lxd. The wiki does say that when migrating with the tool, you should add your user to the incus-admin group.

You can probably get incus-user to work if you manually move the containers from your "top-level" admin project onto the user's own project. You'll have to set up incus-user first, though.
Comment 2 Joonas Niilola gentoo-dev 2024-02-18 17:55:52 UTC
(Remember to start the incus-user service separately)
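
Added example, not part of the bug report or of Incus: a shell function that applies the POSIX ACL group rules to `getfacl` text, showing why a member of `incus` was denied on the original socket and allowed after the `setfacl` workaround. The names `acl_allows`, `check`, `ACL_BEFORE` and `ACL_AFTER` are hypothetical; the ACL text is taken from the report.

```shell
# Does a non-owner user in GROUPS get every permission letter in WANT?
# Reads `getfacl` text on stdin. usage: acl_allows WANT GROUPS_CSV
acl_allows() {
    awk -v want="$1" -v groups="$2" '
    function grants(perms, usemask,   i, c) {
        for (i = 1; i <= length(want); i++) {
            c = substr(want, i, 1)
            if (!index(perms, c)) return 0
            if (usemask && mask != "" && !index(mask, c)) return 0
        }
        return 1
    }
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^# group: / { owning = $3; next }   # owning group, used by "group::"
    /^#/ || /^$/ { next }
    {
        split($0, f, ":"); perms = substr(f[3], 1, 3)
        if (f[1] == "mask")  mask = perms
        if (f[1] == "other") other = perms
        if (f[1] == "group") { cnt++; gname[cnt] = f[2]; gperm[cnt] = perms }
    }
    END {
        for (i = 1; i <= cnt; i++) {
            name = (gname[i] == "") ? owning : gname[i]
            if (!(name in member)) continue
            matched = 1
            if (grants(gperm[i], 1)) exit 0   # mask limits group entries
        }
        # "other" applies only when no group entry matched at all.
        exit ((!matched && grants(other, 0)) ? 0 : 1)
    }'
}

# ACL text from the report; the setfacl result is the same plus two entries
# (appended here, so the order differs from real getfacl output).
ACL_BEFORE='# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
other::---'
ACL_AFTER="$ACL_BEFORE
group:incus:rw-
mask::rw-"

check() { printf '%s\n' "$2" | acl_allows rw "$3" && echo "$1: rw" || echo "$1: denied"; }
check "incus member, original socket" "$ACL_BEFORE" incus
check "incus member, after setfacl"   "$ACL_AFTER"  incus
```

The second result also means that, with the workaround in place, every member of `incus` reaches the same daemon socket that is otherwise reserved for `incus-admin`.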