
Bug 924612

Summary: app-containers/incus-0.5.1-r1 : /var/lib/incus/unix.socket not accessible by users in group incus
Product: Gentoo Linux
Reporter: Giuseppe Foti <foti.giuseppe>
Component: Current packages
Assignee: Joonas Niilola <juippis>
Status: UNCONFIRMED ---
Severity: normal
CC: foti.giuseppe, virtualization
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Giuseppe Foti 2024-02-14 22:54:49 UTC
I have just migrated from lxd to incus, following the wiki guide: https://wiki.gentoo.org/wiki/Incus
# emerge --ask app-containers/incus
# systemctl start lxd
# systemctl start incus
# usermod --append --groups incus larry
# lxd-to-incus

After a reboot (services are not enabled)
# systemctl start incus

As a regular user
$ incus list

fails with:
"Error: You don't have the needed permissions to talk to the incus daemon (socket path: /var/lib/incus/unix.socket)"

permissions on /var/lib/incus/unix.socket are:
# ls -la /var/lib/incus/unix.socket
srw-rw---- 1 root incus-admin 0 14 feb 23.34 /var/lib/incus/unix.socket

# getfacl /var/lib/incus/unix.socket 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
other::---

Reproducible: Always

Steps to Reproduce:
1.migrate from lxd to incus following https://wiki.gentoo.org/wiki/Incus

Actual Results:  
Users in incus group cannot access the daemon

Expected Results:  
Users in incus group should be able to list containers

The problem can be solved setting an acl on socket file:
# setfacl -m g:incus:rw /var/lib/incus/unix.socket

# getfacl /var/lib/incus/unix.socket 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
group:incus:rw-
mask::rw-
other::---

As a regular user: 
$ incus list
+-------------------+---------+------+------+-----------+-----------+
|       NAME        |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-------------------+---------+------+------+-----------+-----------+
| ################# | RUNNING |      |      | CONTAINER | 0         |
+-------------------+---------+------+------+-----------+-----------+

(networking is not set up; still investigating it)
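The access check behind the error above, as an added example that is not part of this bug report or of the Incus project: a Python model of the POSIX ACL evaluation the kernel applies to /var/lib/incus/unix.socket, fed with the two getfacl listings quoted in the report (embedded here as constructed string constants), plus a stat-based live check for the calling user. The user name larry, the group sets and the helper names are assumptions. It shows why the plain mode bits (root:incus-admin, 0660) deny a user whose only extra group is incus, why the added group:incus entry together with the mask entry admits that user, and that the workaround gives incus members exactly what incus-admin members have on the admin socket; per the maintainer's comments below, the intended path for non-admin users is the separate incus-user service rather than widening the admin socket.

```python
"""ACL-aware 'can this user talk to the Incus socket?' check (added example)."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass

# Constructed from the report: getfacl output before and after the workaround.
ACL_BEFORE = """\
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
other::---
"""

ACL_AFTER = """\
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
group:incus:rw-
mask::rw-
other::---
"""


@dataclass
class Acl:
    owner: str
    group: str
    entries: list  # (tag, qualifier, perms) triples in getfacl order


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's long form: '# owner:'/'# group:' header, then tag:qualifier:perms lines."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    if owner is None or group is None:
        raise ValueError("getfacl header without owner/group")
    return Acl(owner, group, entries)


def _bits(perms: str) -> set:
    return {c for c in perms if c in "rwx"}


def can_access(acl: Acl, user: str, groups: set, want: str = "rw") -> bool:
    """POSIX.1e order: owner entry, named user, owning/named groups (masked), other.

    root is deliberately not short-circuited so the ACL logic itself is exercised.
    """
    want_bits = set(want)
    mask = next((_bits(p) for t, _, p in acl.entries if t == "mask"), None)

    def masked(bits: set) -> set:
        return bits if mask is None else bits & mask

    if user == acl.owner:
        owner_bits = next(_bits(p) for t, q, p in acl.entries if t == "user" and q == "")
        return want_bits <= owner_bits
    for t, q, p in acl.entries:
        if t == "user" and q == user:
            return want_bits <= masked(_bits(p))
    matched = False  # a matching group entry that does not grant still blocks 'other'
    for t, q, p in acl.entries:
        if t != "group":
            continue
        if (q == "" and acl.group in groups) or (q != "" and q in groups):
            matched = True
            if want_bits <= masked(_bits(p)):
                return True
    if matched:
        return False
    other_bits = next(_bits(p) for t, _, p in acl.entries if t == "other")
    return want_bits <= other_bits


def _name(lookup, ident: int) -> str:
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def explain_socket(path: str = "/var/lib/incus/unix.socket") -> str:
    """Live verdict for the calling user; os.access asks the kernel, which honours ACLs."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"{path}: not present (is the incus service running?)"
    if not stat.S_ISSOCK(st.st_mode):
        return f"{path}: not a socket"
    owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    me = _name(lambda u: pwd.getpwuid(u).pw_name, os.getuid())
    my_groups = sorted(_name(lambda g: grp.getgrgid(g).gr_name, g) for g in os.getgroups())
    mode = stat.S_IMODE(st.st_mode)
    if os.access(path, os.R_OK | os.W_OK):
        return f"{path}: {me} can talk to the daemon ({owner}:{group}, mode {mode:04o})"
    return f"{path}: {me} denied; socket is {owner}:{group} mode {mode:04o}, your groups: {my_groups}"
```

Run `python3 -c 'import aclcheck; print(aclcheck.explain_socket())'` (module name assumed) as the affected user to get the same verdict the incus client reports; the `can_access` model is for reasoning about a listing copied from another host without touching it.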
Comment 1 Joonas Niilola gentoo-dev 2024-02-18 17:53:53 UTC
Hmm, yeah, incus-user probably only works with new installations. lxd was built so that your user always needed root privileges. So after migrating you need to add your user to the incus-admin group to make it work similarly to lxd. The wiki does say that when migrating with the tool you should add your user to the incus-admin group.

You probably can get incus-user to work if you manually move the containers from your "top-level" admin project onto the user's own project. You'll have to set up incus-user first, though.
Comment 2 Joonas Niilola gentoo-dev 2024-02-18 17:55:52 UTC
(Remember to start incus-user service separately)