Can't create snapshots or export images

Environment:
Ubuntu 18.04 server
lxd 5.19 snap

dacc@whale:~$ lxc list
+----------+---------+------+------+-----------+-----------+
|   NAME   |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+----------+---------+------+------+-----------+-----------+
| daccproj | STOPPED |      |      | CONTAINER | 0         |
+----------+---------+------+------+-----------+-----------+

dacc@whale:~$ lxc snapshot daccproj snapshot1
Error: Project "user-1005" doesn't allow for snapshot creation
dacc@whale:~$ lxc export daccproj daccproj_2024-01-10.tar.gz
Error: Create instance backup: Project "user-1005" doesn't allow for backup creation

This is the first time I’ve run into an error like this, and I am not sure how to proceed. I need to either export or publish a container snapshot in order to have a backup, as this machine is slated to be re-installed with a newer version of Ubuntu.

The container does have GPU passthrough configured, as it’s being used for computations:

# snap set lxd daemon.user.group=games
# gpasswd -a dacc games
$ su -l dacc
$ lxc launch images:ubuntu/22.04 daccproj
$ lxc exec daccproj bash
$ lxc config device add daccproj gpu gpu gputype=physical
$ lxc stop daccproj
$ lxc config set daccproj nvidia.runtime=true
$ lxc start daccproj

but I don’t see how this could be relevant. I set this container up a while ago and notice that the dacc user is not in the lxd group. I don’t recall why, but this didn’t seem to interfere with any of the operations listed above. In any case, adding the dacc user to the lxd group did not resolve the issue; I got exactly the same error.

EDIT: Another oddity, which I might be responsible for but can’t explain, is that even though I ran lxd init as the root user, root can’t see the containers created by the dacc user:

root@whale:~# lxc list
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
root@whale:~

For previous installations of lxd on other servers this has never been an issue. Now I’m wondering how it’s determined which users are able to see which snaps.

You should check your project setup. See How to work with different projects.

By setting the daemon user group, you configured LXD to dynamically create projects for the users in the group - see Confine projects to specific LXD users.

The project apparently doesn’t allow snapshots - see restricted.snapshots.

And your root user has access to a different project, that’s why it can’t see the containers from the dacc user.

2 Likes

Thanks, ru-fu! I had forgotten that when you create a container under an unprivileged unix socket:

# snap set lxd daemon.user.group=<my_group>

It places the container in a restricted Project. I wasn’t aware that snapshots and backups are prohibited by default. To solve this (in my case the Project is called user-1005):

# lxc project set user-1005 restricted.snapshots=allow

Oddly this then allows the container to be published as well:

$ lxc stop <my_container>
$ lxc snapshot <my_container> snapshot1
$ lxc publish <my_container>/snapshot1

In order to export a container, one needs to lift this restriction as well:

# lxc project set user-1005 restricted.backups=allow

And now a user in the <my_group> group can export the container.

Marking this as solved.

1 Like
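
An added example, not part of the original posts and not LXD's own tooling: a shell function that reads the YAML printed by lxc project show and reports whether the project's restricted.snapshots and restricted.backups settings permit the two operations discussed in this thread. The sample YAML is constructed, and the defaults used (both keys "block", enforced only when restricted is "true") are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example: report whether a LXD project permits snapshots and backups.
# Input on stdin is the YAML printed by `lxc project show <project>`.
# Assumption: restricted.* keys apply only when restricted is "true", and
# restricted.snapshots / restricted.backups default to "block" when unset.

# cfg_get YAML KEY: print KEY's value from the top-level "config:" mapping.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^config:/ { in_cfg = 1; next }
        /^[^ ]/    { in_cfg = 0 }
        in_cfg {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k ":") == 1) {
                v = substr(line, length(k) + 2)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                print v
                exit
            }
        }'
}

# project_policy: read project YAML on stdin, print one line per operation.
project_policy() {
    yaml=$(cat)
    restricted=$(cfg_get "$yaml" restricted)
    for op in snapshots backups; do
        val=$(cfg_get "$yaml" "restricted.$op")
        if [ "$restricted" != "true" ]; then
            echo "$op: allowed (project is not restricted)"
        elif [ "${val:-block}" = "allow" ]; then
            echo "$op: allowed (restricted.$op=allow)"
        else
            echo "$op: blocked (restricted.$op=${val:-block})"
        fi
    done
}

# Constructed sample: a per-user project after only restricted.snapshots was lifted.
project_policy <<'EOF'
config:
  features.images: "true"
  restricted: "true"
  restricted.snapshots: allow
description: constructed sample, not output from the thread
name: user-1005
EOF
```

On a live host the same function can be fed with lxc project show user-1005 | project_policy, both before and after changing a restriction, to confirm that only the intended key was relaxed.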