Fuidshift refusing to shift files

This is a continuation of

which got closed accidentally.

Now I have managed to reproduce it with fuidshift; it seems like multiple (more than one?) additional groups bother fuidshift:

This fails:

:; mkdir -p /tmp/rootfs/testdir   # the directory named in the ACL dump below must exist before setfacl --restore
:; cat<<EOF|setfacl --restore=-
# file: /tmp/rootfs/testdir
# owner: 1000000
# group: 1000190
# flags: -s-
user::rwx
group::r-x
group:0:r-x
group:1000004:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:0:r-x
default:group:1000004:r-x
default:mask::r-x
default:other::r-x
EOF
:; go/bin/fuidshift /tmp b:1000000:0:65536
Error: invalid argument - Failed to change ACLs on /tmp/rootfs/testdir


But as soon as I remove the extra group, it works:

:; cat<<EOF|setfacl --restore=-
# file: /tmp/rootfs/testdir
# owner: 1000000
# group: 1000190
# flags: -s-
user::rwx
group::r-x
group:1000004:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:1000004:r-x
default:mask::r-x
default:other::r-x
EOF
:; go/bin/fuidshift /tmp b:1000000:0:65536

@tomp This feels awfully similar to what I ran into while trying to get container root disk attachment to work. IIRC systemd applied an ACL like this somewhere in /var.

Yes, this one is actually from journald, from /var/log/journal or wherever you like your journals, but there are also others, e.g.

~ getfacl /var/lib/tpm2-tss/system/keystore
getfacl: Removing leading ‘/’ from absolute path names
# file: var/lib/tpm2-tss/system/keystore
# owner: tss
# group: tss
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:tss:rwx
default:mask::rwx
default:other::r-x
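An added example, not code from this issue or from LXD's fuidshift: a Go pre-flight check that parses `getfacl -n` output and reports the named user/group ACL entries a given range argument cannot shift. It covers both dumps in the thread. The range is read as `<u|g|b>:<from>:<to>:<count>` in the direction of the invocation in the first post (ids 1000000.. become 0..); the ACL text is the failing dump from the first post, embedded as a constant. Under `b:1000000:0:65536` it flags `group:0` and `default:group:0`, the two entries whose removal made the command succeed, while `group:1000004` maps to gid 4. The `tss` entries from the second dump come back as unresolved names: they have to be dumped with `getfacl -n` before the same check applies. The type and function names are this example's own, not fuidshift's.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IdmapRange is one fuidshift range argument "<u|g|b>:<from>:<to>:<count>". Assumed
// direction (from the post's invocation): from..from+count-1 becomes to..to+count-1.
type IdmapRange struct {
	IsUID, IsGID   bool
	From, To, Size int64
}

// ParseRange parses the range argument and rejects malformed or empty ranges.
func ParseRange(s string) (IdmapRange, error) {
	p := strings.Split(s, ":")
	if len(p) != 4 || (p[0] != "u" && p[0] != "g" && p[0] != "b") {
		return IdmapRange{}, fmt.Errorf("range %q: want <u|g|b>:<from>:<to>:<count>", s)
	}
	from, e1 := strconv.ParseInt(p[1], 10, 64)
	to, e2 := strconv.ParseInt(p[2], 10, 64)
	n, e3 := strconv.ParseInt(p[3], 10, 64)
	if e1 != nil || e2 != nil || e3 != nil || from < 0 || to < 0 || n <= 0 {
		return IdmapRange{}, fmt.Errorf("range %q: ids must be non-negative and count positive", s)
	}
	return IdmapRange{IsUID: p[0] != "g", IsGID: p[0] != "u", From: from, To: to, Size: n}, nil
}

// Shift maps one uid (isGID=false) or gid (isGID=true); ok is false when the range does not cover id.
func (r IdmapRange) Shift(id int64, isGID bool) (int64, bool) {
	if (isGID && !r.IsGID) || (!isGID && !r.IsUID) || id < r.From || id >= r.From+r.Size {
		return id, false
	}
	return r.To + (id - r.From), true
}

// ACLEntry is one getfacl entry line; Qualifier is "" for owner, owning group, mask and other.
type ACLEntry struct{ Default bool; Tag, Qualifier, Perms string }

// ParseGetfacl parses one file's block of getfacl output into its entries.
func ParseGetfacl(text string) []ACLEntry {
	var entries []ACLEntry
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(strings.SplitN(line, "#", 2)[0]) // drops "# file:" headers and "#effective:" notes
		e := ACLEntry{Default: strings.HasPrefix(line, "default:")}
		p := strings.SplitN(strings.TrimPrefix(line, "default:"), ":", 3)
		if len(p) != 3 {
			continue // blank line or not an ACL entry
		}
		e.Tag, e.Qualifier, e.Perms = p[0], p[1], p[2]
		entries = append(entries, e)
	}
	return entries
}

// Unmappable lists the named user/group entries the range cannot shift (unresolved names included).
func Unmappable(entries []ACLEntry, r IdmapRange) []ACLEntry {
	var bad []ACLEntry
	for _, e := range entries {
		if e.Qualifier == "" || (e.Tag != "user" && e.Tag != "group") {
			continue
		}
		id, err := strconv.ParseInt(e.Qualifier, 10, 64)
		if _, ok := r.Shift(id, e.Tag == "group"); err != nil || !ok {
			bad = append(bad, e)
		}
	}
	return bad
}

// failingACL is the failing dump from the first post, as getfacl -n prints it (constructed here).
const failingACL = `# file: /tmp/rootfs/testdir
user::rwx
group::r-x
group:0:r-x
group:1000004:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:0:r-x
default:group:1000004:r-x
default:mask::r-x
default:other::r-x`

func main() {
	r, err := ParseRange("b:1000000:0:65536")
	if err != nil {
		panic(err)
	}
	for _, e := range Unmappable(ParseGetfacl(failingACL), r) {
		fmt.Printf("%+v has no mapping under b:1000000:0:65536\n", e)
	}
}
```

To run the check over a whole tree before shifting, feed it `getfacl -R -n -p` output split on blank lines into per-file blocks; anything it reports is an entry the range argument leaves with no target id, which is exactly what distinguishes the failing dump from the working one above.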