Bug 2292123

Summary: incus changes the mode of /run/incus back to 0700
Product: [Fedora] Fedora Reporter: Ling Li <liling>
Component: incusAssignee: Neal Gompa <ngompa13>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 42CC: bketelsen, go-sig, keith.maxwell, liling, ngompa13, reto.gantenbein
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: incus-6.12-1.fc42 incus-6.12-1.fc41 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-05-07 03:21:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ling Li 2024-06-13 05:47:50 UTC 
It seems that Fedora is trying to move incus sockets from /var/lib/incus to /run/incus (https://github.com/lxc/incus/pull/800).  In order for non-root users to access these sockets, the permission/mode of /run/incus should be at least 0711.  And this is what is set in the tempfiles.d config included in Fedora's RPM.

However, incus itself rewrites the mode to 700 upon initialization.  For example, after a reboot, the first command of incus may change the folder mode:

# ll /run/incus -d
drwx--x--x 2 root root 40 Jun 12 10:28 /run/incus

# incus list
+-------+---------+------+------+-----------+-----------+
| NAME  |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+-------+---------+------+------+-----------+-----------+
| test1 | STOPPED |      |      | CONTAINER | 0         |
+-------+---------+------+------+-----------+-----------+
| test2 | STOPPED |      |      | CONTAINER | 0         |
+-------+---------+------+------+-----------+-----------+

# ll /run/incus -d
drwx------ 2 root root 60 Jun 12 10:29 /run/incus

I digged a bit and so far it seems that the mode change happens in incus source "internal/server/sys/fs.go", function initDirs().  I'm not sure if this one-liner change is approriate:

diff -ru a/internal/server/sys/fs.go b/internal/server/sys/fs.go
--- a/internal/server/sys/fs.go 2024-05-30 20:14:21.000000000 -0700
+++ b/internal/server/sys/fs.go 2024-06-12 18:21:30.100094484 -0700
@@ -49,7 +49,7 @@
                {filepath.Join(s.VarDir, "images"), 0700},
                {s.LogDir, 0700},
                {filepath.Join(s.VarDir, "networks"), 0711},
-               {s.RunDir, 0700},
+               {s.RunDir, 0711},
                {filepath.Join(s.VarDir, "security"), 0700},
                {filepath.Join(s.VarDir, "security", "apparmor"), 0700},
                {filepath.Join(s.VarDir, "security", "apparmor", "cache"), 0700},


Reproducible: Always
Comment 1 Fedora Admin user for bugzilla script actions 2024-07-02 00:16:18 UTC 
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Comment 2 Fedora Admin user for bugzilla script actions 2024-07-03 00:08:43 UTC 
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Comment 3 Brian Ketelsen 2024-07-16 15:16:01 UTC 
PR submitted upstream:
https://github.com/lxc/incus/pull/1004
Comment 4 Aoife Moloney 2025-02-26 13:03:54 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.
Comment 5 Fedora Update System 2025-05-06 03:19:43 UTC 
FEDORA-2025-5fce1e4f70 (incus-6.12-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-5fce1e4f70
Comment 6 Fedora Update System 2025-05-06 03:19:45 UTC 
FEDORA-2025-e4d441a4dd (incus-6.12-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-e4d441a4dd
Comment 7 Fedora Update System 2025-05-07 03:21:41 UTC 
FEDORA-2025-e4d441a4dd (incus-6.12-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 8 Fedora Update System 2025-05-07 03:59:35 UTC 
FEDORA-2025-5fce1e4f70 (incus-6.12-1.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.