LXD or incus without disabling SELinux on Bluefin?

I am new to Bluefin but absolutely loving it. However, one thing I really want to use on top of it is incus (or worst case, LXD).

I see that ujust makes installing incus very easy, but it forces you to disable SELinux or put it in permissive mode…something I’m very reluctant to do.

Has anyone figured out a workaround for this? If not at the host level, would it be feasible to run incus in podman?

Thanks so much in advance for your reply.

d1rewolf

Ok, I’ve been able to get both working without fully disabling SELinux. This is on bluefin-dx-nvidia-latest.

For incus, you need to create an incus-workaround.service file in /etc/systemd/system/incus-workaround.service with the following contents:


[Unit]
Description=Workaround Incus not having the correct label
ConditionPathExists=/usr/bin/incus
ConditionPathExists=/usr/bin/incus-agent
ConditionPathExists=/usr/lib/incus
After=local-fs.target

[Service]
Type=oneshot
# Ensure /var/lib/lxcfs exists
ExecStartPre=/usr/bin/bash -c "[ -d /var/lib/lxcfs ] || /usr/bin/mkdir -p /var/lib/lxcfs"
# Copy if it doesn't exist
ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/.incus ] || /usr/bin/cp /usr/bin/incus /usr/local/bin/.incus"
ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/.incus-agent ] || /usr/bin/cp /usr/bin/incus-agent /usr/local/bin/.incus-agent"
ExecStartPre=/usr/bin/bash -c "[ -d /usr/local/lib/.incus ] || /usr/bin/cp -r /usr/lib/incus /usr/local/lib/.incus"
# This is faster than using .mount unit. Also allows for the previous line/cleanup
ExecStartPre=/usr/bin/mount --bind /usr/local/bin/.incus /usr/bin/incus
ExecStartPre=/usr/bin/mount --bind /usr/local/bin/.incus-agent /usr/bin/incus-agent
ExecStartPre=/usr/bin/mount --bind /usr/local/lib/.incus /usr/lib/incus
# Fix SELinux label
ExecStart=/usr/sbin/restorecon -R /usr/bin/incus
ExecStart=/usr/sbin/restorecon -R /usr/bin/incus-agent
ExecStart=/usr/sbin/restorecon -R /usr/lib/incus
ExecStart=/usr/sbin/restorecon -R /var/lib/lxcfs
ExecStart=/usr/sbin/restorecon -R /var/lib/incus
# Clean-up after ourselves
ExecStop=/usr/bin/umount /usr/bin/incus
ExecStop=/usr/bin/umount /usr/bin/incus-agent
ExecStop=/usr/bin/umount /usr/lib/incus
ExecStop=/usr/bin/rm -r /usr/local/bin/.incus
ExecStop=/usr/bin/rm -r /usr/local/bin/.incus-agent
ExecStop=/usr/bin/rm -r /usr/local/lib/.incus
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Then enable it and incus.socket with "systemctl enable incus.socket incus-workaround.service". Reboot, and “incus admin init” and other commands should work fine.

For lxd, following the steps in this post made it work for me: LXD 5.19 removed SELinux workarounds. · Issue #41 · ganto/copr-lxc4 · GitHub. After doing that, make sure to add the following line to both /etc/subuid and /etc/subgid:

root:1000000:1000000000

After that, LXD should work fine. Hope this helps and good luck!
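
A check for the /etc/subuid and /etc/subgid step in the answer above, as an added example that is not part of the original post: it confirms the root line is present and flags any other account whose subordinate ID range overlaps it. The function names and the sample accounts ("alice", "svc") are hypothetical.

```shell
#!/bin/sh
# Added example: audit /etc/subuid or /etc/subgid after adding the root range.
WANT="root:1000000:1000000000"   # the line given in the post

# check_subid FILE: prints one finding per line, returns 0 only if FILE is clean.
check_subid() {
    awk -F: -v want="$WANT" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next
        }
        {
            if ($0 == want) seen = 1
            # Each entry is name:start:count, covering start..start+count-1.
            n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
        }
        END {
            if (!seen) { printf "MISSING %s\n", want; bad = 1 }
            # Two owners sharing host IDs weakens container isolation.
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (name[i] != name[j] && lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP %s[%.0f-%.0f] %s[%.0f-%.0f]\n",
                            name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad + 0
        }' "$1"
}

# Constructed sample: "alice" and "svc" are hypothetical accounts.
sample_subid() {
    printf '%s\n' 'alice:100000:65536' "$WANT" 'svc:1000000:65536'
}

tmp=$(mktemp) && sample_subid > "$tmp"
check_subid "$tmp" || echo "fix the findings above before starting LXD"
rm -f "$tmp"
```

On a real host, run `check_subid /etc/subuid` and `check_subid /etc/subgid`; both should print nothing and return 0.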
