Anbox Couldn't work on lxc 4.0.8

[STASWIT]

1. Please check that no similar bug is already reported. Have a look on the list of open bugs at https://github.com/anbox/anbox/issues

2. Make sure you are running the latest version of Anbox before reporting an issue. Update snap to latest: snap refresh --devmode --edge anbox

3. Make sure you have debug logs enabled:
   sudo snap set anbox debug.enable=true

4. Reproduce the error while debug logs enabled.

5. Run the anbox logs collection utility and attach the tar file.
   sudo /snap/bin/anbox.collect-bug-info

6. ** Please paste the result of anbox system-info below:**

anbox system-info output

version: local-9de4e87
cpu:
  arch:  x86
  brand: Intel(R) Core(TM) i5-4258U CPU @ 2.40GHz
  features: 
    - aes
    - sse4_1
    - sse4_2
    - avx
    - avx2
os:
  name: Arch Linux
  version: 
  snap-based: false
kernel:
  version: Linux version 5.12.0-xanmod1-2 (makepkg@archlinux) (gcc (GCC) 10.2.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Fri, 30 Apr 2021 11:40:51 +0000
  binder: false
  ashmem: true
graphics:
  egl:
    vendor: n/a
    version: n/a
    extensions:
      - n/a
  gles2:
    vendor: n/a
    vendor: n/a
    extensions: []

Please describe your problem:
When I using latest anbox from ArchLinux(AUR), I followed ArchWiki's guidance, however, I have got this problem
when using $ anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity:

[ 2021-05-01 13:58:55] [daemon.cpp:61@Run] [org.freedesktop.DBus.Error.ServiceUnknown] The name org.anbox was not provided by any .service files

Then I pressed $ anbox session-manager, it outputed:

[ 2021-05-01 13:59:33] [Renderer.cpp:104@initialize] Failed to initialize EGL
[ 2021-05-01 13:59:33] [client.cpp:48@start] Failed to start container: Failed to start container: Failed to set config item lxc.group.devices.deny
[ 2021-05-01 13:59:33] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.
[ 2021-05-01 13:59:33] [daemon.cpp:61@Run] Container is not running
Stack trace (most recent call last) in thread 23046:

What were you expecting?:
I hope someone could fix it.

Additional info:
I'm Using lxc-1:4.0.8-1 maybe the latest anbox haven't support it.

[Danct12]

Checking journalctl on my own after starting anbox-session-manager also shows this:

Failed to start container: Failed to set config item lxc.group.devices.deny

[xade93]

downgrading lxc to 1:4.0.6-1 temporarily solves the problem

[ahmubashshir]

Here is the core dump.
anbox.core.gz

[ibilux]

downgrading lxc to 1:4.0.6-1 temporarily solves the problem

Can confirm, downgrading lxc to 1:4.0.6-1 solves the problem in Manjaro.

[Thaodan]

downgrading lxc to 1:4.0.6-1 temporarily solves the problem

Can confirm, downgrading lxc to 1:4.0.6-1 solves the problem in Manjaro.

Depends on your kernel version.

    sed -e 's/lxc.group.devices.deny/lxc.cgroup2.devices.deny/' -i src/anbox/container/lxc_container.cpp
  sed -e 's/lxc.group.devices.allow/lxc.cgroup2.devices.allow/' -i src/anbox/container/lxc_container.cpp

Could fix it however I can't still start the container..

[gardotd426]

Arch is already on lxc 4.0.9, and that also does not work w/ anbox

[weimzh]

I managed to get anbox working under Fedora 34. A dirty patch (not suitable for submitting and will break with older lxc versions or a different GNU/Linux distro which uses apparmor):
https://gist.github.com/CecilHarvey/86572d515b184ddfa73fb5fa2621914f

There is also an issue with newer versions of lxc:
lxc/lxc#3844

[gardotd426]

Unfortunately the "fix" that supposedly solved this issue that got merged into lxc does not in fact fix the problem. I just tried with the latest lxc master and it's the exact same error.

[weimzh]

Unfortunately the "fix" that supposedly solved this issue that got merged into lxc does not in fact fix the problem. I just tried with the latest lxc master and it's the exact same error.

have you also tried applying this patch to anbox?
https://gist.github.com/CecilHarvey/86572d515b184ddfa73fb5fa2621914f

I need to patch both lxc and anbox to get it working here.

[gardotd426]

Ah, you'd said on the lxc MR that just that patch fixed the issue.

Unfortunately I'm on Arch which uses apparmor for snapd, so I guess that patch won't work, correct? I can still give it a try though, I have a 5900X so it's not like compiling anbox is a big commitment.

[gardotd426]

Well turns out apparmor isn't an issue for me. I just patched it and built anbox and sure enough, it works. Thanks a lot, it's appreciated.

[pabloyoyoista]

Can anybody please test #1827 and report results? I believe that should fix this (although it does not solve the issue with anbox not supporting cgroupsv2 for lxc).

@CecilHarvey, which is the reason you did this change? Is that also related to LXC 4.0.9?

-  set_config_item(lxc_config_apparmor_profile_key, "unconfined");
+  //set_config_item(lxc_config_apparmor_profile_key, "unconfined");