Linux Filesystem Error: Transaction failed when using LXD

I am a big fan of LXD, a next-generation Linux system container manager and the default on Ubuntu. It allows me to run desktop apps or server apps in an isolated environment. Ubuntu provides LXD with robust security in mind. However, this might lead to undesired side effects: individual packages under OpenSUSE or CentOS Linux may fail to update. One such package is the filesystem package. Let us see how to fix "Error: Transaction failed" when you try to update the filesystem package under CentOS, OpenSUSE, and other Linux containers running under LXD.

Tutorial details
Difficulty level: Easy
Root privileges: No
Requirements: LXD under Linux
Est. reading time: 4 minutes

Let us look into the error here. For instance, when using CentOS under LXD, I run:
# dnf update
Here is what I saw:

Last metadata expiration check: 2:31:48 ago on Sat Mar  6 06:03:50 2021.
Dependencies resolved.
===============================================================================
 Package             Architecture    Version             Repository       Size
===============================================================================
Upgrading:
 filesystem          x86_64          3.8-3.el8           baseos          1.1 M
 
Transaction Summary
===============================================================================
Upgrade  1 Package
 
Total download size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
filesystem-3.8-3.el8.x86_64.rpm                1.8 MB/s | 1.1 MB     00:00    
-------------------------------------------------------------------------------
Total                                          932 kB/s | 1.1 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: filesystem-3.8-3.el8.x86_64                           1/1 
  Preparing        :                                                       1/1 
  Upgrading        : filesystem-3.8-3.el8.x86_64                           1/2 
Error unpacking rpm package filesystem-3.8-3.el8.x86_64
  Verifying        : filesystem-3.8-3.el8.x86_64                           1/2 
  Verifying        : filesystem-3.8-2.el8.x86_64                           2/2 
 
Failed:
  filesystem-3.8-2.el8.x86_64            filesystem-3.8-3.el8.x86_64           
 
Error: Transaction failed

Two kinds of LXD containers

LXD allows us to set up two different types of Linux containers:

  1. Privileged containers – Unsafe containers. A user with root in such a container will be able to DoS the host and find ways to escape confinement. You should avoid them at all costs.
  2. Unprivileged containers (default) – Safe containers. They operate inside a user namespace, which restricts users in the Linux container to the abilities of regular users on the host, with limited privileges on the devices that the container owns. Protection of the host and prevention of escape is entirely done through Mandatory Access Control such as AppArmor or SELinux. This protection is what is causing the error. Hence, we can temporarily turn off the protection, apply the pending updates, and then turn the security protection back on.

Fixing the “Error: Transaction failed” LXD error and applying patches

To list all your LXD instances, run:
$ lxc list

+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
|       NAME       |  STATE  |         IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| archbox          | RUNNING | 10.83.200.161 (eth0) | fd42:87d0:ec52:7d50:216:3eff:fe9d:f205 (eth0) | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| centos-6         | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| centos-7         | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| centos-8         | RUNNING | 10.83.200.129 (eth0) | fd42:87d0:ec52:7d50:216:3eff:fe6c:f3ed (eth0) | CONTAINER | 1         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| debian-8-jessie  | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| debian-9-stretch | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| debian-test      | STOPPED |                      |                                               | CONTAINER | 3         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| fedora-33        | RUNNING | 10.83.200.41 (eth0)  | fd42:87d0:ec52:7d50:216:3eff:fe8c:5088 (eth0) | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| gentoo           | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| gui1604          | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| gui-1804-gimp    | RUNNING | 10.83.200.28 (eth0)  | fd42:87d0:ec52:7d50:216:3eff:fea3:9da8 (eth0) | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| opensuse-15-1    | STOPPED |                      |                                               | CONTAINER | 1         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| oracle-7         | STOPPED |                      |                                               | CONTAINER | 0         |
+------------------+---------+----------------------+-----------------------------------------------+-----------+-----------+

To view the current mode, run:
$ lxc config get centos-8 security.privileged
$ lxc config get opensuse-leap security.privileged

Next, set security.privileged to true for the instances:
$ lxc config set centos-8 security.privileged true
$ lxc config set opensuse-leap security.privileged true

Restart the instances to activate the new security policy:
$ lxc restart centos-8
$ lxc restart opensuse-leap

Let us gain a root shell for our CentOS 8 container:
$ lxc exec centos-8 bash
Run the update using the dnf command:
# dnf update
# exit

For the OpenSUSE instance, use the zypper command:
$ lxc exec opensuse-leap bash
# zypper up
# exit

Turn privileged mode off again:
$ lxc config set centos-8 security.privileged false
$ lxc config set opensuse-leap security.privileged false

Finally, restart your instances again to make sure they come up after a reboot and that the security policy is set back to unprivileged mode:
$ lxc restart centos-8
$ lxc restart opensuse-leap
$ lxc exec centos-8 bash
$ lxc config get centos-8 security.privileged
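
The steps above leave the container privileged until someone remembers to switch it back. The following script is an added example, not part of the original post: it wraps the same lxc commands so that privileged mode is reverted and verified on every exit path, including a failed update. The function names privileged_update and restore_unprivileged are my own.

```shell
#!/usr/bin/env bash
# Added example: run one update command with security.privileged enabled,
# then always return the instance to unprivileged mode and verify it.

# Force the instance back to unprivileged mode and confirm the setting.
restore_unprivileged() {
    local inst="$1"
    local mode
    lxc config set "$inst" security.privileged false
    lxc restart "$inst"
    # An empty value means the key is unset, which is the unprivileged default.
    mode=$(lxc config get "$inst" security.privileged)
    if [ "$mode" = "true" ]; then
        echo "WARNING: $inst is still privileged" >&2
        return 1
    fi
}

# Usage: privileged_update <instance> <command> [args...]
privileged_update() {
    local inst="$1"
    local rc=0
    shift
    lxc config set "$inst" security.privileged true || return 1
    # From here on, every path must go through restore_unprivileged.
    if lxc restart "$inst"; then
        lxc exec "$inst" -- "$@" || rc=$?
    else
        rc=$?
    fi
    # A failed restore overrides the update's exit status.
    restore_unprivileged "$inst" || rc=1
    return "$rc"
}

# Run only when called with arguments, for example:
#   ./lxd-priv-update.sh centos-8 dnf -y update filesystem
if [ "$#" -ge 2 ]; then
    privileged_update "$@"
fi
```

A non-zero exit status means either the update failed or the instance could not be confirmed as unprivileged, so check lxc config get by hand before putting the container back into service.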


Summing up

This specific issue is not documented very well. Therefore, I wrote this quick post to help others. See the LXD documentation for further information.

4 comments
  • JCB Mar 6, 2021 @ 23:53

    I was thinking the idea of containers is to “never update” but replace with a new container up to date… So I don’t know LXD obviously… Or not, but for instance on docker I have a docker file where I just have say that I want the latest kernel, or app version and to tweak the data on a local share to just shut down and replace with the new up to date kernel or app. I may be wrong but it seems to me that it’s something you may use on a dev environment or even personal one but not production…

  • LOC Mar 10, 2021 @ 7:23

    Docker is app level container. This is OS level container. Hence the difference.

  • Alexander May 21, 2021 @ 20:02

    What is the root cause? I see same on podman user namespaces where other RPMs install properly.

    • Shyam May 24, 2021 @ 20:01

      It even worked with OpenSUSE Linux.
