3.0.3 - systemd 240.0-3 -networkd.service not starting in unprivileged container

                host            unprivileged guest
system          x86_64
os              ubuntu cosmic   arch linux rolling
kernel          4.18.0-13
systemd         239-7           240.0-3

Looks like another fine systemd mess coming to lxc.

Just made the mistake of updating the guest’s systemd package to v240, and since then:

systemd-networkd.service: Failed to set up mount namespacing: Permission denied

Another arch linux guest with systemd 239.370-1 does not exhibit the issue.

Appears to be an AppArmor (apparmor_parser) issue at the ubuntu host

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1811248

Almost one month after the bug was reported there is no traceable development from AppArmor, and the issue has meanwhile picked up a tail of further reports riding on the bug:

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1813622

https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=030919ba5e4931d6ee576d0259fae67fe4ed9770


It seems that currently the only way to keep unprivileged lxc guests with systemd v240 alive, other than on the ubuntu distro, is with lxc.apparmor.profile = unconfined, which though defeats the purpose of AppArmor.

After having upgraded the host to:

ubuntu disco (19.04) | kernel 5.0.0-13 | aa 2.13.2-9 | systemd 240-6

the issue is still present and no news on the respective bug trackers.
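Since the only workaround named in this thread is setting lxc.apparmor.profile = unconfined, it is worth being able to see which containers on a host are running without an AppArmor profile. The following audit script is an added example, not from the thread or the lxc project; it assumes the standard layout of one config file per container under /var/lib/lxc/<name>/config (overridable), and the fixture it builds uses constructed values.

```sh
#!/bin/sh
# Added example (not from the thread): audit LXC container configs for the
# "lxc.apparmor.profile = unconfined" workaround discussed above.
# Assumption: configs live at $LXC_PATH/<name>/config (standard lxc layout).

# Print "name<TAB>profile" for every container config found under the given path.
# Containers with no lxc.apparmor.profile line are reported as "(default)".
audit_lxc_apparmor() {
    path="${1:-/var/lib/lxc}"
    for cfg in "$path"/*/config; do
        [ -f "$cfg" ] || continue
        name=$(basename "$(dirname "$cfg")")
        # Ignore comment lines; if the key is repeated, the last assignment wins,
        # which matches how lxc reads its config.
        profile=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
        printf '%s\t%s\n' "$name" "${profile:-(default)}"
    done
}

# Return 0 if no container under the path is unconfined, 1 otherwise
# (the offending container names are printed to stderr).
check_no_unconfined() {
    bad=$(audit_lxc_apparmor "$1" | awk -F'\t' '$2 == "unconfined" { print $1 }')
    [ -z "$bad" ] && return 0
    printf 'unconfined containers: %s\n' "$bad" >&2
    return 1
}

# Stand-alone demo on a constructed fixture: one guest using the workaround,
# one guest with the usual default profile name (values are made up here).
demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/arch240" "$d/arch239"
    printf 'lxc.uts.name = arch240\n# v240 workaround\nlxc.apparmor.profile = unconfined\n' > "$d/arch240/config"
    printf 'lxc.uts.name = arch239\nlxc.apparmor.profile = lxc-container-default-cgns\n' > "$d/arch239/config"
    printf '%s\n' "$d"
}

fixture=$(demo_fixture)
audit_lxc_apparmor "$fixture"
check_no_unconfined "$fixture" || true
rm -rf "$fixture"
```

Run it against a real host with `check_no_unconfined /var/lib/lxc` (or the path your containers use); a non-zero exit means at least one guest is running without AppArmor confinement.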

Isn’t this an AppArmor issue? Not sure that this is the right forum to send such a reminder IMHO.

Not directly; the direct cause of the error is lxc not allowing such mounts. This is explained in the bug trackers.


Not sure how this is being construed as a reminder, considering this is a user forum and the bug trackers are referenced?