3.0.3 - systemd 240.0-3 -networkd.service not starting in unprivileged container


#1
host unprivileged guest
system x86_64
os ubuntu cosmic arch linux rolling
kernel 4.18.0-13
sytemd 239-7 240.0-3

Looks like another fine systemd mess coming to lxc.

Just made the mistake and updated the guest’s systemd package to v240 and since then

systemd-networkd.service: Failed to set up mount namespacing: Permission denied

Another arch linux guest with systemd 239.370-1 does not exhibit the issue.


#4

Appears to be an AppArmor (apparmor_parser) issue at the ubuntu host

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1811248


#5

Almost one month after the bug been reported there is no traceable development from AppArmor and the issue has meantime a tail riding on the bug

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1813622

https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=030919ba5e4931d6ee576d0259fae67fe4ed9770


It seems that currently the only way to keep unprivileged lxc guests with systemd v240 alive, other than from the unbuntu distro, is with lxc.apparmor.profile = unconfined which though defeats the purpose of AppArmor.