3.0.3 - systemd 240.0-3 - networkd.service not starting in unprivileged container


#1
                host             unprivileged guest
system          x86_64
os              ubuntu cosmic    arch linux rolling
kernel          4.18.0-13
systemd         239-7            240.0-3

Looks like another fine systemd mess coming to lxc.

Just made the mistake of updating the guest’s systemd package to v240, and since then:

systemd-networkd.service: Failed to set up mount namespacing: Permission denied

Another arch linux guest with systemd 239.370-1 does not exhibit the issue.


#4

Appears to be an AppArmor (apparmor_parser) issue at the ubuntu host

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1811248


#5

Almost one month after the bug was reported there is no traceable development from AppArmor, and in the meantime the issue has a tail riding on the bug

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1813622

https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=030919ba5e4931d6ee576d0259fae67fe4ed9770


It seems that currently the only way to keep unprivileged lxc guests with systemd v240 alive, other than with the ubuntu distro, is with lxc.apparmor.profile = unconfined, which, though, defeats the purpose of AppArmor.


#6

After having upgraded the host to:

ubuntu disco (19.04) | kernel 5.0.0-13 | aa 2.13.2-9 | systemd 240-6

the issue is still present and no news on the respective bug trackers.


(David Negreira) #7

Isn’t this an AppArmor issue? Not sure that this is the right forum to send such a reminder IMHO.


#8

Not directly; the direct cause of the error is lxc not allowing such mounts. This is explained in the bug trackers.


Not sure how this is being construed as a reminder, considering this is a user forum and the bug trackers are referenced?