Best practices for apparmor and systemd-networkd for Debian sid container?

On a Debian bullseye host, I created an unprivileged Debian sid container, which now sees the exciting change from ifupdown to systemd-networkd (presumably images/debian: Enable networkd for bullseye, bookworm and sid · lxc/lxc-ci@6e7038c · GitHub).

Networking no longer “just works” like it used to, for example, ping:

ping: deb.debian.org: Temporary failure in name resolution

I did

root@sidcontainer:~# systemctl enable systemd-networkd
root@sidcontainer:~# systemctl start systemd-networkd
Job for systemd-networkd.service failed because the control process exited with error code.
See "systemctl status systemd-networkd.service" and "journalctl -xeu systemd-networkd.service" for details.

root@sidcontainer:~# journalctl -eu systemd-networkd.service
Apr 06 09:56:58 sidcontainer systemd[1]: Starting Network Configuration...
Apr 06 09:56:58 sidcontainer systemd[162]: systemd-networkd.service: Failed to set up mount namespacing: Permission denied
Apr 06 09:56:58 sidcontainer systemd[162]: systemd-networkd.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-networkd: Permission denied
Apr 06 09:56:58 sidcontainer systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 06 09:56:58 sidcontainer systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Apr 06 09:56:58 sidcontainer systemd[1]: Failed to start Network Configuration.
Apr 06 09:56:58 sidcontainer systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 1.
Apr 06 09:56:58 sidcontainer systemd[1]: Stopped Network Configuration.

On the host, I see in /var/log/syslog:

Apr  6 05:56:58 myhostname kernel: [123820.651799] audit: type=1400 audit(1649239018.374:215): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=2443287 comm="(networkd)" flags="rw, rslave"

I therefore added

lxc.apparmor.profile = unconfined

to my container’s config, and I was then able to bring up networking.

However, this seems a very large hammer for such a basic task as enabling networking. Is there a better way to do this?

Thanks
–ken
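The host-side syslog line above is the piece of evidence that ties the in-container NAMESPACE failure to the AppArmor profile. As an added example (not code from the poster or from the LXC project), the following Python parses such type=1400 audit records into their fields and flags the ones where an lxc- profile denied a mount, which is what a host operator would want to pick out of syslog or journalctl before deciding whether to loosen the profile. The sample line is constructed to mirror the one quoted in the post; the field names (apparmor, operation, profile, comm, flags) are the kernel's own audit keys.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the host /var/log/syslog entry quoted above.
SAMPLE_DENIAL = (
    'Apr  6 05:56:58 myhostname kernel: [123820.651799] audit: type=1400 '
    'audit(1649239018.374:215): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxc-container-default-cgns" '
    'name="/" pid=2443287 comm="(networkd)" flags="rw, rslave"'
)

# Constructed sample of a record that is not a denial (complain-mode style "ALLOWED").
SAMPLE_ALLOWED = (
    'Apr  6 05:57:01 myhostname kernel: [123823.000000] audit: type=1400 '
    'audit(1649239021.000:216): apparmor="ALLOWED" operation="open" '
    'profile="lxc-container-default-cgns" name="/etc/hosts" pid=2443300 comm="cat"'
)

# Audit fields are space separated: key="quoted value" or key=bareword (e.g. error=-13).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch seconds>.<millis>:<serial>): <fields...>
_AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')


def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an AppArmor (type=1400) audit record, or None for other lines."""
    if 'type=1400' not in line:
        return None
    m = _AUDIT_RE.search(line)
    if not m:
        return None
    fields = {'timestamp': m.group('ts'), 'serial': m.group('serial')}
    for key, quoted, bare in _KV_RE.findall(m.group('body')):
        fields[key] = quoted if quoted else bare
    return fields


def is_container_mount_denial(fields: Dict[str, str]) -> bool:
    """True when an LXC container profile denied a mount operation.

    In the post's case the mount is systemd setting up the service's private mount
    namespace (the NAMESPACE step remounts / as rslave), which the default profile
    does not permit for "/" with those flags.
    """
    return (fields.get('apparmor') == 'DENIED'
            and fields.get('operation') == 'mount'
            and fields.get('profile', '').startswith('lxc-'))


def summarize(line: str) -> Optional[str]:
    """One-line summary of a container mount denial, or None if the line is not one."""
    fields = parse_apparmor_audit(line)
    if not fields or not is_container_mount_denial(fields):
        return None
    return (f"profile={fields['profile']} denied mount of {fields.get('name', '?')} "
            f"by {fields.get('comm', '?')} (pid {fields.get('pid', '?')}) "
            f"flags={fields.get('flags', '')!r}: {fields.get('info', '')}")


if __name__ == '__main__':
    for sample in (SAMPLE_DENIAL, SAMPLE_ALLOWED):
        print(summarize(sample))
```

Running it against a real host log would be `journalctl -k | grep 'type=1400'` piped through `summarize()`; the summary makes it explicit which profile, process and flags were involved, so the decision to switch a container to unconfined is made against the actual denial rather than against the NAMESPACE exit status alone.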

@monstermunchkin can you look at this please? thanks

Thanks for the improvements. I confirm that, with lxc.apparmor.profile = unconfined, networking now does Just Work for a Debian sid container.

However, my main question remains: is lxc.apparmor.profile = unconfined now the recommended LXC practice to enable networking for Debian sid, bookworm, and bullseye? I tried lxc.apparmor.profile = lxc-container-default-cgns on the new container, and I still hit the same apparmor="DENIED" problems noted in my original post.

This seems to be an AppArmor issue. The issue mentions that lxc.apparmor.profile = unconfined is the only option here.

Note that this only affects lxc. The Debian images work fine in LXD.