Monday, 15 July 2024

many systemd units failing in oracular LXD containers

Hello,

tl;dr - If e.g. systemd-resolved (among many other systemd services)
fails to start in oracular LXD containers, configure your container
with security.nesting=true (safe for unprivileged containers only).

I wanted to raise awareness of a bug[1] and its workaround because
many people are likely to hit it. The bug is that in LXD containers,
systemd units with credentials[2] will fail to start because setting
up credentials requires bind mounts which are prevented by LXD's
default AppArmor policy. The bug is not new, but in systemd v256 (now
in oracular), many of systemd's own services utilize credentials in
some way, so the bug is more apparent. Most notable is
systemd-resolved.

The LXD team has been very helpful and we are working on resolving
this in LXD. One possibility is that by default, unprivileged (already
the default) LXD containers will have security.nesting=true[3], which
allows more mounts like the ones systemd is attempting. So, in the
mean time, the workaround for this is to configure your *unprivileged*
(this is not safe for privileged containers) containers with
security.nesting=true.

Thanks,
Nick

[1] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2046486
[2] https://systemd.io/CREDENTIALS/
[3] https://github.com/canonical/lxd/issues/13631

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel