Wednesday, 24 July 2024

Re: many systemd units failing in oracular LXD containers

On Mon, Jul 15, 2024 at 10:34:51AM -0400, Nick Rosbrook wrote:
> tl;dr - If e.g. systemd-resolved (among many other systemd services)
> fails to start in oracular LXD containers, configure your container
> with security.nesting=true (safe for unprivileged containers only).

There seems to be a second issue between systemd and lxd which
security.nesting=true doesn't seem to fix:

https://github.com/canonical/lxd/issues/13807

I've just heard that Oracular Raspi pre-install images have been broken
for a week for what appears to be the same reason.

What do you think about kicking this systemd update back to
oracular-proposed until it is resolved properly, and/or uploading a
revert?

Or, even if it's not worth doing it this time, how about this idea in
principle, and/or arranging the necessary CI (where practical) to do it
next time? Given that so much of our own development is based on lxd
nowadays, would it be reasonable to consider any change in the archive
that breaks lxd to require blocking of migration, for the "always be
green" CI principle?

Robie