Friday, 26 July 2024

Re: many systemd units failing in oracular LXD containers

On Wed, Jul 24, 2024 at 09:06:13AM -0400, Nick Rosbrook wrote:
> On Wed, Jul 24, 2024 at 8:18 AM Robie Basak <robie.basak@ubuntu.com> wrote:
> > There seems to be a second issue between systemd and lxd which
> > security.nesting=true doesn't seem to fix:
> >
> > https://github.com/canonical/lxd/issues/13807
>
> I cannot reproduce this with Oracular or Jammy containers running on a
> Noble host. [1] However, also note that my containers are using ext4
> for the rootfs. Are you using ZFS? If so, this sounds similar to [2],
> but we uploaded a workaround in systemd-sysusers for Noble (and it's
> present in upstream >= v256) and I thought the kernel got fixed, too.

Thanks! A newer kernel is what I needed. IIUC, systemd 255.4-1ubuntu8 is
supposed to handle an older kernel with this issue though, and it
doesn't seem to? So I'm not sure if it's the same bug or not.

> > I've just heard that Oracular Raspi pre-install images have been broken
> > for a week for what appears to be the same reason.
>
> Is there a bug you can share? I have not seen details of this yet.

The failures are here:
https://launchpad.net/~ubuntu-cdimage/+livefs/ubuntu/oracular/ubuntu-preinstalled

> > What do you think about kicking this systemd update back to
> > oracular-proposed until it is resolved properly, and/or uploading a
> > revert?
>
> I don't see sufficient evidence that this would help the situation.
> But then again, I am confused about the details of this bug on
> Oracular vs Jammy because your LXD issue is about Jammy, and I have
> not seen any details for the Oracular Raspi issue.

Sorry - I was looking at multiple lxd issues in the same week and I
conflated them. This one was for a Noble host running a Jammy container
and you're right to question that it has nothing to do with Oracular.

I was surprised to see the security.nesting=true workaround going in to
samba in LP: #2046486 though. That, together with developers having to
set security.nesting=true everywhere to continue with their work, does
still seem onerous. If this problem was introduced by a new systemd, why
wouldn't a systemd revert help the situation?

Robie

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel