updating systemd to v240.0 might break its child -networkd.service, at least it does in an unprivileged lxc (v3.0.3) guest by exhibiting
systemd-networkd.service: Failed to set up mount namespacing: Permission denied
With the current lxc version in TOS and a privileged guest the outcome might be different but I thought at least to give a heads up.
Tracing the root cause has narrowed down to ubuntu as host and apparmor_parser having issue with networkd in the guest
audit: type=1400 audit(1547125168.853:722): apparmor=“DENIED” operation=“mount” info=“failed flags match” error=-13 profile=“lxc-container-default-cgns” name=“/” pid=8426 comm=“(networkd)” flags=“rw, rslave”
Due to the correlation of AppArmor’s apparmor_parser issue and LXC’s AppArmor policy for unprivileged guests this is not an issue on the TO since unprivileged containers are not yet feasible.