[lxc systemd] 240.0 might break -networkd.service

lxc
systemd

#1

Updating systemd to v240.0 might break its child -networkd.service; at least it does in an unprivileged lxc (v3.0.3) guest, which exhibits

systemd-networkd.service: Failed to set up mount namespacing: Permission denied

With the current lxc version in TOS and a privileged guest the outcome might be different, but I thought at least to give a heads up.


#2

Tracing the root cause has narrowed it down to Ubuntu as host and apparmor_parser having an issue with networkd in the guest:

audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"
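For anyone who wants to spot this class of denial in the host audit log rather than by reading it by hand, here is an added example (not part of the thread and not LXC or AppArmor project code) that parses type=1400 AppArmor audit lines into fields and flags mount denials raised under an lxc-container-* profile. The sample lines are constructed for the example; the first one mirrors the denial quoted above, the other two are made-up control lines.

```python
import re

# Constructed sample audit lines. The first mirrors the denial quoted in post #2;
# the second and third are made-up control lines that must NOT be flagged.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"
audit: type=1400 audit(1547125170.001:723): apparmor="ALLOWED" operation="open" profile="lxc-container-default-cgns" name="/etc/hosts" pid=8430 comm="cat"
audit: type=1400 audit(1547125171.500:724): apparmor="DENIED" operation="open" profile="unrelated-profile" name="/tmp/x" pid=9000 comm="foo"
"""

# key="quoted value" (may contain spaces, e.g. flags="rw, rslave") or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# audit(<epoch seconds>:<serial>)
TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
INT_FIELDS = ("pid", "error")


def parse_audit_line(line):
    """Return a dict of fields from one AppArmor (type=1400) audit line, or None otherwise."""
    if "type=1400" not in line:
        return None
    fields = {}
    m = TS_RE.search(line)
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    for key, _, quoted, bare in FIELD_RE.findall(line):
        if key == "type":
            continue
        value = quoted if quoted else bare
        if key in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass
        fields[key] = value
    return fields


def is_container_mount_denial(fields):
    """True when the line is a DENIED mount attempted under an LXC container profile."""
    return (
        fields is not None
        and fields.get("apparmor") == "DENIED"
        and fields.get("operation") == "mount"
        and str(fields.get("profile", "")).startswith("lxc-container-")
    )


def find_container_mount_denials(text):
    """Parse every line of an audit log excerpt and return the flagged denials."""
    hits = []
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if is_container_mount_denial(fields):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_container_mount_denials(SAMPLE_AUDIT):
        print(f"serial={hit['serial']} profile={hit['profile']} comm={hit['comm']} "
              f"flags={hit['flags']!r} info={hit['info']!r}")
```

The script is meant to be fed `dmesg` or `/var/log/audit/audit.log` output from the host; the `info="failed flags match"` field together with `flags="rw, rslave"` is what distinguishes this networkd mount-namespacing denial from an ordinary path-based denial.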


#3

Due to the correlation of AppArmor’s apparmor_parser issue and LXC’s AppArmor policy for unprivileged guests, this is not an issue on the TO since unprivileged containers are not yet feasible.