[Bug 1813622] Re: systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

Dimitri John Ledkov launchpad at surgut.co.uk
Mon Jan 28 23:54:11 UTC 2019 

Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"


So systemd v240 tries to setup mount namespace to further contain
execution, and it appears that this is no longer possible inside the lxd
container, due to apparmor denies.

I'm not sure if this is a bug/feature of systemd | snapd | lxd |
apparmor, as all of these are involved.

** Summary changed:

- systemd-resolved fails to start in a container
+ systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

** Also affects: lxd (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1813622

Title:
  systemd-resolved, systemd-networkd and others fail to start in lxc
  container with v240 systemd

Status in apparmor package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  This is a regression from 239-7ubuntu15 to 240-5ubuntu1.

  Steps to reproduce:

  lxc launch ubuntu-daily:disco rbasak-resolv
  lxc exec rbasak-resolv bash
  systemctl status systemd-resolved  # observe running
  echo "deb http://archive.ubuntu.com/ubuntu/ disco-proposed main universe multiverse restricted" >> /etc/apt/sources.list
  apt update
  # Update to 240-5ubuntu1 from proposed
  apt install systemd libsystemd0 systemd-sysv libnss-systemd libpam-systemd
  reboot
  lxc exec rbasak-resolv bash
  systemctl status systemd-resolved  # observe failed

  ● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2019-01-28 16:50:37 UTC; 2min 28s ago
       Docs: man:systemd-resolved.service(8)
             https://www.freedesktop.org/wiki/Software/systemd/resolved
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
    Process: 290 ExecStart=/lib/systemd/systemd-resolved (code=exited, status=226/NAMESPACE)
   Main PID: 290 (code=exited, status=226/NAMESPACE)

  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Service has no hold-off time (RestartSec=0), scheduling restart.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Scheduled restart job, restart counter is at 5.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: Stopped Network Name Resolution.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Start request repeated too quickly.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: systemd-resolved.service: Failed with result 'exit-code'.
  Jan 28 16:50:37 rbasak-resolv systemd[1]: Failed to start Network Name Resolution.

  This causes /etc/resolv.conf to point to a file that isn't created, so
  all name resolution fails. As far as I can determine, landing this in
  the release pocket would cause all default LXD containers to stop
  working.

  In my case it breaks "autopkgtest -U --apt-pocket=proposed ... -- lxd
  ubuntu-daily:disco"

  Tagging block-proposed as migration would regress the release pocket,
  and marking Critical as it breaks the system (presumably only in a
  container though, and it is only in proposed currently).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1813622/+subscriptions

More information about the foundations-bugs mailing list