[Bug 1950787] Re: systemd-sysusers cannot mount /dev in privileged containers (to pass credentials)
Aleksandr Mikhalitsyn
1950787 at bugs.launchpad.net
Wed May 24 10:57:52 UTC 2023
Hi Lukas,
yes, we know about that problem and yes, it's our priority to fix that.
We've combined our forces with AppArmor team to fix the issue on the AppArmor side:
https://gitlab.com/apparmor/apparmor/-/merge_requests/333
This is waiting to be merged:
https://github.com/lxc/lxc/pull/4295
We can't merge it now until a new AppArmor release (with the fix) appears
(because merging it right now creates security risks).
Other useful links:
https://github.com/lxc/lxc/issues/4280
https://github.com/lxc/lxc/issues/3371
https://bugs.launchpad.net/apparmor/+bug/1597017
Kind regards,
Alex
** Bug watch added: LXC bug tracker #4280
https://github.com/lxc/lxc/issues/4280
** Bug watch added: LXC bug tracker #3371
https://github.com/lxc/lxc/issues/3371
https://bugs.launchpad.net/bugs/1950787
Title:
systemd-sysusers cannot mount /dev in privileged containers (to pass credentials)
Status in lxd package in Ubuntu:
Invalid
Status in systemd package in Ubuntu:
Fix Released
Bug description:
systemd-sysusers.service/systemd.exec fails to start in privileged containers, due to being unable to properly mount /dev for passing credentials, caused by the following config in the .service unit:
```
# Optionally, pick up a root password and shell for the root user from a
# credential passed to the service manager. This is useful for importing this
# data from nspawn's --set-credential= switch.
LoadCredential=passwd.hashed-password.root
LoadCredential=passwd.plaintext-password.root
LoadCredential=passwd.shell.root
```
Reproducer:
```
$ lxc profile set default security.privileged "true"
$ lxc launch ubuntu-daily:jammy test
$ lxc exec test bash
# add-apt-repository ppa:ci-train-ppa-service/4704
# apt install systemd # install systemd 249.5-2ubuntu1
# systemctl restart systemd-sysusers
# systemctl status systemd-sysusers
# system --status=failed
$ lxc profile set default security.privileged "false"
```
A workaround is to disable it via:
```
$ cat /etc/systemd/system/systemd-sysusers.service.d/override.conf:
[Service]
LoadCredential=
```
Interesting logs:
```
Nov 12 12:09:44 test systemd[1]: systemd-journald.service: Added fd 42 (n/a) to fd store.
Nov 12 12:09:44 test systemd[431]: Mounting /dev (MS_REC|MS_SLAVE "")...
Nov 12 12:09:44 test systemd[431]: Failed to mount n/a (type n/a) on /dev (MS_REC|MS_SLAVE ""): Permission denied
Nov 12 12:09:44 test systemd[430]: (sd-mkdcreds) failed with exit status 1.
Nov 12 12:09:44 test systemd[430]: systemd-sysusers.service: Failed to set up credentials: Protocol error
Nov 12 12:09:44 test systemd[430]: systemd-sysusers.service: Failed at step CREDENTIALS spawning
```
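The override.conf workaround in the description works because systemd applies drop-ins after the main unit file and treats an empty `LoadCredential=` assignment as a reset of the list collected so far, so no credential remains and the sd-mkdcreds step (the one that needs the /dev mount) is skipped. The following is an added example, not code from the bug report or from systemd, that models exactly those two rules over constructed copies of the unit and the drop-in, so you can check which units on a container image still load credentials before switching it to privileged mode:

```python
# Added example, not from the bug report: resolve the effective LoadCredential=
# list of a unit after drop-ins. It models the two systemd rules the override.conf
# workaround relies on: drop-ins in <unit>.d/ are applied after the main unit file,
# in lexical order, and an empty assignment to a list-valued setting resets it.
import re

# Constructed sample: the credential lines from systemd-sysusers.service.
MAIN_UNIT = """\
[Service]
ExecStart=systemd-sysusers
# Optionally, pick up a root password and shell for the root user from a credential
LoadCredential=passwd.hashed-password.root
LoadCredential=passwd.plaintext-password.root
LoadCredential=passwd.shell.root
"""

# Constructed sample: the override.conf drop-in from the report.
OVERRIDE = """\
[Service]
LoadCredential=
"""

def parse_unit(text):
    """Return {section: [(key, value), ...]} in file order; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def effective_list(files, section, key):
    """Apply the main unit, then each drop-in in order, to a list-valued setting."""
    result = []
    for text in files:
        for k, v in parse_unit(text).get(section, []):
            if k == key:
                result = [] if v == "" else result + [v]  # "" resets the list
    return result

def needs_credential_setup(files):
    """True if any LoadCredential= survives, i.e. the unit would still run sd-mkdcreds."""
    return bool(effective_list(files, "Service", "LoadCredential"))
```

Pass the main unit text first and the drop-in texts in lexical filename order, as `systemctl cat` prints them; a later drop-in that adds a `LoadCredential=` again re-enables the credential step.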