[Bug 2107491] [NEW] systemd-creds encryption/decryption doesn't work in a 24.04 container nested in a VM
Daniel Arndt
2107491 at bugs.launchpad.net
Wed Apr 16 18:01:25 UTC 2025
Public bug reported:
From the host (24.10)
```
$ lxc launch ubuntu:24.04 test-container
Launching test-container
$ lxc shell test-container
root@test-container:~# sudo systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAABlMLRMJ/Z7up70ybYAAAAAIUjQa/P9P0y87VU
pfa6dgJcEXpmAVQA1kAbiw1wx7QsZ+zRmQIZnkirZksWLRGEFmUvtI/SIUBHbq5OjKX3aqILa
```
Starting from the host again
```
$ lxc launch ubuntu:24.04 test-vm --vm
Launching test-vm
$ lxc shell test-vm
root@test-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:50:27 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAB0Ao/wlEFy5YSgPAEAAAAAJ7MwNi/rLExNfPF
AZQyVRi7bbyHVAyzGzdr1mRkPXySDsLTt9kDG7vIg4pM9fTJfbL3BpSZB2sYVs0IZg3xsqLDX
root@test-vm:~# sudo snap install lxd
2025-04-15T17:11:34Z INFO Waiting for automatic snapd restart...
lxd (5.21/stable) 5.21.3-c5ae129 from Canonical✓ installed
root@test-vm:~# lxd init --auto
root@test-vm:~# lxc launch ubuntu:24.04 test-vm-container
Launching test-vm-container
root@test-vm:~# lxc shell test-vm-container
root@test-vm-container:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:49:52 UTC' in encrypted credential.
Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to set file attributes for secrets file, ignoring: Operation not supported
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Failed to create credential secret /var/lib/systemd/credential.secret: No such file or directory
Failed to determine local credential host secret: No such file or directory
```
However, it works fine in 24.10:
```
$ lxc launch ubuntu:24.10 test-vm-10 --vm
Launching test-vm-10
$ lxc shell test-vm-10
root@test-vm-10:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:52:29 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAD+X+ujzY3gfPZHR8QAAAAAxj8pPCNloQt7KWv
HIAKL6YKN34DDyvaYPgHmrBW/MQ1/tFp1WW1SNC6jaA9j8yFBUG3PL4ycoxNbzjYXujv/kxtf
root@test-vm-10:~# lxc launch ubuntu:24.10 test-vm-container
Launching test-vm-container
root@test-vm-10:~# lxc shell test-vm-container
root@test-vm-container:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:52:44 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found container virtualization lxc.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAACKfiVSkYQ9eKOfMzkAAAAA+l8lEqCBg/SP5qo
516ZymD/N2J1g0PcoSyOslHDHMnuKzsE74U32P+8KQHYK2GEZSF6SbA6ohKP2K2PAA4ZpNjmj
```
And finally, I've tested this with a 24.10 container inside of a 24.04
VM on a 24.10 host and it works:
```
root@test-vm:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble
root@test-vm:~# lxc launch ubuntu:24.10 test-vm-container-10
Launching test-vm-container-10
root@test-vm:~# lxc shell test-vm-container-10
root@test-vm-container-10:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:57:27 UTC' in encrypted credential.
Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to set file attributes for secrets file, ignoring: Operation not supported
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found container virtualization lxc.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAAAHKYbgWbmKbzxJvwAAAAAZeTe1RVzlU5/tJZ
QWCdFg1iIXKlqm9MvloNnXedwJj+L6dzI7vE1HcdSrIakE//lXmsTImKdPJNuuIuIwFgA95Jl
```
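The debug output above shows the two key sources systemd-creds can draw on: the host secret at /var/lib/systemd/credential.secret, and a TPM2, which it skips inside a container. The failing case is the one where the host secret cannot be created and no TPM2 is available. The script below is an added example for checking those preconditions before relying on systemd-creds in a container; it is not code from this bug report or from systemd. The ROOT prefix argument, the CONTAINER argument (the output of `systemd-detect-virt --container`) and the status words are this example's own conventions; the device nodes /dev/tpmrm0 and /dev/tpm0 are the standard Linux TPM character devices. It diagnoses the state, it does not work around the bug.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd. Preflight
# for the two key sources systemd-creds encrypt/decrypt can use: the host
# secret named in the debug output above and a TPM2. ROOT is a directory
# prefix ("/" on a live system; the test points it at a constructed tree).

CRED_SECRET_REL="var/lib/systemd/credential.secret"   # path from the bug's log

# creds_preflight ROOT -> one status word on stdout, exit 0 only for "ok":
#   no-secret-dir    var/lib/systemd is missing, so nothing can create the key
#   no-secret        directory present, key not generated yet (the first
#                    encrypt call tries to create it; that is the step that
#                    fails with ENOENT in the nested 24.04 container above)
#   secret-too-open  key exists but is group- or world-readable
#   ok               key present and readable only by its owner
creds_preflight() {
    root=${1%/}
    dir="$root/${CRED_SECRET_REL%/*}"
    secret="$root/$CRED_SECRET_REL"
    if [ ! -d "$dir" ]; then
        echo no-secret-dir; return 1
    fi
    if [ ! -f "$secret" ]; then
        echo no-secret; return 1
    fi
    # Anyone who can read this file can decrypt every credential sealed
    # against the host key, so g+r or o+r is a finding, not a warning.
    if [ -n "$(find "$secret" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
        echo secret-too-open; return 1
    fi
    echo ok
}

# tpm2_usable ROOT CONTAINER -> "yes" or "no". CONTAINER is the output of
# `systemd-detect-virt --container` ("none" outside a container). This
# mirrors the log line "System lacks TPM2 support or running in a container":
# inside a container the TPM is skipped even if a device node is visible.
# Only the device nodes are checked; whether the TPM2 stack (libtss2) is
# installed is a separate question the debug log also reports on.
tpm2_usable() {
    root=${1%/}
    if [ "$2" != none ]; then
        echo no; return 1
    fi
    if [ -e "$root/dev/tpmrm0" ] || [ -e "$root/dev/tpm0" ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# creds_report ROOT CONTAINER -> "secret=<status> tpm2=<yes|no>".
# "secret=no-secret tpm2=no" is the combination from which the 24.04
# container nested in a VM has no way to derive an encryption key.
creds_report() {
    status=$(creds_preflight "$1" || true)
    tpm=$(tpm2_usable "$1" "$2" || true)
    echo "secret=$status tpm2=$tpm"
}

# Stand-alone use on a live system (CREDS_ROOT overrides the prefix).
container=$(systemd-detect-virt --container 2>/dev/null)
creds_report "${CREDS_ROOT:-/}" "${container:-none}"
```

Run it as root inside the container before the first `systemd-creds encrypt`: "secret=no-secret-dir" or "secret=no-secret" together with "tpm2=no" means the next encrypt call has to generate the host key, which is exactly the step the nested 24.04 container above fails at. "secret-too-open" is worth acting on regardless of the bug, since the host key protects every credential encrypted on that system.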
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2107491