[Bug 2107491] Re: systemd-creds encryption/decryption doesn't work in a 24.04 container nested in a VM
Nick Rosbrook
2107491@bugs.launchpad.net
Wed Apr 23 13:21:37 UTC 2025
** Changed in: linux (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/2107491
Title:
systemd-creds encryption/decryption doesn't work in a 24.04 container
nested in a VM
Status in linux package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Incomplete
Bug description:
From the host (24.10):
```
$ lxc launch ubuntu:24.04 test-container
Launching test-container
$ lxc shell test-container
root@test-container:~# sudo systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAABlMLRMJ/Z7up70ybYAAAAAIUjQa/P9P0y87VU
pfa6dgJcEXpmAVQA1kAbiw1wx7QsZ+zRmQIZnkirZksWLRGEFmUvtI/SIUBHbq5OjKX3aqILa
```
Starting from the host again:
```
$ lxc launch ubuntu:24.04 test-vm --vm
Launching test-vm
$ lxc shell test-vm
root@test-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:50:27 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAB0Ao/wlEFy5YSgPAEAAAAAJ7MwNi/rLExNfPF
AZQyVRi7bbyHVAyzGzdr1mRkPXySDsLTt9kDG7vIg4pM9fTJfbL3BpSZB2sYVs0IZg3xsqLDX
root@test-vm:~# sudo snap install lxd
2025-04-15T17:11:34Z INFO Waiting for automatic snapd restart...
lxd (5.21/stable) 5.21.3-c5ae129 from Canonical✓ installed
root@test-vm:~# lxd init --auto
root@test-vm:~# lxc launch ubuntu:24.04 test-vm-container
Launching test-vm-container
root@test-vm:~# lxc shell test-vm-container
root@test-vm-container:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:49:52 UTC' in encrypted credential.
Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to set file attributes for secrets file, ignoring: Operation not supported
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Failed to create credential secret /var/lib/systemd/credential.secret: No such file or directory
Failed to determine local credential host secret: No such file or directory
```
However, it works fine in 24.10:
```
$ lxc launch ubuntu:24.10 test-vm-10 --vm
Launching test-vm-10
$ lxc shell test-vm-10
root@test-vm-10:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:52:29 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAD+X+ujzY3gfPZHR8QAAAAAxj8pPCNloQt7KWv
HIAKL6YKN34DDyvaYPgHmrBW/MQ1/tFp1WW1SNC6jaA9j8yFBUG3PL4ycoxNbzjYXujv/kxtf
root@test-vm-10:~# lxc launch ubuntu:24.10 test-vm-container
Launching test-vm-container
root@test-vm-10:~# lxc shell test-vm-container
root@test-vm-container:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:52:44 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found container virtualization lxc.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAACKfiVSkYQ9eKOfMzkAAAAA+l8lEqCBg/SP5qo
516ZymD/N2J1g0PcoSyOslHDHMnuKzsE74U32P+8KQHYK2GEZSF6SbA6ohKP2K2PAA4ZpNjmj
```
And finally, I've tested this with a 24.10 container inside of a 24.04
VM on a 24.10 host and it works:
```
root@test-vm:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble
root@test-vm:~# lxc launch ubuntu:24.10 test-vm-container-10
Launching test-vm-container-10
root@test-vm:~# lxc shell test-vm-container-10
root@test-vm-container-10:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:57:27 UTC' in encrypted credential.
Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to set file attributes for secrets file, ignoring: Operation not supported
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found container virtualization lxc.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAAAHKYbgWbmKbzxJvwAAAAAZeTe1RVzlU5/tJZ
QWCdFg1iIXKlqm9MvloNnXedwJj+L6dzI7vE1HcdSrIakE//lXmsTImKdPJNuuIuIwFgA95Jl
```
lxc configs:
```
root@test-vm:~# lxc config show test-vm-container
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 24.04 LTS amd64 (release) (20250403)
  image.label: release
  image.os: ubuntu
  image.release: noble
  image.serial: "20250403"
  image.type: squashfs
  image.version: "24.04"
  volatile.base_image: 9f684552788a49591b1336a37e943296d346e345252cade971377a8d4df4e9c7
  volatile.cloud-init.instance-id: 3d8edafa-18f7-4397-be7a-8b00565305c5
  volatile.eth0.host_name: veth66f77d0b
  volatile.eth0.hwaddr: 00:16:3e:7f:e9:78
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: 0423d992-bc3b-42ec-a2c5-8c6afacac1df
  volatile.uuid.generation: 0423d992-bc3b-42ec-a2c5-8c6afacac1df
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""
```
```
root@test-vm:~# lxc config show test-vm-container-10
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 24.10 amd64 (release) (20250305)
  image.label: release
  image.os: ubuntu
  image.release: oracular
  image.serial: "20250305"
  image.type: squashfs
  image.version: "24.10"
  volatile.base_image: 68a83c031676d791d378364b42a0a1d50d4234b95dc9eacec3e956a4bbc0aea9
  volatile.cloud-init.instance-id: 14bc2c6c-8a96-4469-b13c-4c1991b229a9
  volatile.eth0.host_name: vethee5b90c0
  volatile.eth0.hwaddr: 00:16:3e:7e:16:82
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 9d2a2577-cab9-44ad-9d3b-5b5ff0bef7d6
  volatile.uuid.generation: 9d2a2577-cab9-44ad-9d3b-5b5ff0bef7d6
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""
```
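The blobs pasted in the report all share one header layout. The following added example (not systemd's code and not part of the report) parses that header using systemd's `encrypted_credential_header` structure and recognises the type id as `CRED_AES256_GCM_BY_HOST`: the credential is sealed with the host secret only, so decrypting it depends on `/var/lib/systemd/credential.secret`, the file the nested 24.04 container fails to create and which the debug log notes is not on encrypted media. The sample is the blob from the 24.04 VM run; sizes are reported because the two pasted lines decode to fewer bytes than the 152 the tool logged, which the sanity check flags rather than treating as an error.

```python
"""Header parser for systemd-creds encrypted credential blobs (added example)."""
import base64
import struct
import uuid

# Type id systemd assigns to credentials sealed with the host secret only (no
# TPM2): CRED_AES256_GCM_BY_HOST. Decryption therefore needs the encrypting
# host's /var/lib/systemd/credential.secret, which the debug log says sits on
# unencrypted media and which the nested 24.04 container could not create.
CRED_AES256_GCM_BY_HOST = uuid.UUID("5a1c6a86-df9d-4096-b1d5-a65e0862f19a")

# systemd's struct encrypted_credential_header: sd_id128_t id, then four le32
# fields (key_size, block_size, iv_size, tag_size), then iv[iv_size]. The
# AES-256-GCM ciphertext and 16-byte tag follow the IV.
HEADER = struct.Struct("<16sIIII")

# Blob copied from the report (the `test-vm` run on the 24.04 VM).
VM_BLOB = (
    "Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAB0Ao/wlEFy5YSgPAEAAAAAJ7MwNi/rLExNfPF"
    "AZQyVRi7bbyHVAyzGzdr1mRkPXySDsLTt9kDG7vIg4pM9fTJfbL3BpSZB2sYVs0IZg3xsqLDX"
)


def parse_credential(b64: str) -> dict:
    """Decode one blob and return its header fields plus sanity checks."""
    text = "".join(b64.split())                      # tolerate wrapped output
    raw = base64.b64decode(text + "=" * (-len(text) % 4))
    if len(raw) < HEADER.size:
        raise ValueError("blob shorter than the fixed 32-byte header")
    cid, key_size, block_size, iv_size, tag_size = HEADER.unpack_from(raw)
    iv = raw[HEADER.size:HEADER.size + iv_size]
    body = raw[HEADER.size + iv_size:]               # ciphertext || GCM tag
    host_bound = uuid.UUID(bytes=cid) == CRED_AES256_GCM_BY_HOST
    return {
        "type": "host-secret AES-256-GCM" if host_bound else "other: " + cid.hex(),
        "key_size": key_size, "block_size": block_size,
        "iv_size": iv_size, "tag_size": tag_size, "iv": iv.hex(),
        "total_bytes": len(raw),
        "ciphertext_bytes": len(body) - tag_size,
        # parameters expected for this credential type (AES-256, stream, 96-bit IV, 128-bit tag)
        "params_ok": (key_size, block_size, iv_size, tag_size) == (32, 1, 12, 16),
        # the body must at least carry the tag; anything less means the paste was cut short
        "well_formed": len(iv) == iv_size and len(body) >= tag_size,
    }


if __name__ == "__main__":
    for field, value in parse_credential(VM_BLOB).items():
        print(f"{field:>17}: {value}")
```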