Package: lxc
Version: 1:5.0.2-1+deb12u2

I recently changed cockpit-ws' systemd unit from a static `adduser` to `DynamicUser=yes`. This works great by and large (on Debian 12 and testing and also all currently supported Ubuntu releases). But there's a failure when running the autopkgtest in debci [1] -- it runs into a bug between LXC, the kernel, and possibly seccomp.
This can be reproduced on a Debian 12 VM:

    # create container as per https://ci.debian.net/doc/file.MAINTAINERS.html
    apt install lxc lxc-templates
    apt install -t bookworm-backports debci autopkgtest
    debci setup

    # start and enter container
    lxc-start autopkgtest-unstable-amd64
    lxc-attach -n autopkgtest-unstable-amd64 bash

    # inside the container:
    apt install libnss-systemd

    # create and run DynamicUser unit
    cat <<EOF > /lib/systemd/system/dynuser.service
    [Unit]
    Description=DynamicUser test

    [Service]
    DynamicUser=yes
    User=dynuser
    Group=dynuser
    Type=oneshot
    ExecStart=/bin/true
    RemainAfterExit=yes
    EOF

    systemctl daemon-reload
    systemctl start dynuser
    systemctl status dynuser

That will fail:

    × dynuser.service - DynamicUser test
         Loaded: loaded (/usr/lib/systemd/system/dynuser.service; static)
         Active: failed (Result: exit-code) since Wed 2024-06-19 05:21:32 UTC; 6s ago
     Invocation: 587f9585324e4072920a246959a12334
        Process: 229 ExecStart=/bin/true (code=exited, status=217/USER)
       Main PID: 229 (code=exited, status=217/USER)

    Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: Starting dynuser.service - DynamicUser test...
    Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed to update dynamic user credentials: Permission denied
    Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed at step USER spawning /bin/true: Permission denied
    Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: dynuser.service: Main process exited, code=exited, status=217/USER
    Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: dynuser.service: Failed with result 'exit-code'.
    Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: Failed to start dynuser.service - DynamicUser test.

This does *not* affect Debian testing. I ran the same steps there, and it's fine.
I worked around this in the package by deleting the DynamicUser= option and creating a static user [2], but that's of course very intrusive -- it doesn't test at all what's actually going to happen for real users. I manually tested that DynamicUser= works fine *without* LXC (i.e. right on the host) on Debian 12.

Thanks,

Martin

[1] https://ci.debian.net/packages/c/cockpit/unstable/amd64/47401459/
[2] https://salsa.debian.org/utopia-team/cockpit/-/blob/master/debian/tests/smoke?ref_type=heads
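A preflight check for the failure described in this report, added here as an example and not part of the bug report or of the cockpit or lxc packages: `dynuser_probe` starts a throwaway transient unit with `DynamicUser=yes` through `systemd-run --wait` (so it returns the unit's exit status without writing a unit file under /lib/systemd), and `dynuser_classify` reads `systemctl status` or `journalctl` text and reports whether it carries the signature seen above (exit status 217/USER together with "Failed to update dynamic user credentials"), which distinguishes the container-side credential denial from an ordinary unknown-user failure at the same step. The embedded sample output is constructed from the report's lines; the function names and the `dynuser-probe` unit name are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): preflight for DynamicUser= inside a
# container, run as root before relying on DynamicUser= in an autopkgtest.

# Constructed sample: the relevant lines of the failing `systemctl status`
# output from the report, used to exercise the classifier offline.
DYNUSER_SAMPLE_FAIL='Process: 229 ExecStart=/bin/true (code=exited, status=217/USER)
Main PID: 229 (code=exited, status=217/USER)
Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed to update dynamic user credentials: Permission denied
Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed at step USER spawning /bin/true: Permission denied'

# Constructed sample of a healthy oneshot unit, for comparison.
DYNUSER_SAMPLE_OK='Active: active (exited) since Wed 2024-06-19 05:21:32 UTC; 6s ago
Process: 229 ExecStart=/bin/true (code=exited, status=0/SUCCESS)'

# dynuser_classify: read status/journal text on stdin and print one verdict:
#   credentials-denied  exit 217/USER plus the DynamicUser credential error
#                       (the LXC-in-container failure from the report)
#   user-step-failed    exit 217/USER for another reason (e.g. unknown User=)
#   ok                  no failure at the USER step in the text
dynuser_classify() {
    _text=$(cat)
    if printf '%s\n' "$_text" | grep -q 'status=217/USER'; then
        if printf '%s\n' "$_text" | grep -q 'Failed to update dynamic user credentials'; then
            echo credentials-denied
        else
            echo user-step-failed
        fi
    else
        echo ok
    fi
}

# dynuser_probe: run a transient unit with DynamicUser=yes and return its exit
# status. --wait blocks until the unit finishes, --collect unloads it even
# after failure. The unit name "dynuser-probe" is hypothetical.
dynuser_probe() {
    systemd-run --wait --quiet --collect -u dynuser-probe \
        -p DynamicUser=yes "${1:-/bin/true}"
}

# dynuser_report: probe, and on failure classify the unit's journal lines.
dynuser_report() {
    if dynuser_probe "$@"; then
        echo ok
    else
        journalctl -u dynuser-probe --no-pager -o cat | dynuser_classify
    fi
}
```

Run `dynuser_report` inside the container: `ok` means DynamicUser= is usable there, `credentials-denied` is the signature from this report, and `user-step-failed` points at a plain user lookup problem (for instance libnss-systemd missing from the NSS configuration) rather than at the container runtime.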