That's a good catch. I didn't notice that it works correctly with a 24.04 container on a 24.10 host, which is very odd. I've just tested it myself to ensure consistent behaviour.
https://bugs.launchpad.net/bugs/2107491

Title:
  systemd-creds encryption/decryption doesn't work in a 24.04 container nested in a VM

Status in linux package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Incomplete

Bug description:

From the host (24.10)

```
$ lxc launch ubuntu:24.04 test-container
Launching test-container
$ lxc shell test-container
root@test-container:~# sudo systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAABlMLRMJ/Z7up70ybYAAAAAIUjQa/P9P0y87VU
pfa6dgJcEXpmAVQA1kAbiw1wx7QsZ+zRmQIZnkirZksWLRGEFmUvtI/SIUBHbq5OjKX3aqILa
```

Starting from the host again

```
$ lxc launch ubuntu:24.04 test-vm --vm
Launching test-vm
$ lxc shell test-vm
root@test-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:50:27 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAB0Ao/wlEFy5YSgPAEAAAAAJ7MwNi/rLExNfPF
AZQyVRi7bbyHVAyzGzdr1mRkPXySDsLTt9kDG7vIg4pM9fTJfbL3BpSZB2sYVs0IZg3xsqLDX
root@test-vm:~# sudo snap install lxd
2025-04-15T17:11:34Z INFO Waiting for automatic snapd restart...
lxd (5.21/stable) 5.21.3-c5ae129 from Canonical✓ installed
root@test-vm:~# lxd init --auto
root@test-vm:~# lxc launch ubuntu:24.04 test-vm-container
Launching test-vm-container
root@test-vm:~# lxc shell test-vm-container
root@test-vm-container:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:49:52 UTC' in encrypted credential.
Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to set file attributes for secrets file, ignoring: Operation not supported
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Failed to create credential secret /var/lib/systemd/credential.secret: No such file or directory
Failed to determine local credential host secret: No such file or directory
```

However, it works fine in 24.10:

```
$ lxc launch ubuntu:24.10 test-vm-10 --vm
Launching test-vm-10
$ lxc shell test-vm-10
root@test-vm-10:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:52:29 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAD+X+ujzY3gfPZHR8QAAAAAxj8pPCNloQt7KWv
HIAKL6YKN34DDyvaYPgHmrBW/MQ1/tFp1WW1SNC6jaA9j8yFBUG3PL4ycoxNbzjYXujv/kxtf
root@test-vm-10:~# lxc launch ubuntu:24.10 test-vm-container
Launching test-vm-container
root@test-vm-10:~# lxc shell test-vm-container
root@test-vm-container:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:52:44 UTC' in encrypted credential.
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found container virtualization lxc.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAACKfiVSkYQ9eKOfMzkAAAAA+l8lEqCBg/SP5qo
516ZymD/N2J1g0PcoSyOslHDHMnuKzsE74U32P+8KQHYK2GEZSF6SbA6ohKP2K2PAA4ZpNjmj
```

And finally, I've tested this with a 24.10 container inside of a 24.04 VM on a 24.10 host and it works:

```
root@test-vm:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.2 LTS
Release:        24.04
Codename:       noble
root@test-vm:~# lxc launch ubuntu:24.10 test-vm-container-10
Launching test-vm-container-10
root@test-vm:~# lxc shell test-vm-container-10
root@test-vm-container-10:~# SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt --name mysecret - - <<< "This is my secret"
Including credential name 'mysecret' in encrypted credential.
Including timestamp 'Wed 2025-04-16 17:57:27 UTC' in encrypted credential.
Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to set file attributes for secrets file, ignoring: Operation not supported
Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
Found container virtualization lxc.
Loaded 'libtss2-esys.so.0' via dlopen()
libtss2-rc.so.0 is not installed: libtss2-rc.so.0: cannot open shared object file: No such file or directory
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).
Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAAAAHKYbgWbmKbzxJvwAAAAAZeTe1RVzlU5/tJZ
QWCdFg1iIXKlqm9MvloNnXedwJj+L6dzI7vE1HcdSrIakE//lXmsTImKdPJNuuIuIwFgA95Jl
```

lxc configs:

```
root@test-vm:~# lxc config show test-vm-container
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 24.04 LTS amd64 (release) (20250403)
  image.label: release
  image.os: ubuntu
  image.release: noble
  image.serial: "20250403"
  image.type: squashfs
  image.version: "24.04"
  volatile.base_image: 9f684552788a49591b1336a37e943296d346e345252cade971377a8d4df4e9c7
  volatile.cloud-init.instance-id: 3d8edafa-18f7-4397-be7a-8b00565305c5
  volatile.eth0.host_name: veth66f77d0b
  volatile.eth0.hwaddr: 00:16:3e:7f:e9:78
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: 0423d992-bc3b-42ec-a2c5-8c6afacac1df
  volatile.uuid.generation: 0423d992-bc3b-42ec-a2c5-8c6afacac1df
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""
```

```
root@test-vm:~# lxc config show test-vm-container-10
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 24.10 amd64 (release) (20250305)
  image.label: release
  image.os: ubuntu
  image.release: oracular
  image.serial: "20250305"
  image.type: squashfs
  image.version: "24.10"
  volatile.base_image: 68a83c031676d791d378364b42a0a1d50d4234b95dc9eacec3e956a4bbc0aea9
  volatile.cloud-init.instance-id: 14bc2c6c-8a96-4469-b13c-4c1991b229a9
  volatile.eth0.host_name: vethee5b90c0
  volatile.eth0.hwaddr: 00:16:3e:7e:16:82
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 9d2a2577-cab9-44ad-9d3b-5b5ff0bef7d6
  volatile.uuid.generation: 9d2a2577-cab9-44ad-9d3b-5b5ff0bef7d6
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""
```
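A small triage helper for the outcomes shown in the sessions above, added here as an example and not part of the bug report, systemd or LXD. It classifies the debug output of `SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt` into the three states seen in the report (host-secret success, TPM2 success, failure to create `/var/lib/systemd/credential.secret`), extracts the virtualization systemd detected, and can run a live encrypt/decrypt round trip where the tool is installed. The sample logs are constructed from the message shapes in the report.

```shell
# Added triage helper; not part of the bug report or of systemd/LXD. It classifies
# the debug output that SYSTEMD_LOG_LEVEL=debug systemd-creds encrypt prints into
# the outcomes seen above, and can run a live encrypt/decrypt round trip.

# Constructed samples: the message shapes from the report, not verbatim captures.
SAMPLE_NESTED='Unable to set file attribute 0x800000 on n/a, ignoring: Operation not supported
Failed to create credential secret /var/lib/systemd/credential.secret: No such file or directory
Failed to determine local credential host secret: No such file or directory'
SAMPLE_VM='Found container virtualization none.
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).'
SAMPLE_CONTAINER='Found container virtualization lxc.
System lacks TPM2 support or running in a container, not attempting to use TPM2.
Input of 18 bytes grew to output of 152 bytes (+744%).'

# classify_creds_log: read debug output on stdin and print one outcome:
#   ok-host-secret  encrypted with the host secret in /var/lib/systemd/credential.secret
#   ok-tpm2         encrypted with a TPM2-backed key
#   fail-no-secret  host secret could not be created (the nested-container failure)
#   fail-unknown    no recognizable outcome in the log
classify_creds_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Failed to create credential secret'; then
        echo fail-no-secret; return 1
    fi
    if printf '%s\n' "$log" | grep -q 'Input of [0-9]* bytes grew to output'; then
        if printf '%s\n' "$log" | grep -q 'not attempting to use TPM2'; then
            echo ok-host-secret
        else
            echo ok-tpm2
        fi
        return 0
    fi
    echo fail-unknown; return 2
}

# virt_from_log: print the virtualization systemd-creds detected ("none", "lxc", ...),
# or nothing if the log carries no such line.
virt_from_log() {
    sed -n 's/^Found container virtualization \([A-Za-z0-9_-]*\)\.$/\1/p' | head -n 1
}

# live_roundtrip: on a machine with systemd-creds, encrypt a probe and decrypt it
# again; 0 = works, 1 = encrypt or decrypt failed, 3 = tool not installed.
live_roundtrip() {
    command -v systemd-creds >/dev/null 2>&1 || return 3
    blob=$(printf 'probe' | systemd-creds encrypt --name probe - - 2>/dev/null) || return 1
    back=$(printf '%s' "$blob" | systemd-creds decrypt --name probe - - 2>/dev/null) || return 1
    [ "$back" = "probe" ]
}
```

Run `live_roundtrip` inside the nested container and the VM to compare: in the failing case it returns 1 because the encrypt step exits before writing any credential.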