[Bug 1813622] Re: systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

Dimitri John Ledkov Mon, 28 Jan 2019 16:01:36 -0800

Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 
profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" 
name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, 
nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" 
name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, 
nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 
profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" 
name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, 
nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" 
name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, 
nosuid, nodev, remount, bind"



So systemd v240 tries to setup mount namespace to further contain
execution, and it appears that this is no longer possible inside the lxd
container, due to apparmor denies.

I'm not sure if this is a bug/feature of systemd | snapd | lxd |
apparmor, as all of these are involved.

** Summary changed:

- systemd-resolved fails to start in a container
+ systemd-resolved, systemd-networkd and others fail to start in lxc container 
with v240 systemd

** Also affects: lxd (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1813622

Title:
  systemd-resolved, systemd-networkd and others fail to start in lxc
  container with v240 systemd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1813622/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1813622] Re: systemd-resolved, systemd-networkd and others fail to start in lxc container with v240 systemd

Reply via email to