Hi,

it's been brought to my attention [1] that the systemd master branch, which should become v240 soonish, includes changes to its namespacing behavior that may break a great number of services when run in a LXC container with AppArmor enabled.
[1] https://bugs.debian.org/911806

This has been discussed and worked on quite a bit in systemd upstream in the last few months, but AFAICT the focus has been on making the systemd test suite pass inside containers, e.g. by skipping specific tests when the privileges systemd needs to set up its namespacing are not available. Christian Brauner has been very helpful there.

My concern is that we may be missing another part of the problem, i.e. if/how these changes will break real-world use cases outside of the "run some CI jobs in LXC" context; skipping test cases won't help there.

I did not test this myself, but my understanding is that the AppArmor policy we ship for LXC in Debian (the pristine 2.0.9 upstream one) prevents systemd from setting up its namespacing inside a LXC container, which used to be silently ignored but is now a fatal error. If my hunch is correct, then this will break LXC containers that run systemd v240+ in any distro that enables a similar AppArmor policy.

I don't use LXC myself, and I know very little about Linux namespaces and their interaction with AppArmor in a LXC context, so I'm not in a position to do much about this. If the issue I'm wary of actually exists and is not addressed in time for the Debian Buster freeze, the best I will be able to do is to recommend that the Debian LXC maintainers turn AppArmor confinement of containers off by default.

So here is a call for help to anyone who cares about running systemd in LXC containers confined by AppArmor and has the skills to investigate this further :)

Thanks in advance!

For those who want to dive deeper, these should be good starting points:

https://github.com/systemd/systemd/issues/10166
https://github.com/systemd/systemd/issues/9700
https://github.com/systemd/systemd/issues/10011
https://github.com/systemd/systemd/pull/10012

Cheers,
-- 
intrigeri
