Bug#1042880: systemd: service with PrivateNetwork=yes fails to start inside a lxc container

2023-08-02 Thread Michael Biebl

On 02.08.23 at 16:14, Simon McVittie wrote:
> On Wed, 02 Aug 2023 at 13:13:05 +0200, Michael Biebl wrote:
> > Are you by any chance using unprivileged containers?
>
> I don't know, but not intentionally! My test VM had no special
> configuration and no lxc before starting the steps-to-reproduce, so I
> was using whatever is the default in bookworm.

Ok, I can reproduce the issue in a bookworm test VM.
After upgrading that VM to trixie, the issue appears to be gone.
Bug#1042880: systemd: service with PrivateNetwork=yes fails to start inside a lxc container

2023-08-02 Thread Simon McVittie
On Wed, 02 Aug 2023 at 13:13:05 +0200, Michael Biebl wrote:
> Are you by any chance using unprivileged containers?

I don't know, but not intentionally! My test VM had no special
configuration and no lxc before starting the steps-to-reproduce, so I
was using whatever is the default in bookworm.

smcv



Bug#1042880: systemd: service with PrivateNetwork=yes fails to start inside a lxc container

2023-08-02 Thread Michael Biebl

Hi Simon

On 02.08.23 at 12:32, Simon McVittie wrote:
> However, in a lxc container, this isn't working for me, causing
> autopkgtest failure for policykit-1 (>= 123) (which I'm going to work
> around by removing the PrivateNetwork=yes option for now). This is
> important because ci.debian.net can currently only test packages in an
> lxc container.
>
> Steps to reproduce
> ==

I'm not able to reproduce the issue (running LXC on Debian sid).
I use privileged LXC containers with the following config:

# cat /etc/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.apparmor.profile = unconfined


Are you by any chance using unprivileged containers?

Bug#1042880: systemd: service with PrivateNetwork=yes fails to start inside a lxc container

2023-08-02 Thread Simon McVittie
Package: systemd
Version: 254-1
Severity: normal
X-Debbugs-Cc: l...@packages.debian.org

The PrivateNetwork=yes option hardens services by putting them in a private
network namespace.

systemd.exec(5) says:
> Note that the implementation of this setting might be impossible (for
> example if network namespaces are not available), and the unit should be
> written in a way that does not solely rely on this setting for security.

which makes me think that the intended behaviour of this option is: if
possible, put the service in a private network namespace, but if that's
not possible, then launch it anyway.

However, in a lxc container, this isn't working for me, causing
autopkgtest failure for policykit-1 (>= 123) (which I'm going to work
around by removing the PrivateNetwork=yes option for now). This is
important because ci.debian.net can currently only test packages in an
lxc container.

Steps to reproduce
==

On a Debian 12 'bookworm' system (I used a throwaway VM created by
autopkgtest-build-qemu to get a somewhat reproducible environment):

# apt install ca-certificates debootstrap libpam-cgfs lxcfs lxc-templates \
  rsync uidmap autopkgtest
# autopkgtest-build-lxc debian trixie amd64
# lxc-start autopkgtest-trixie-amd64
# lxc-attach autopkgtest-trixie-amd64
root@autopkgtest-trixie-amd64:~# cat > /lib/systemd/system/test.service <

Versions of packages systemd suggests:
ii  libfido2-1         1.13.0-1
pn  libqrencode4
pn  libtss2-esys-3.0.2-0
pn  libtss2-mu0
pn  libtss2-rc0
pn  polkitd
ii  python3            3.11.4-5
pn  python3-pefile
pn  systemd-boot
pn  systemd-container
pn  systemd-homed
pn  systemd-resolved
pn  systemd-userdbd

Versions of packages systemd is related to:
ii  dbus-user-session  1.14.8-2
pn  dracut
pn  initramfs-tools
pn  libnss-systemd
ii  libpam-systemd     254-1
pn  udev

-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "C.UTF-8",
LANG = "en_GB.utf8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
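The report above describes what PrivateNetwork=yes needs (a fresh network namespace) and a container in which that fails, and the earlier reply asks whether the container is privileged or unprivileged. The script below is an added example for this thread, not code from the bug report, from systemd or from the lxc package: it probes the environment it runs in (host, VM or container) for exactly those two conditions and emits a self-checking test unit. It assumes a Linux /proc and the util-linux `unshare` binary; the unit text in `print_test_unit` is this example's own, not the truncated test.service from the report, and `SAMPLE_HOST_NET_DEV` is a constructed sample, not output captured from the reporter's VM.

```shell
#!/bin/sh
# Added example for this thread; not code from the bug report or from systemd.
# Probes whether the environment it runs in (host, VM, LXC container) can give
# systemd what PrivateNetwork=yes needs: permission to create a new network
# namespace. Assumes a Linux /proc and util-linux `unshare`. The unit text in
# print_test_unit is this example's own, not the truncated test.service from
# the report.

# is_unprivileged_uid_map LINE
# LINE is the first line of /proc/self/uid_map ("inner outer count").
# Returns 0 for a shifted or partial mapping (we are inside a user namespace,
# as in an unprivileged LXC container), 1 for the identity map
# "0 0 4294967295" (initial user namespace: host or privileged container),
# 2 when LINE is empty (file unreadable).
is_unprivileged_uid_map() {
    [ -n "$1" ] || return 2
    set -- $1
    if [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ]; then
        return 1
    fi
    return 0
}

in_user_namespace() {
    is_unprivileged_uid_map "$(head -n 1 /proc/self/uid_map 2>/dev/null)"
}

# can_make_netns
# Returns 0 if unshare(CLONE_NEWNET) is allowed here. This is the operation
# systemd performs for PrivateNetwork=; it needs CAP_SYS_ADMIN in the current
# user namespace, and a seccomp or AppArmor policy can still deny it.
can_make_netns() {
    unshare -n true 2>/dev/null
}

# list_interfaces < /proc/<pid>/net/dev
# Prints the interface names in a net/dev listing, one per line. /proc/<pid>/net
# is per network namespace, so inside a private namespace only lo should appear.
list_interfaces() {
    awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }'
}

# only_loopback < /proc/<pid>/net/dev: returns 0 if lo is the only interface.
only_loopback() {
    [ "$(list_interfaces | tr '\n' ' ')" = "lo " ]
}

# Constructed sample of /proc/self/net/dev on a machine with lo and eth0
# (not captured from the reporter's VM); used to exercise the parser.
SAMPLE_HOST_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0: 9876543   12345    0    0    0     0          0        12  4567890    6789    0    0    0     0       0          0'

# print_test_unit
# Emits a oneshot unit that fails unless it really runs in a private network
# namespace: /proc/self/net/dev then has its two header lines plus lo, i.e.
# exactly three lines. This verifies the isolation instead of trusting the
# setting, which is what the systemd.exec(5) caveat asks for.
print_test_unit() {
    cat <<'EOF'
[Unit]
Description=check that PrivateNetwork=yes really isolates this service

[Service]
Type=oneshot
PrivateNetwork=yes
ExecStart=/bin/sh -c 'awk "END { exit NR != 3 }" /proc/self/net/dev || { echo "not isolated"; exit 1; }'
EOF
}

main() {
    in_user_namespace
    case $? in
        0) echo "user namespace: yes (looks like an unprivileged container)" ;;
        1) echo "user namespace: no (initial user namespace)" ;;
        *) echo "user namespace: unknown (cannot read /proc/self/uid_map)" ;;
    esac
    if can_make_netns; then
        echo "unshare -n: allowed, systemd can set up PrivateNetwork= here"
    else
        echo "unshare -n: denied, systemd cannot create the namespace here"
    fi
    if [ -r /proc/self/net/dev ]; then
        echo "interfaces visible to this shell: $(list_interfaces < /proc/self/net/dev | tr '\n' ' ')"
    fi
}

main "$@"
```

Run it as root inside the container (`lxc-attach`, then `sh probe.sh`): if `unshare -n` is denied there, systemd cannot satisfy PrivateNetwork= either, and the AppArmor or seccomp settings of the container config are the first thing to compare against the privileged configuration quoted in the thread. Writing the emitted unit to /etc/systemd/system/ and running `systemctl start` on it gives a pass/fail that checks the actual namespace rather than the presence of the option.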