[Bug 1783305] Re: apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container
*** This bug is a duplicate of bug 1780227 ***
https://bugs.launchpad.net/bugs/1780227

This is an AppArmor bug that I reported and which is tracked here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227

So please close here in favor of that bug.

Christian

** Changed in: lxd (Ubuntu)
   Status: New => Invalid

** Changed in: systemd (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1783305

Title:
  apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1783305/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1770481] [NEW] core: fall back to bind-mounts for PrivateDevices= execution environments
Public bug reported:

Hey,

Currently any service that has PrivateDevices=true set will fail to start in unprivileged containers since mknod is not possible, and in privileged containers that drop CAP_MKNOD.

I pushed a patch to systemd upstream that solves this problem and makes PrivateDevices usable in both scenarios. It would be great if this could be backported to Ubuntu 16.04 and 18.04. We already have a lot of users that would like this feature enabled/don't want to edit each service file:

16498617443da94533ef9ae28be0ffaace40c526 : https://github.com/systemd/systemd/commit/af984e137e7f53ca3e2fd885b03a25e17fdd0fad
af984e137e7f53ca3e2fd885b03a25e17fdd0fad : https://github.com/systemd/systemd/commit/16498617443da94533ef9ae28be0ffaace40c526

Thanks!
Christian

** Affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1770481
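The fallback the report asks for, as an added illustration that is not systemd's code and not the linked upstream patch: try mknod() first; when the kernel refuses it with EPERM or EACCES (no CAP_MKNOD, as in the container cases above), create an empty regular file and bind-mount the host device node over it. The directory under /tmp, the device name "null" and the major/minor 1:3 are constructed for the demo; the enum and function names are my own.

```c
/* Added example (not systemd's code): per-device-node fallback from
 * mknod() to an MS_BIND mount when mknod is not permitted. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

enum dev_setup {
    DEV_SETUP_MKNOD = 0,    /* node created with mknod() */
    DEV_SETUP_BIND = 1,     /* bind-mounted from the host node */
    DEV_SETUP_FAILED = -1,  /* neither worked; errno says why */
};

/* Does this errno mean "mknod is not allowed in this environment"
 * (as opposed to EEXIST, ENOENT, ... which are unrelated problems)? */
int mknod_refused(int err) {
    return err == EPERM || err == EACCES;
}

/* Create dir/name as a copy of the host device host_path (major maj,
 * minor mnr). Returns one of enum dev_setup. */
enum dev_setup setup_device_node(const char *dir, const char *name,
                                 const char *host_path,
                                 unsigned maj, unsigned mnr) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);

    /* Preferred: a real character device node. */
    if (mknod(path, S_IFCHR | 0666, makedev(maj, mnr)) == 0)
        return DEV_SETUP_MKNOD;
    if (!mknod_refused(errno))
        return DEV_SETUP_FAILED;

    /* Fallback: an empty regular file as the mount point, then bind-mount
     * the host node over it. The bind mount carries the host node's
     * identity, so CAP_MKNOD is not needed for this path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0666);
    if (fd < 0)
        return DEV_SETUP_FAILED;
    close(fd);
    if (mount(host_path, path, NULL, MS_BIND, NULL) != 0) {
        int saved = errno;
        unlink(path);  /* do not leave a misleading plain file behind */
        errno = saved;
        return DEV_SETUP_FAILED;
    }
    return DEV_SETUP_BIND;
}

int main(void) {
    char tmpl[] = "/tmp/privdev.XXXXXX";  /* constructed demo directory */
    char *dir = mkdtemp(tmpl);
    if (!dir) { perror("mkdtemp"); return 1; }
    enum dev_setup r = setup_device_node(dir, "null", "/dev/null", 1, 3);
    printf("%s/null: %s\n", dir,
           r == DEV_SETUP_MKNOD ? "created with mknod" :
           r == DEV_SETUP_BIND ? "bind-mounted from /dev/null" :
           strerror(errno));
    return r == DEV_SETUP_FAILED;
}
```

Run it once on a host with CAP_MKNOD and once inside an unprivileged container to see the two branches; the mount step still needs CAP_SYS_ADMIN in the container's user namespace, which an unprivileged container's init normally has.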
[Bug 1734410] [NEW] systemd: handle undelegated cgroup2 hierarchy
Public bug reported:

Hey everyone,

Current systemd versions all fail when the unified cgroup hierarchy is not writable. This is especially problematic in containers where the systemd administrator might decide to not delegate the unified hierarchy, or when running with a liblxc driver that doesn't yet know how to handle the unified cgroup hierarchy.

I've pushed patches to systemd upstream that let systemd ignore the non-delegated unified hierarchy. The relevant commits are:

e07aefbd675b651f8d45b5fb458f2747b04d6e04
2d56b80a1855836abf1d7458394c345ad9d55382
1ff654e28b7b8e7d0a0be33522a84069ac6b07c0

These patches will be in 235 but should be backported from xenial upwards.

Christian

** Affects: systemd (Ubuntu)
   Importance: Undecided
   Assignee: Dimitri John Ledkov (xnox)
   Status: New

https://bugs.launchpad.net/bugs/1734410
[Bug 1734409] [NEW] systemd-sysctl: exit gracefully on EPERM/EACCESS
Public bug reported:

Hi everyone,

systemd-sysctl in systemd versions prior to 232 will exit with FAILED when not being able to apply kernel variables. In containers it should simply move on and exit with SUCCESS. Upstream systemd carries appropriate patches for this already. The relevant commits are:

411e869f497c7c7bd0688f1e3500f9043bc56e48
39540de8abe24886693ca29a9caeea85c88089aa

These should be backported to xenial's systemd.

Christian

** Affects: systemd (Ubuntu)
   Importance: Undecided
   Assignee: Dimitri John Ledkov (xnox)
   Status: New

https://bugs.launchpad.net/bugs/1734409
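The behaviour the report asks for, as an added illustration that is not systemd-sysctl's code and not the listed upstream commits: write each key into a /proc/sys-style tree, count EPERM/EACCES as "not ours to change in this container" and keep going, and count any other error as a real failure that should make the run exit FAILED. The sysctl_* function names, the ENOENT-is-fatal choice for unknown keys, and the temporary tree built under /tmp by demo_run() are all mine.

```c
/* Added example (not systemd-sysctl's code): apply sysctl settings and
 * treat EPERM/EACCES as skippable, every other error as a hard failure. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy from the report: a container is often not allowed to touch a
 * kernel variable; that must not fail the whole unit. */
int sysctl_error_is_ignorable(int err) {
    return err == EPERM || err == EACCES;
}

/* Write value to <proc_sys_root>/<key with '.' replaced by '/'>.
 * Returns 0 on success, -errno on failure. */
int sysctl_write(const char *proc_sys_root, const char *key, const char *value) {
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s", proc_sys_root, key);
    if (n < 0 || (size_t)n >= sizeof path)
        return -ENAMETOOLONG;
    for (char *p = path + strlen(proc_sys_root) + 1; *p; p++)
        if (*p == '.') *p = '/';
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, value, strlen(value));
    int err = w < 0 ? errno : 0;
    close(fd);
    return err ? -err : 0;
}

/* Apply all settings. Returns the number of hard failures; *skipped gets
 * the number of EPERM/EACCES keys. Exit status should be SUCCESS when the
 * return value is 0, regardless of how many were skipped. */
int sysctl_apply_all(const char *proc_sys_root, const char *const keys[],
                     const char *const values[], size_t n, int *skipped) {
    int failures = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        int r = sysctl_write(proc_sys_root, keys[i], values[i]);
        if (r == 0)
            continue;
        if (sysctl_error_is_ignorable(-r)) {
            fprintf(stderr, "skipping %s: %s\n", keys[i], strerror(-r));
            (*skipped)++;
        } else {
            fprintf(stderr, "failed to write %s: %s\n", keys[i], strerror(-r));
            failures++;
        }
    }
    return failures;
}

/* Self-check on a constructed tree under /tmp (not a real /proc/sys):
 * one writable key and one key that does not exist. Returns 0 when the
 * writable key applied and the missing key was counted as a hard failure. */
int demo_run(void) {
    char root[] = "/tmp/sysctl-demo.XXXXXX";
    if (!mkdtemp(root))
        return -1;
    char p1[PATH_MAX], p2[PATH_MAX], p3[PATH_MAX];
    snprintf(p1, sizeof p1, "%s/net", root);
    snprintf(p2, sizeof p2, "%s/net/ipv4", root);
    snprintf(p3, sizeof p3, "%s/net/ipv4/ip_forward", root);
    if (mkdir(p1, 0755) != 0 || mkdir(p2, 0755) != 0)
        return -1;
    int fd = open(p3, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    const char *const keys[] = { "net.ipv4.ip_forward", "kernel.does_not_exist" };
    const char *const vals[] = { "1", "0" };
    int skipped = 0;
    int failures = sysctl_apply_all(root, keys, vals, 2, &skipped);
    unlink(p3); rmdir(p2); rmdir(p1); rmdir(root);
    return (failures == 1 && skipped == 0) ? 0 : -1;
}

int main(void) {
    int r = demo_run();
    printf("demo: %s\n", r == 0 ? "ok" : "unexpected result");
    return r != 0;
}
```

Pointing proc_sys_root at the real /proc/sys from inside an unprivileged container shows the skip path: read-only or non-namespaced keys come back EACCES and are logged and skipped rather than failing the run.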
[Bug 1686361] [NEW] systemd does not respect nofile ulimit when running in container
Public bug reported:

When systemd currently starts in a container that has RLIMIT_NOFILE set to e.g. 10, systemd will lower it to 65536 since this value is hard-coded into systemd.

I've pushed a patch to systemd upstream that will try to set the nofile limit to the allowed kernel maximum. If this fails, it will compute the minimum of the current set value (the limit that is set on the container) and the maximum value as soft limit, and the currently set maximum value as the maximum value. This way it retains the limit set on the container.

It would be great if we could backport this patch to have systemd adhere to nofile limits set for the container. This is especially important since user namespaces will allow you to lower the limit but not raise it back up afterwards.

The upstream patch is appended.

** Affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Patch added: "0001-main-improve-RLIMIT_NOFILE-handling-5795.patch"
   https://bugs.launchpad.net/bugs/1686361/+attachment/4868175/+files/0001-main-improve-RLIMIT_NOFILE-handling-5795.patch

https://bugs.launchpad.net/bugs/1686361
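The limit-bumping strategy described in the report, as an added illustration that is not systemd's code and not the attached patch: try to raise RLIMIT_NOFILE to the kernel ceiling read from /proc/sys/fs/nr_open; if setrlimit() refuses with EPERM (which is what a hard limit set on the container produces), keep the container's hard limit and set the soft limit to the smaller of the hard limit and the target. The function names, the FALLBACK_NR_OPEN constant, and the split into a pure nofile_fallback() plus an applying bump_rlimit_nofile() are my own.

```c
/* Added example (not systemd's code): raise RLIMIT_NOFILE to the kernel
 * maximum if allowed, otherwise stay within the limit the container set. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Assumed ceiling used only when /proc/sys/fs/nr_open cannot be read. */
#define FALLBACK_NR_OPEN 1048576

/* Read the kernel's per-process open-file ceiling. */
rlim_t read_nr_open(void) {
    FILE *f = fopen("/proc/sys/fs/nr_open", "r");
    unsigned long long v = 0;
    if (f && fscanf(f, "%llu", &v) == 1 && v > 0) {
        fclose(f);
        return (rlim_t)v;
    }
    if (f)
        fclose(f);
    return FALLBACK_NR_OPEN;
}

/* Pure fallback computation: the hard limit stays what the environment
 * (e.g. the container) set; the soft limit is min(hard, target), so a
 * container limit of 10 stays 10 instead of being bumped to a hard-coded
 * 65536. RLIM_INFINITY is the largest rlim_t, so it needs no special case. */
struct rlimit nofile_fallback(struct rlimit current, rlim_t target) {
    struct rlimit out;
    out.rlim_max = current.rlim_max;
    out.rlim_cur = target < current.rlim_max ? target : current.rlim_max;
    return out;
}

/* Apply the strategy. Returns 1 if the target was set, 0 if the fallback
 * was applied, -errno on an unexpected failure. *result receives the
 * limits that were set. */
int bump_rlimit_nofile(rlim_t target, struct rlimit *result) {
    struct rlimit want = { .rlim_cur = target, .rlim_max = target };
    if (setrlimit(RLIMIT_NOFILE, &want) == 0) {
        *result = want;
        return 1;
    }
    /* EPERM: raising the hard limit is not allowed here (no
     * CAP_SYS_RESOURCE, or target above the ceiling). Anything else is
     * a genuine error. */
    if (errno != EPERM)
        return -errno;
    struct rlimit current;
    if (getrlimit(RLIMIT_NOFILE, &current) != 0)
        return -errno;
    want = nofile_fallback(current, target);
    if (setrlimit(RLIMIT_NOFILE, &want) != 0)
        return -errno;
    *result = want;
    return 0;
}

int main(void) {
    struct rlimit before, after;
    getrlimit(RLIMIT_NOFILE, &before);
    int r = bump_rlimit_nofile(read_nr_open(), &after);
    if (r < 0) {
        fprintf(stderr, "setrlimit: errno %d\n", -r);
        return 1;
    }
    printf("before: soft=%llu hard=%llu\n",
           (unsigned long long)before.rlim_cur, (unsigned long long)before.rlim_max);
    printf("after:  soft=%llu hard=%llu (%s)\n",
           (unsigned long long)after.rlim_cur, (unsigned long long)after.rlim_max,
           r == 1 ? "kernel maximum" : "kept container limit");
    return 0;
}
```

Run it under "ulimit -n 10" (or inside a container with a nofile limit) to see the fallback branch keep soft=hard=10; run it unconstrained as root to see the target branch.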