Privileged containers have a much stricter AppArmor policy applied than
unprivileged containers.
That's because unprivileged containers primarily rely on the user namespace to
prevent breakout and taking over of the host, whereas privileged containers rely
entirely on AppArmor.

As AppArmor isn't particularly good at dealing with mounts, especially
with mount namespaces, there is no safe way for us to allow this
operation in privileged containers.

As you point out above, we've recently started using a systemd generator
to dynamically generate unit overrides based on the environment, letting
us disable specific features that interfere with container security.


This is used in all of the community images, so in this case you could try it
by using "images:ubuntu/jammy" instead of "ubuntu-daily:jammy". We've been
considering getting the generator into the lxd-agent-loader package, which is
included in all Ubuntu images, though so far we've found it to be too volatile
for that (we were updating it up to twice a week for a while...).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950787

Title:
  systemd-sysusers cannot mount /dev in privileged containers (to pass
  credentials)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1950787/+subscriptions

