This is looking like a kernel bug to me. I tried the following:
Host   Container  Bug?
-----  ---------  ----
24.04  24.04      Y
24.04  24.10      N
24.10  24.04      N
24.10  24.10      N
The systemd-creds code is slightly different in 24.04 vs 24.10. But
the fact that a 24.04 vs 24.10 *host* makes the difference for a 24.04
*container* points to a kernel issue.
In particular, in the *failing* scenario, I see:
root@test-noble-on-noble:~# strace systemd-creds setup
...SNIP...
writev(2, [{iov_base="\33[0;1;38;5;185m", iov_len=15}, {iov_base="Credential secret file '/var/lib"..., iov_len=108}, {iov_base="\33[0m", iov_len=4}, {iov_base="\r\n", iov_len=2}], 4Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
) = 129
linkat(3, "", 4, "credential.secret", AT_EMPTY_PATH) = -1 ENOENT (No such file or directory)   <-------- Failure
close(3) = 0
close(4) = 0
writev(2, [{iov_base="\33[0;1;31m", iov_len=9}, {iov_base="Failed to setup credentials host"..., iov_len=63}, {iov_base="\33[0m", iov_len=4}, {iov_base="\r\n", iov_len=2}], 4Failed to setup credentials host key: No such file or directory
) = 78
exit_group(1) = ?
+++ exited with 1 +++
root@test-noble-on-noble:~# uname -a
Linux test-container-noble 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC Sat Mar 15 17:40:59 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
But, in the good case, I see:
root@test-noble-on-oracular:~# strace systemd-creds setup
...SNIP...
writev(2, [{iov_base="\33[0;1;38;5;185m", iov_len=15}, {iov_base="Credential secret file '/var/lib"..., iov_len=108}, {iov_base="\33[0m", iov_len=4}, {iov_base="\r\n", iov_len=2}], 4Credential secret file '/var/lib/systemd/credential.secret' is not located on encrypted media, using anyway.
) = 129
linkat(3, "", 4, "credential.secret", AT_EMPTY_PATH) = 0   <-------- Success
fsync(4) = 0
close(3) = 0
close(4) = 0
writev(2, [{iov_base="4096 byte credentials host key s"..., iov_len=38}, {iov_base="\r\n", iov_len=2}], 24096 byte credentials host key set up.
) = 40
exit_group(0) = ?
+++ exited with 0 +++
root@test-noble-on-oracular:~# uname -a
Linux test-container-noble 6.11.0-19-generic #19-Ubuntu SMP PREEMPT_DYNAMIC Wed Feb 12 21:43:43 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
When I first saw this, I thought it might be because CAP_DAC_READ_SEARCH
was missing from effective caps, but I checked and that is not the case.
** Changed in: systemd (Ubuntu)
Status: New => Incomplete
** Changed in: systemd (Ubuntu)
Importance: Undecided => Low
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/2107491
Title:
systemd-creds encryption/decryption doesn't work in a 24.04 container
nested in a VM
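The strace output above shows the sequence systemd-creds uses to write the host key: an anonymous O_TMPFILE in /var/lib/systemd, the key written into it, then linkat(fd, "", dirfd, "credential.secret", AT_EMPTY_PATH) to give it a name, which returns ENOENT on the 6.8 host and 0 on the 6.11 host. The following C program is an added standalone reproducer (not code from the bug report or from systemd) that performs the same open/write/linkat steps in a fresh mkdtemp() scratch directory so the kernel behaviour can be checked without systemd in the picture. When the AT_EMPTY_PATH form fails it also tries the alternative spelling documented in open(2), linking through /proc/self/fd/N with AT_SYMLINK_FOLLOW, so the result distinguishes "AT_EMPTY_PATH specifically is refused" from "O_TMPFILE files cannot be linked here at all". The directory, file name and 4096-byte key content are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* O_TMPFILE, AT_EMPTY_PATH */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Fallbacks in case the headers were included before _GNU_SOURCE took effect
 * (values are the generic Linux ones used on x86 and arm64). */
#ifndef O_TMPFILE
#define O_TMPFILE (020000000 | O_DIRECTORY)
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef AT_SYMLINK_FOLLOW
#define AT_SYMLINK_FOLLOW 0x400
#endif

enum link_result {
    LINK_OK = 0,         /* linkat(fd, "", dfd, name, AT_EMPTY_PATH) worked, like the 6.11 host */
    LINK_VIA_PROCFD = 1, /* AT_EMPTY_PATH failed but the /proc/self/fd path (open(2)) worked */
    LINK_FAILED = 2,     /* both forms failed; *err holds errno of the AT_EMPTY_PATH attempt */
    LINK_NO_TMPFILE = 3, /* openat(O_TMPFILE) refused (e.g. EOPNOTSUPP on this filesystem) */
    LINK_IO_ERROR = 4    /* scratch dir, write, or read-back problem, or content mismatch */
};

static int write_all(int fd, const unsigned char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Same steps as the strace above: anonymous O_TMPFILE in dir, key written and
 * fsync'ed, then named with linkat(AT_EMPTY_PATH). *err gets the errno of the
 * interesting failure, 0 on success. */
int create_key_file(const char *dir, const char *name,
                    const unsigned char *key, size_t len, int *err)
{
    int rc = LINK_IO_ERROR;
    *err = 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) { *err = errno; return LINK_IO_ERROR; }
    int fd = openat(dfd, ".", O_TMPFILE | O_WRONLY | O_CLOEXEC, 0400);
    if (fd < 0) { *err = errno; close(dfd); return LINK_NO_TMPFILE; }

    if (write_all(fd, key, len) < 0 || fsync(fd) < 0) { *err = errno; goto out; }

    if (linkat(fd, "", dfd, name, AT_EMPTY_PATH) == 0) {
        rc = LINK_OK;
    } else {
        *err = errno;                       /* ENOENT in the failing trace */
        char proc[64];
        snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
        rc = linkat(AT_FDCWD, proc, dfd, name, AT_SYMLINK_FOLLOW) == 0
             ? LINK_VIA_PROCFD : LINK_FAILED;
    }
    if (rc != LINK_FAILED)
        fsync(dfd);                         /* the good trace shows fsync(4) on the dir fd */
out:
    close(fd);
    close(dfd);
    return rc;
}

/* Read dir/name back and compare with key: 1 on match, 0 otherwise. */
int key_file_matches(const char *dir, const char *name,
                     const unsigned char *key, size_t len)
{
    char path[4096];
    unsigned char buf[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)len && memcmp(buf, key, len) == 0;
}

/* Run the sequence in a fresh scratch directory under /tmp with a constructed
 * (not random) 4096-byte key, the size the trace reports for the host key.
 * Returns the link_result, downgraded to LINK_IO_ERROR if the file was linked
 * but does not read back identically. Cleans up after itself. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/creds-linkat-XXXXXX";
    unsigned char key[4096];
    char path[sizeof dir + 32];
    int err = 0;
    if (!mkdtemp(dir)) return LINK_IO_ERROR;
    for (size_t i = 0; i < sizeof key; i++) key[i] = (unsigned char)(i * 31 + 7);
    int rc = create_key_file(dir, "credential.secret", key, sizeof key, &err);
    if ((rc == LINK_OK || rc == LINK_VIA_PROCFD) &&
        !key_file_matches(dir, "credential.secret", key, sizeof key))
        rc = LINK_IO_ERROR;
    snprintf(path, sizeof path, "%s/credential.secret", dir);
    unlink(path);
    rmdir(dir);
    printf("%s: result=%d errno=%d (%s)\n", dir, rc, err, err ? strerror(err) : "ok");
    return rc;
}

int main(void) { return demo_in_tmpdir() == LINK_OK ? 0 : 1; }
```

Run it inside the container on each host: result=0 is the behaviour seen on the 6.11 host; result=2 with errno=2 (ENOENT) from the AT_EMPTY_PATH call is the behaviour systemd-creds hit on the 6.8 host, and result=1 would mean only the AT_EMPTY_PATH spelling is refused while the /proc/self/fd form still links the file. Since the scratch directory is on whatever filesystem backs /tmp, point dir at /var/lib/systemd (or another directory on the same filesystem as credential.secret) if you want to rule out a filesystem-specific O_TMPFILE difference.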