The problem here is that the host for the lxd container workers is booted with systemd.unified_cgroup_hierarchy=false on the kernel command line. Starting with systemd v258, only fully unified cgroupv2 is supported.

Since the host is booted with systemd.unified_cgroup_hierarchy=false, the container gets:

  $ mount | grep cgroup
  tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755,uid=1000000,gid=1000000,inode64)
  cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
  cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
  cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
  cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
  cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
  cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
  cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
  cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
  cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
  cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
  cgroup on /sys/fs/cgroup/misc type cgroup (rw,nosuid,nodev,noexec,relatime,misc)
  cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
  cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,clone_children)
  cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)

Then, when systemd is re-exec'd into v258+ (or when attempting to restart the container after the upgrade), it goes looking for cgroup2 on /sys/fs/cgroup, and when it's not there it attempts the mount itself. This results in the following:

  $ lxc start worker-amd64:systemd-debug1
  $ lxc console worker-amd64:systemd-debug1 --show-log
  Failed to mount cgroup2 (type cgroup2) on /sys/fs/cgroup (MS_NOSUID|MS_NODEV|MS_NOEXEC "nsdelegate,memory_recursiveprot,memory_hugetlb_accounting"): Permission denied
  [!!!!!!] Failed to mount API filesystems.
  Exiting PID 1...

...and the corresponding AppArmor denial on the host:

  [1759528.520865] audit: type=1400 audit(1763568503.527:57368): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-systemd-debug1_</var/snap/lxd/common/lxd>" name="/sys/fs/cgroup/" pid=3592134 comm="systemd" fstype="cgroup2" srcname="cgroup2" flags="rw, nosuid, nodev, noexec"

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2131829

Title:
  upgrading systemd in autopkgtest lxd infra breaks testbed

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
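A pre-flight check for the condition described in this report, written as an added example for the thread (it is not code from the bug report, systemd or lxd): it classifies the cgroup layout a host or container sees from mount(8) output and refuses a move to systemd >= 258 unless the hierarchy is fully unified. The sample mount lines are constructed from the layouts quoted above, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Classify a cgroup layout from mount(8) output (one mount per line).
# Prints one of: unified, hybrid, legacy, none.
classify_cgroup_layout() {
    mounts=$1
    # Fully unified: cgroup2 is mounted directly on /sys/fs/cgroup.
    if printf '%s\n' "$mounts" | grep -q '^cgroup2 on /sys/fs/cgroup type cgroup2 '; then
        echo unified
        return 0
    fi
    # Otherwise count v1 controller mounts and v2 mounts elsewhere, e.g.
    # /sys/fs/cgroup/unified as produced by systemd.unified_cgroup_hierarchy=false.
    v1=$(printf '%s\n' "$mounts" | grep -c ' type cgroup ' || true)
    v2=$(printf '%s\n' "$mounts" | grep -c ' type cgroup2 ' || true)
    if [ "$v2" -gt 0 ] && [ "$v1" -gt 0 ]; then echo hybrid; return 0; fi
    if [ "$v1" -gt 0 ]; then echo legacy; return 0; fi
    echo none
}

# Returns 0 when the layout is safe for systemd >= 258, 1 otherwise.
systemd258_preflight() {
    layout=$(classify_cgroup_layout "$1")
    if [ "$layout" = unified ]; then
        return 0
    fi
    echo "cgroup layout is '$layout'; systemd >= 258 needs a fully unified hierarchy." >&2
    echo "Drop systemd.unified_cgroup_hierarchy=false from the host kernel command line" >&2
    echo "and reboot before upgrading." >&2
    return 1
}

# Constructed samples, abbreviated from the layouts shown in the report.
SAMPLE_HYBRID='tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,size=4096k,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)'
SAMPLE_UNIFIED='cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)'

# Stand-alone demonstration on the constructed samples.
printf 'hybrid sample : %s\n' "$(classify_cgroup_layout "$SAMPLE_HYBRID")"
printf 'unified sample: %s\n' "$(classify_cgroup_layout "$SAMPLE_UNIFIED")"
systemd258_preflight "$SAMPLE_HYBRID" || true
```

On a live host or inside the container, run `systemd258_preflight "$(mount)"` before the systemd upgrade; a non-zero exit means the testbed would hit the "Failed to mount API filesystems" failure above.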
