So systemd v240 tries to set up a mount namespace to further contain execution, and it appears that this is no longer possible inside the lxd container, due to apparmor denies.
I'm not sure if this is a bug/feature of systemd | snapd | lxd | apparmor, as all of these are involved.
Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
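The following is an added triage script, not part of the report above and not code from systemd, snapd, lxd or apparmor. It parses AppArmor audit records of the kind quoted in the report, keeps only DENIED mount operations, collapses the duplicate that journald usually shows for each event (one line from the audit socket, one from the kernel log), and flags targets under /run/systemd/unit-root/, which is where systemd builds a unit's private mount tree before pivoting into it, so a denial there means a unit's mount-namespace sandboxing is being refused by the container's profile. The sample input is the two denials from the report (extraction whitespace removed) plus one constructed apparmor="ALLOWED" line for comm="(resolved)" that exists only to show the filter skipping it.

```python
"""Triage AppArmor mount denials in a journal dump (added example, not project code)."""
import re
from collections import Counter

# Two denials as quoted in the report above (whitespace cleaned up), plus one
# CONSTRUCTED non-denial line (the "(resolved)" ALLOWED record) to exercise the filter.
SAMPLE_JOURNAL = """\
Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.300:334): apparmor="ALLOWED" operation="mount" profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/etc/" pid=10400 comm="(resolved)" flags="ro, remount, bind"
"""

# key="quoted value" or key=bareword, as AppArmor audit records are written.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def denied_mounts(journal_text):
    """Distinct DENIED mount records; the same event often appears twice in the
    journal (audit socket and kernel log), so dedup on the fields that identify it."""
    seen, out = set(), []
    for line in journal_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get('apparmor') != 'DENIED' or rec.get('operation') != 'mount':
            continue
        key = (rec.get('profile'), rec.get('pid'), rec.get('name'), rec.get('flags'))
        if key in seen:
            continue
        seen.add(key)
        out.append(rec)
    return out


def is_systemd_unit_sandbox(rec):
    """systemd assembles a unit's private root under /run/systemd/unit-root/ before
    pivoting into it, so a mount denial there is the unit's sandboxing being blocked."""
    return rec.get('name', '').startswith('/run/systemd/unit-root/')


def summarize(records):
    """Count denials per (profile, comm, target, flags) so the offending unit and
    the flag combination the profile rejects ("failed flags match") stand out."""
    return Counter((r.get('profile'), r.get('comm'), r.get('name'), r.get('flags'))
                   for r in records)


if __name__ == '__main__':
    denials = denied_mounts(SAMPLE_JOURNAL)
    for (profile, comm, name, flags), n in summarize(denials).items():
        tag = 'systemd unit sandbox' if name.startswith('/run/systemd/unit-root/') else 'other'
        print(f'{n}x {comm} under {profile}: mount {name} [{flags}] ({tag})')
```

Run it against `journalctl -k` or `journalctl -t audit` output from the host instead of the embedded sample to see which units inside the container are hitting the LXD profile, and with which flag combinations; that is the list to compare against the mount rules in the profile.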