Comment 4 for bug 1813622

Dimitri John Ledkov (xnox) wrote :

Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"

So systemd v240 tries to set up a mount namespace to further contain execution, and it appears that this is no longer possible inside the lxd container, due to apparmor denials.

I'm not sure if this is a bug/feature of systemd | snapd | lxd | apparmor, as all of these are involved.
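As an added example (not part of the bug report, and not code from systemd, snapd, lxd or apparmor), the script below parses AppArmor DENIED audit lines like the four quoted above, collapses the duplicated audit-socket and kernel-printk copies of each event, and singles out mount denials carrying info="failed flags match", which is the signature of a profile that has some mount rule for the path but none covering the flag combination actually requested. The candidate rule text it drafts uses the documented `mount options=(...) -> dest,` syntax but is an assumption to review against apparmor.d(5), not a fix taken from this bug; the fifth sample line is constructed so the filter has an allowed event to ignore.

```python
import re

# Key=value fields as AppArmor writes them: quoted values may contain spaces,
# '/' and '<...>', unquoted ones (error=-13, pid=10278, type=1400) do not.
AVC_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample input: the four lines quoted in the bug comment, plus one constructed
# ALLOWED line (profile name and pid made up) that the denial filter must skip.
SAMPLE_LOG = """\
Jan 28 23:50:06 ottawa audit[10278]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.237:332): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10278 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa audit[10310]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:06 ottawa kernel: audit: type=1400 audit(1548719406.273:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-improved-kodiak_</var/snap/lxd/common/lxd>" name="/run/systemd/unit-root/home/" pid=10310 comm="(networkd)" flags="ro, nosuid, nodev, remount, bind"
Jan 28 23:50:07 ottawa kernel: audit: type=1400 audit(1548719407.000:340): apparmor="ALLOWED" operation="open" profile="constructed-example-profile" name="/etc/hosts" pid=42 comm="cat"
"""


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict,
    or None if the line is not an AppArmor event at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in AVC_FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def summarize_denials(lines):
    """Group DENIED events by (profile, operation, name).

    journald records each denial twice (the 'audit[pid]: AVC ...' copy from
    the audit socket and the 'kernel: audit: type=1400 ...' printk copy), so
    events are de-duplicated on (pid, profile, operation, name, flags) while
    the raw line count is kept alongside for reference.
    """
    summary = {}
    seen = set()
    for line in lines:
        f = parse_apparmor_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        key = (f.get('profile'), f.get('operation'), f.get('name'))
        entry = summary.setdefault(
            key, {'lines': 0, 'events': 0, 'flags': set(), 'info': set(), 'comm': set()})
        entry['lines'] += 1
        event_id = (f.get('pid'),) + key + (f.get('flags'),)
        if event_id not in seen:
            seen.add(event_id)
            entry['events'] += 1
        for fld in ('flags', 'info', 'comm'):
            if fld in f:
                entry[fld].add(f[fld])
    return summary


def mount_flag_mismatches(summary):
    """Keys of mount denials whose info says the requested flags matched no
    mount rule in the profile (the situation in the bug above)."""
    return [key for key, v in summary.items()
            if key[1] == 'mount' and 'failed flags match' in v['info']]


def candidate_mount_rule(key, flags):
    """Draft one AppArmor mount rule for a denied (destination, flags) pair.
    Assumption: 'mount options=(...) -> dest,' syntax per apparmor.d(5); the
    output is a starting point for profile review, not a fix from the bug."""
    options = ','.join(flag.strip() for flag in flags.split(','))
    return 'mount options=({}) -> {},'.format(options, key[2])


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_LOG.splitlines())
    for key in mount_flag_mismatches(summary):
        v = summary[key]
        print('{} event(s) over {} log lines: profile={} comm={}'.format(
            v['events'], v['lines'], key[0], sorted(v['comm'])))
        for flags in sorted(v['flags']):
            print('  candidate rule to review:', candidate_mount_rule(key, flags))
```

Running it against the sample prints one group (two events, four lines, all from the `(networkd)` helper) and one candidate rule; on a real host the same functions can be fed `journalctl -k` or `/var/log/audit/audit.log` output to see which profile and flag set are involved before deciding whether the profile, the unit's sandboxing options or the container configuration should change.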