Whilst 'lxc.apparmor.profile: unconfined' appears the only way to keep
unprivileged lxc guests with systemd v240 alive, it defeats the purpose
of AppArmor.

Notwithstanding, the tail riding on this bug

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1813622
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=030919ba5e4931d6ee576d0259fae67fe4ed9770

https://bugs.launchpad.net/bugs/1811248

Title:
  systemd-networkd mounts denied for lxc guest

Status in apparmor package in Ubuntu:
  New

Bug description:
  Host ubuntu cosmic | lxc 3.0.3 | aa 2.12 | systemd 239-7
  Guest Arch Linux | systemd 240.0

  After having upgraded in the guest systemd from 239.370 to 240.0 the
  host's AA is exhibiting

  > audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"

  and the guest

  > systemd-networkd.service: Failed to set up mount namespacing: Permission denied
  > systemd-networkd.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-networkd: Permission denied

  According to lxc bug tracker https://github.com/lxc/lxc/issues/2778

  > While we'd like to allow such mounts we cannot do so until the apparmor_parser is fixed to handle them correctly.

  other cross references

  https://github.com/systemd/systemd/issues/11371
  https://bugs.archlinux.org/task/61313
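As an added example (not part of the bug report or of the lxc/apparmor projects), the script below shows how a host administrator can pick the mount denial quoted above out of the audit log and how to spot the 'unconfined' workaround in a container config. The sample audit lines are constructed: the first is the DENIED line from the report re-joined onto one line, the other two are made up for contrast. The container config is likewise a constructed sample; the function names and the lxc.uts.name key used in it are assumptions for the example.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed samples: line 0 is the DENIED record from the bug report (re-joined),
# lines 1 and 2 are constructed here so the filter has something to ignore.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" '
    'pid=8426 comm="(networkd)" flags="rw, rslave"',
    'audit: type=1400 audit(1547125170.001:723): apparmor="ALLOWED" operation="open" '
    'profile="lxc-container-default-cgns" name="/etc/hosts" pid=8430 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'kernel: some unrelated log line',
]

# Constructed container config carrying the workaround the report mentions.
SAMPLE_LXC_CONFIG = """\
# constructed sample container config
lxc.uts.name = archguest
lxc.apparmor.profile = unconfined
"""

# key="quoted value" or key=bareword, as AppArmor writes its audit fields
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# type=1400 audit(<seconds>.<ms>:<serial>):
_HDR_RE = re.compile(r'type=(\d+) audit\(([\d.]+):(\d+)\):')
# LXC config line: key = value (the report wrote it with a colon, so accept both)
_CFG_RE = re.compile(r'^(\S+?)\s*[=:]\s*(.*)$')


def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Parse one AppArmor audit record (type=1400) into a dict of its fields.
    Returns None for lines that are not AppArmor audit records."""
    hdr = _HDR_RE.search(line)
    if not hdr or hdr.group(1) != "1400":
        return None
    rec: Dict[str, str] = {"timestamp": hdr.group(2), "serial": hdr.group(3)}
    for m in _KV_RE.finditer(line[hdr.end():]):
        # group 3 is the quoted form, group 4 the bare form (e.g. error=-13)
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def mount_denials(lines: List[str]) -> List[Dict[str, Any]]:
    """Keep only DENIED mount records and split their flags so the rejected
    flag ('rslave' in the report) is visible as a separate item."""
    out: List[Dict[str, Any]] = []
    for line in lines:
        rec = parse_apparmor_audit(line)
        if rec is None:
            continue
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
            continue
        event: Dict[str, Any] = dict(rec)
        event["flag_list"] = [f.strip() for f in rec.get("flags", "").split(",") if f.strip()]
        out.append(event)
    return out


def lxc_apparmor_findings(config_text: str) -> List[str]:
    """Report every lxc.apparmor.profile setting of 'unconfined' in a container
    config: it disables AppArmor confinement for that guest entirely."""
    findings: List[str] = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = _CFG_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append(f"line {n}: lxc.apparmor.profile is unconfined (no AppArmor confinement)")
    return findings


if __name__ == "__main__":
    for ev in mount_denials(SAMPLE_AUDIT_LINES):
        print(f"{ev['timestamp']} profile={ev['profile']} comm={ev['comm']} "
              f"name={ev['name']} flags={ev['flag_list']} info={ev['info']!r}")
    for finding in lxc_apparmor_findings(SAMPLE_LXC_CONFIG):
        print(finding)
```

Run against the real log (for example the output of `journalctl -k`) the first function turns each denial into fields that can be grouped by profile, comm and flags, which makes it easy to see that every hit comes from the container profile and the rslave flag rather than from some other rule. The config check is the companion control: if the workaround from the report is applied, it shows up as a finding so the loss of confinement is at least recorded rather than silently accepted.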

