
canonical-ubuntu-qa team mailing list archive

[Merge] ~andersson123/autopkgtest-cloud:lxd-security-nesting-true into autopkgtest-cloud:master

 

The proposal to merge ~andersson123/autopkgtest-cloud:lxd-security-nesting-true into autopkgtest-cloud:master has been updated.

Commit message changed to:

fix: lxd-worker: add security.nesting=true to lxd config

There's a version of systemd in oracular-proposed which is purported to
break armhf tests (for oracular) once it migrates to the release pocket.

TLDR; Any systemd units with credentials on unprivileged containers will
fail on oracular tests with the new version of systemd in proposed.

This would cause systemd-tmpfiles-setup.service to be broken on the lxd
containers, which is a service which creates /var/run/utmp, which is how
runlevel is stored. runlevel is checked in lib/VirtSubproc.py [1] in the
wait_booted function. So, subsequently, wait_booted would eventually
time out, as systemd-tmpfiles-setup.service would never store runlevel
appropriately on the testbed.

The workaround was discussed [2] between the systemd maintainer (enr0n)
and the lxd team, and the solution was to enable security.nesting for
the lxd containers running our armhf tests.

security.nesting simply allows for nested containerisation. [3]

To summarise, we would be hitting [4] because of [5].

[1] https://salsa.debian.org/ubuntu-ci-team/autopkgtest/-/blob/master/lib/VirtSubproc.py?ref_type=heads#L454
[2] https://github.com/canonical/lxd/issues/13631
[3] https://discuss.linuxcontainers.org/t/what-does-security-nesting-true/7156/4
[4] https://bugs.launchpad.net/ubuntu/+source/autopkgtest/+bug/1998943
[5] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2046486

For more details, see:
https://code.launchpad.net/~andersson123/autopkgtest-cloud/+git/autopkgtest-cloud/+merge/467776
-- 
Your team Canonical's Ubuntu QA is requested to review the proposed merge of ~andersson123/autopkgtest-cloud:lxd-security-nesting-true into autopkgtest-cloud:master.


