Questions about security.nesting and recent systemd

Hi all, I’m on the Starcraft team at Canonical, and I’m investigating this systemd issue with nested containers.

We’re thinking about setting security.nesting=true by default to address this issue in snapcraft, rockcraft et al, but the question is: do we know which Ubuntu/systemd versions require the flag to be set? Or do I need to just set it on all of our build containers across the board?


What specific issues are you encountering that lead you to think you need security.nesting=true by default?

For a while Oracular images did need security.nesting=true because of changes in systemd v256.

See Container issues with Ubuntu Oracular systemd version 256-1ubuntu1 · Issue #13810 · canonical/lxd · GitHub

However LXD 5.0.4 and LXD 5.21.2 onwards support Oracular containers (on compatible host OSes with cgroupv2 enabled) without security.nesting enabled.

From looking at https://matrix.to/#/!NPPCseDHKRvSBMUEXN:ubuntu.com/$l9-msw901I7b885eH4LaGs_T9gmLKbSqE8tVrGLnAAk?via=ubuntu.com&via=matrix.org

it works locally (noble), but it fails in our CI (focal)

This seems to be more the specific problem, that you’re using Focal host.

This is because systemd v256 doesn’t support cgroupv1 anymore, so even with security.nesting=true, Oracular containers on a Focal host won’t work (without the HWE kernel).

See canonical/lxd#13844 (comment)

I suspect your CI runners need to be upgraded to Jammy.
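The reply above turns on one host-side fact: whether /sys/fs/cgroup is the unified (cgroup v2) hierarchy, because a systemd v256 guest cannot use cgroup v1 no matter what security.nesting says. The script below is an added example, not something posted in this thread or shipped by LXD; it classifies the host cgroup layout and checks whether the kernel command line already carries systemd.unified_cgroup_hierarchy=1, which is what the Focal-host question comes down to. It assumes a Linux host with GNU coreutils `stat`; the hypothetical file name cgroup_check.sh and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify the host cgroup layout that decides
# whether a systemd v256 container can run, and look for the unified-hierarchy
# kernel parameter. Assumes a Linux host with GNU coreutils `stat`.

# classify_cgroup FSTYPE HAS_UNIFIED_SUBDIR
#   FSTYPE             filesystem type mounted at /sys/fs/cgroup ("cgroup2fs" or "tmpfs")
#   HAS_UNIFIED_SUBDIR "yes" if /sys/fs/cgroup/unified exists (hybrid layout), else "no"
# Prints one of: unified | hybrid | legacy | unknown
classify_cgroup() {
  case "$1" in
    cgroup2fs) echo unified ;;
    tmpfs)
      if [ "$2" = yes ]; then echo hybrid; else echo legacy; fi ;;
    *) echo unknown ;;
  esac
}

# cmdline_requests_unified CMDLINE
# Returns 0 when the kernel command line contains systemd.unified_cgroup_hierarchy=1,
# 1 otherwise. systemd reads this at boot, so changing it needs a reboot to take effect.
cmdline_requests_unified() {
  for tok in $1; do
    [ "$tok" = "systemd.unified_cgroup_hierarchy=1" ] && return 0
  done
  return 1
}

# host_cgroup_layout: read the live host state and classify it.
host_cgroup_layout() {
  fstype=$(stat -fc %T /sys/fs/cgroup 2>/dev/null || echo unknown)
  if [ -d /sys/fs/cgroup/unified ]; then has_unified=yes; else has_unified=no; fi
  classify_cgroup "$fstype" "$has_unified"
}

# report: print the findings and exit 0 only when the host is on the unified hierarchy.
# Anything else means a systemd v256 guest (e.g. Oracular) will not work on this host,
# with or without security.nesting, which is the situation described in the thread.
report() {
  layout=$(host_cgroup_layout)
  echo "host cgroup layout: $layout"
  if cmdline_requests_unified "$(cat /proc/cmdline 2>/dev/null)"; then
    echo "kernel cmdline: systemd.unified_cgroup_hierarchy=1 is set"
  else
    echo "kernel cmdline: systemd.unified_cgroup_hierarchy=1 is not set"
  fi
  [ "$layout" = unified ]
}

# Usage: sh cgroup_check.sh report
if [ "${1:-}" = report ]; then report; fi
```

On a Focal host with its default layout the report shows `hybrid` or `legacy`, which is the failure mode from the linked LXD issues; on Jammy or Noble it shows `unified`. The host check is deliberately separate from the per-container setting (`lxc config set <container> security.nesting true`), since the thread's point is that the container flag cannot compensate for a cgroup v1 host.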

Thanks for looking into this with me, hope you had a good break!

The craft-* tools (snapcraft, charmcraft, etc.) need to support running on Focal hosts. So it sounds like, if the host is Focal, we should be able to set systemd.unified_cgroup_hierarchy=1 to get functioning systemd in our guests, provided the host is using the HWE kernel 5.15?