Systemd-creds errors in Debian 13 LXC containers

haimg

I've upgraded the host and one of my LXC containers to Debian 13, and now I'm facing the following error: many systemd services in the container are failing with `243/CREDENTIALS`, which appears to be a problem with systemd-creds inside the container. It's not a new issue, apparently, just much more acute in Debian 13: the affected services are "journald", "agetty", and others.

I saw suggestions to turn on nesting, and indeed, it helps in unprivileged containers. But what about the privileged ones? Turning on nesting is a terrible idea from a security point of view. Are there any reasonable tweaks I can apply on the host (Proxmox) side? AppArmor changes?
 
I would recommend migrating to unprivileged containers.
 
@fabian, this is a good suggestion, but not always feasible/easy.

What I ended up doing: got lxc.generator from LXC distrobuilder, placed it in "/etc/systemd/system-generators/lxc", and that solved this problem (and a bunch of other LXC-specific problems as well). All it does is disable "ImportCreds=" statements in a number of systemd service files...

I'd like to suggest doing something similar in Proxmox pveam templates for Debian 13; they are unusable as they are (unless you enable nesting). It makes little sense to enable nesting just to get access to systemd credentials, which (I guess) very few people use.