switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)
Before commit 7c764d4599 ("switch-root: always use MS_BIND to move api vfs over"),
when switching root from an initrd, the old procfs, sysfs, /dev/ and
/run would be moved using MS_MOVE. According to that commit, this change
was mostly a simplification because systemd already cleans up the old
mount hierarchy before the switch root, and no longer needed to rely on
the cleanup side-effect of MS_MOVE.
However, this change broke some systemd services that also have an
associated AppArmor profile. For example, in Ubuntu, rsyslog has an
AppArmor profile configured, and when it tries to access
/run/systemd/notify during startup (after the switch root has
occurred), we see the denial:
The difference in MS_BIND vs MS_MOVE affects the view that AppArmor has
of the mount tree. With MS_BIND, AppArmor will not know that e.g.
/run/systemd/notify is in the current mount tree after the pivot_root,
because it is tracking this path from the old root. But with MS_MOVE,
the original mount is preserved and does not affect AppArmor's view.
Ultimately, this is most likely something that should be addressed in
AppArmor, but that is not going to happen in the short term. For now,
just go back to MS_MOVE when switching from the initrd.
debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)
Restarting user managers this way was added in v250. Upgrades to Noble
are supported from Mantic (systemd released as 253.5-1ubuntu6), and
Jammy (systemd released as 249.11-0ubuntu3). Do not try to restart user
managers on upgrades from Jammy, as it will end up killing the whole user
session.
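The version gate described in the entry above, written out as an added example (not Ubuntu's actual debian/systemd.postinst code): a postinst receives the previously installed version as its second argument on upgrade, and this helper refuses to restart user managers unless that version is at least 250. The pure-shell major-version parse is an approximation of `dpkg --compare-versions` so that the example runs where dpkg is not installed; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical postinst-style gate (not the real maintainer script): restart
# user managers only if the old systemd was >= 250, the release that added
# that restart path. Input is the "old version" string dpkg hands to postinst
# on upgrade, e.g. 249.11-0ubuntu3 (Jammy) or 253.5-1ubuntu6 (Mantic).

# Print the leading upstream major version of a Debian version string.
# Strips an optional epoch ("1:250.2-1") and stops at the first '.', '-', '~' or '+'.
systemd_major_version() {
    v="$1"
    case "$v" in *:*) v="${v#*:}" ;; esac
    printf '%s\n' "$v" | sed 's/[.~+-].*$//'
}

# Returns 0 if user managers may be restarted, 1 otherwise.
# Fresh installs (empty old version) and unparsable strings are treated as
# "do not restart": killing live user sessions is the failure mode to avoid.
may_restart_user_managers() {
    old="$1"
    [ -n "$old" ] || return 1
    major=$(systemd_major_version "$old")
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 250 ]
}

# How a postinst would use it: $1 is the action, $2 the old version.
postinst_configure() {
    action="$1"
    old_version="$2"
    [ "$action" = "configure" ] || return 0
    if may_restart_user_managers "$old_version"; then
        echo "would restart user managers (old version: $old_version)"
    else
        echo "skipping user manager restart (old version: ${old_version:-none})"
    fi
}
```

A fresh install, where the old version is empty, also skips the restart, since there are no user managers from a previous version to restart.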
In some cases, copying /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf
will fail, despite the checks that happen beforehand. In particular,
this can happen if a user disabled the stub-resolver, and in doing so,
made /etc/resolv.conf a symlink to /run/systemd/resolve/resolv.conf.
This is unnecessary because systemd-resolved will make stub-resolv.conf
a symlink to resolv.conf if DNSStubListener=no. In these cases, it is
safe to just ignore the cp because it is unnecessary to begin with.
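The failure mode described above, as an added example rather than the project's own postinst code: when /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf and stub-resolv.conf is itself a symlink to resolv.conf, both paths resolve to the same inode and cp fails with "are the same file". The helper below resolves both sides before copying and skips the cp when they coincide. Paths are passed as parameters so the check can be exercised against a constructed directory tree; the function names and the temp-dir layout are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical helper (not systemd's or Ubuntu's postinst code): decide whether
# copying the system resolv.conf over stub-resolv.conf is needed, and skip it
# when both already resolve to the same file (the DNSStubListener=no layout).

# Returns 0 if the copy should be performed, 1 if it can be skipped.
need_stub_resolv_copy() {
    etc_resolv="$1"      # e.g. /etc/resolv.conf
    stub_resolv="$2"     # e.g. /run/systemd/resolve/stub-resolv.conf

    # Nothing to copy from (also covers a dangling /etc/resolv.conf symlink).
    [ -e "$etc_resolv" ] || return 1

    # Resolve symlinks on both sides; if they lead to the same file, cp would
    # fail with "are the same file", and the copy is pointless anyway.
    src=$(readlink -f "$etc_resolv") || return 1
    if [ -e "$stub_resolv" ] || [ -L "$stub_resolv" ]; then
        dst=$(readlink -f "$stub_resolv")
        [ "$src" = "$dst" ] && return 1
    fi
    return 0
}

# Copy only when needed, so the caller never fails on the redundant case.
copy_stub_resolv() {
    if need_stub_resolv_copy "$1" "$2"; then
        cp "$1" "$2"
    fi
}

# Constructed scenario: the layout produced when a user disables the stub
# resolver. Prints the temp root so callers can build paths under it.
build_stub_disabled_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/run/systemd/resolve"
    printf 'nameserver 10.0.0.53\n' > "$root/run/systemd/resolve/resolv.conf"
    # user-made symlink: /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
    ln -s "$root/run/systemd/resolve/resolv.conf" "$root/etc/resolv.conf"
    # resolved's own symlink when DNSStubListener=no: stub-resolv.conf -> resolv.conf
    ln -s resolv.conf "$root/run/systemd/resolve/stub-resolv.conf"
    printf '%s\n' "$root"
}
```

In the disabled-stub tree the copy is skipped and the symlink is left intact; with a regular /etc/resolv.conf and no stub file present the copy proceeds as before.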