This is the apparmor denial:
audit: type=1400 audit(1704299091.131:665): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-noble_</var/snap/lxd/common/lxd>" name="/dev/shm/" pid=71828 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"
which corresponds to:
Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND ""): Permission denied
from the journal output above. Taking a look at the AppArmor profile created by LXD, it seems that the problematic flag is MS_NOSYMFOLLOW; there is a rule in /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-noble on my machine that allows the flags (ro,remount,bind,nosuid,noexec,nodev) for /dev/shm and others.
I think it probably makes the most sense to allow this flag combination in the AppArmor profile created by LXD.
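
An added example, not part of the original report or of LXD's code: it parses the two log lines quoted above and diffs the mount flags systemd requested against the flag list from the profile rule and against the flags in the audit record. The log strings are copied from the report with extraction spacing removed, and the MS_* to lowercase-name mapping is an assumption made for this comparison.

```python
import re

# Log lines copied from the report above (extraction spacing removed).
JOURNAL = ('Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on '
           '/dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|'
           'MS_NOSYMFOLLOW|MS_BIND ""): Permission denied')
AUDIT = ('audit: type=1400 audit(1704299091.131:665): apparmor="DENIED" '
         'operation="mount" class="mount" info="failed flags match" error=-13 '
         'profile="lxd-noble_</var/snap/lxd/common/lxd>" name="/dev/shm/" '
         'pid=71828 comm="(sd-mkdcreds)" '
         'flags="ro, nosuid, nodev, noexec, remount, bind"')
# Flag list the report quotes from the lxd-noble profile rule for /dev/shm.
ALLOWED = "ro,remount,bind,nosuid,noexec,nodev"

# Assumption: each MS_* constant maps to its lowercase suffix, except
# MS_RDONLY, which the audit record and the rule both spell "ro".
SPECIAL = {"MS_RDONLY": "ro"}


def journal_flags(line):
    """Flags systemd asked for, taken from its 'Failed to mount' message."""
    m = re.search(r"\((MS_[A-Z_|]+)", line)
    if not m:
        return set()
    return {SPECIAL.get(f, f[3:].lower()) for f in m.group(1).split("|")}


def audit_fields(line):
    """Quoted key="value" pairs of an AppArmor audit record."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def flag_set(text):
    """Split a comma-separated flag list, tolerating spaces after commas."""
    return {f.strip() for f in text.split(",") if f.strip()}


def unmatched(requested, allowed):
    """Requested flags that the allowed set does not cover."""
    return sorted(requested - allowed)


if __name__ == "__main__":
    requested = journal_flags(JOURNAL)
    logged = flag_set(audit_fields(AUDIT)["flags"])
    print("not covered by profile rule:", unmatched(requested, flag_set(ALLOWED)))
    print("missing from audit record:  ", unmatched(requested, logged))
```

Both comparisons come out as `nosymfollow` alone: the flags in the audit record equal the rule's list, so the denial is only explained once the journal line is read alongside it.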