lxd: Permission denied - Can't open /dev/null

After switching to Linux 4.18 some of my LXD containers suddenly failed to start:


EROR[09-17|22:33:04] Failed starting container                action=start created=2018-09-17T22:33:02+0200 ephemeral=false name=c1 stateful=false used=1970-01-01T01:00:00+0100
DBUG[09-17|22:33:04] Failure for task operation: b1f65abc-845d-4201-ae03-547c82ea1a18: Failed to run: /home/schu/code/go/bin/lxd forkstart c1 /var/lib/lxd/containers /var/log/lxd/c1/lxc.conf:


$ lxc info --show-log local:c1 | grep ERROR
lxc 20180917203304.722 ERROR    lxc_utils - utils.c:open_devnull:1786 - Permission denied - Can't open /dev/null
lxc 20180917203304.722 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 5)
lxc 20180917203304.787 ERROR    lxc_container - lxccontainer.c:wait_on_daemonized_start:754 - Received container state "ABORTING" instead of "RUNNING"
lxc 20180917203304.787 ERROR    lxc_start - start.c:__lxc_start:1530 - Failed to spawn container "c1".

Specifically, this affected all unprivileged containers, which LXD runs in a user namespace by default.

This is caused by “vfs: Allow userns root to call mknod on owned filesystems” and is worked around in recent versions of liblxc by adjusting the heuristic for populating /dev (“autodev: adapt to changes in Linux 4.18”). systemd’s PrivateDevices is also affected.

On Debian, I purged the liblxc1 package (2.0.9-6.1) and installed liblxc out of git.
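
An illustration of the kind of probe a /dev-populating heuristic needs after this kernel change, added here and not taken from liblxc or the original post: since mknod() can now succeed for user-namespace root while opening the new node still fails with "Permission denied", the probe opens the node it created before trusting it. The names classify_probe, probe_dev_dir and enum dev_strategy are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

enum dev_strategy { DEV_MKNOD, DEV_BIND_MOUNT, DEV_ERROR };

/* Decide from the errno of mknod() and of the follow-up open(); 0 = success. */
enum dev_strategy classify_probe(int mknod_errno, int open_errno)
{
    if (mknod_errno == EPERM)
        return DEV_BIND_MOUNT;  /* mknod refused: no usable CAP_MKNOD */
    if (mknod_errno != 0)
        return DEV_ERROR;       /* ENOSPC, EROFS, ...: not a policy answer */
    if (open_errno == 0)
        return DEV_MKNOD;       /* node was created and really works */
    if (open_errno == EACCES)
        return DEV_BIND_MOUNT;  /* 4.18+ userns case: node exists but is dead */
    return DEV_ERROR;
}

/* Create a throwaway null device (char 1:3) in dir, open it, remove it. */
enum dev_strategy probe_dev_dir(const char *dir)
{
    char path[4096];
    int merr = 0, oerr = 0;
    int n = snprintf(path, sizeof(path), "%s/.probe-null-%ld", dir, (long)getpid());

    if (n < 0 || (size_t)n >= sizeof(path))
        return DEV_ERROR;
    if (mknod(path, S_IFCHR | 0666, makedev(1, 3)) < 0) {
        merr = errno;
    } else {
        int fd = open(path, O_RDWR | O_CLOEXEC);
        oerr = fd < 0 ? errno : 0;
        if (fd >= 0)
            close(fd);
        unlink(path);
    }
    return classify_probe(merr, oerr);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "mknod", "bind-mount", "error" };
    return puts(names[probe_dev_dir(argc > 1 ? argv[1] : "/tmp")]) < 0;
}
```

Run against the directory that will become the container's /dev; "bind-mount" means the device nodes should be bind-mounted from the host instead of created with mknod().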