Bug#1088401: Disabling user namespaces breaks many services; fixed in systemd upstream

John Scott jscott at posteo.net
Wed Nov 27 21:36:46 GMT 2024


Control: forwarded -1 https://github.com/systemd/systemd/issues/35311
Control: tags -1 upstream fixed-upstream
Control: affects -1 hardening-runtime
Control: severity -1 important
Justification: is very likely to make hardened systems—these often being remote servers—unreachable or mostly so

I've been bitten by this: my VPS was mostly unreachable since OpenSSH and other critical services failed to start, so I had to use an escape hatch offered by my hosting provider. I had the hardening-runtime package installed which disables user namespacing out-of-the-box. That triggers this esoteric issue in systemd that's been introduced in the new version. This issue was only reported upstream a few days ago.

As a workaround, commenting out the line in the file installed by hardening-runtime, or simply removing hardening-runtime, can permit services to work again. In particular, if you're able to remotely access the file system but not access the shell, simply deleting or changing this file and triggering a reboot can get you back in.
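The report does not name the sysctl.d file that hardening-runtime installs or the key it sets, so the script below, added here and not part of the bug report, of hardening-runtime or of systemd, scans a sysctl.d directory for uncommented lines that set either of the two sysctl keys normally used to disable unprivileged user namespaces (which key the package actually uses is an assumption) and prints the kernel's live value for both. Running it before a systemd upgrade or a reboot shows whether a hardened host is in the situation the report describes.

```shell
#!/bin/sh
# Added example (not from the bug report or either package): find sysctl
# drop-ins that disable unprivileged user namespaces and show the live value.
#
# Assumption: the report does not name the file or key hardening-runtime
# ships. The two keys below are the usual ways to turn user namespaces off:
#   kernel.unprivileged_userns_clone  (Debian kernel patch, 0 = disabled)
#   user.max_user_namespaces          (upstream, 0 = none may be created)

# Print "file:line:content" for every uncommented line in DIR/*.conf that sets
# either key to 0. Returns 0 when at least one such line was found, 1 otherwise.
find_userns_disable_lines() {
    dir=$1
    rc=1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # /dev/null as a second operand makes grep prefix the file name,
        # which is portable to greps that lack -H.
        if grep -nE '^[[:space:]]*(kernel\.unprivileged_userns_clone|user\.max_user_namespaces)[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$f" /dev/null; then
            rc=0
        fi
    done
    return $rc
}

# Print the kernel's current value for each key as "key=value"; a key whose
# /proc/sys entry does not exist on this kernel is reported as "absent".
live_userns_state() {
    for key in kernel/unprivileged_userns_clone user/max_user_namespaces; do
        name=$(echo "$key" | tr / .)
        if [ -r "/proc/sys/$key" ]; then
            printf '%s=%s\n' "$name" "$(cat "/proc/sys/$key")"
        else
            printf '%s=absent\n' "$name"
        fi
    done
}

# Usage: sh userns-check.sh --scan [DIR]   (DIR defaults to /etc/sysctl.d)
case "${1-}" in
    --scan)
        echo "live kernel state:"
        live_userns_state
        echo "drop-ins disabling user namespaces in ${2:-/etc/sysctl.d}:"
        find_userns_disable_lines "${2:-/etc/sysctl.d}" || echo "(none)"
        ;;
esac
```

The scan only covers one directory; sysctl also reads /etc/sysctl.conf and the drop-in directories under /usr/lib, /usr/local/lib and /run, so pass each of those as DIR if the first scan finds nothing but the live value still shows namespaces disabled.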


