author: Dimitri John Ledkov <xnox@ubuntu.com>, 2018-03-27 11:58:10 +0100
committer: Lennart Poettering <lennart@poettering.net>, 2018-03-27 12:58:10 +0200
commit: e64c2d0b5fbd8ab75d8f73f5820696ee15c8c6f0
tree: b8f15f6b9bdc6039dfcca8e6408a17868190ab2d /src/udev
parent: 96d4d0244bf6eabfd3598177101046653cb70e64
core: use setreuid/setregid trick to create session keyring with right ownership (#8447)

Re-use the hacks used to link user keyring, when creating the session keyring. This way changing ownership of the keyring is not required, and thus invocation_id can be correctly created in restricted environments.

Creating invocation_id with root permissions works and linking it into session keyring works, as at that point session keyring is possessed.

A simple way to validate this is with the following commands:

    $ journalctl -f &
    $ sudo systemd-run --uid 1000 /bin/sh -c 'keyctl describe @s; keyctl list @s; keyctl read `keyctl search @s user invocation_id`'

which now works in LXD containers as well as on the host.

Fixes: https://github.com/systemd/systemd/issues/7655

Diffstat (limited to 'src/udev')
0 files changed, 0 insertions, 0 deletions