Friday 26 July 2024

Re: many systemd units failing in oracular LXD containers

On Fri, Jul 26, 2024 at 11:19 AM Robie Basak <robie.basak@ubuntu.com> wrote:
> I was surprised to see the security.nesting=true workaround going into
> samba in LP: #2046486 though. That, together with developers having to
> set security.nesting=true everywhere to continue with their work, does
> still seem onerous. If this problem was introduced by a new systemd, why
> wouldn't a systemd revert help the situation?
>

In short, this is not systemd's bug. For years, there has been a
struggle between systemd utilizing various namespaces more to provide
sandboxing features, and LXD's AppArmor rules being overly
restrictive. Through my discussions with the LXD team, we have agreed
that LXD needs to adapt to this, and that by default
security.nesting=true makes sense for unprivileged containers. So yes,
it should be temporary that users/developers need to do this
themselves.

If we *really* need to do something in src:systemd to workaround this,
there are other workarounds that I would take rather than reverting an
entire new upstream version.

Thanks,
Nick
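
The per-instance step Nick describes (enabling security.nesting=true on an unprivileged container so systemd's namespace-based sandboxing works under LXD's AppArmor policy) as a small shell helper. This is an added example, not code from this thread, from LXD or from systemd; it assumes the `lxc` CLI is on PATH and takes the instance name from the reader. The `LXC` variable exists only so the functions can be pointed at a stub.

```shell
#!/bin/sh
# Added example for the thread above; not code from the ubuntu-devel list,
# LXD or systemd. Assumes the `lxc` CLI (LXD) is on PATH; the instance
# name is supplied on the command line by the reader.
set -eu

# Overridable so the functions can be exercised against a stub.
LXC="${LXC:-lxc}"

# Current value of security.nesting on an instance; empty when the key is
# unset (LXD's default).
nesting_value() {
    "$LXC" config get "$1" security.nesting
}

# Turn on security.nesting for one instance unless it is already "true".
# Echoes "set" or "already" so the caller can tell which path was taken.
ensure_nesting() {
    inst="$1"
    if [ "$(nesting_value "$inst")" = "true" ]; then
        echo already
    else
        "$LXC" config set "$inst" security.nesting=true
        echo set
    fi
}

# Number of failed units inside the instance, read from
# `systemctl list-units --state=failed` in plain, legend-free form.
failed_unit_count() {
    "$LXC" exec "$1" -- systemctl list-units --state=failed --plain --no-legend \
        | awk 'NF > 0 { n++ } END { print n + 0 }'
}

# Stand-alone use: ./nesting.sh <instance>
# Shows the failed-unit count, applies the setting, restarts the instance
# so the new setting applies, and shows the count again.
if [ -n "${1:-}" ]; then
    inst="$1"
    echo "failed units before: $(failed_unit_count "$inst")"
    echo "security.nesting: $(ensure_nesting "$inst")"
    "$LXC" restart "$inst"
    echo "failed units after: $(failed_unit_count "$inst")"
fi
```

To apply the setting to every instance using a profile rather than one at a time, `lxc profile set default security.nesting=true` does the same for the default profile; the per-instance key above overrides the profile value either way.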

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel