You can look at /proc/self/uid_map to see if uid 0 is mapped to a non-0
uid, which would mean that you're not getting real root.

Root in an unprivileged container does hold all the capabilities, but those are
tied to the user namespace so they're only useful if the resource you're trying
to access is namespaced too.
The audit log isn't yet namespaced (there's work to have it be) so even though
root does have the CAP_AUDIT_READ capability against the container it doesn't
have it against the whole kernel.

For now, I'd say just make the unit skip in containers in general. Until
audit is namespaced, there's very little reason for a container, even
privileged, to interact with it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1707901

Title:
  systemd-journald-audit.socket attempts to start in unprivileged LXD
  container, but cannot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1707901/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
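The /proc/self/uid_map check described at the top of the message, as an added example that is not part of the bug report nor of LXD or systemd: a POSIX shell script that parses a uid_map file and reports which parent-namespace uid the namespace's uid 0 maps to. The file path is a parameter so the functions can be run against the live /proc/self/uid_map or against constructed samples. The function names, the sample map contents and the 100000/65536 mapping are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: decide from a uid_map whether uid 0
# in the current user namespace is real root. Each line of
# /proc/self/uid_map reads "<inside-uid> <outside-uid> <count>": inside uids
# [inside, inside+count) map onto parent-namespace uids starting at outside.
# Note that "outside" is the parent user namespace, which in a nested setup
# need not be the host; a non-zero value is enough to say "not real root".

# uid0_outside_uid FILE -> prints the parent-namespace uid that inside uid 0
# maps to, or "unmapped" when no line covers uid 0 or FILE is unreadable.
# Always returns 0; callers inspect the printed value.
uid0_outside_uid() {
    file=$1
    if [ ! -r "$file" ]; then
        echo unmapped
        return 0
    fi
    awk '
        # uid 0 lies in this range iff inside <= 0 < inside + count
        ($1 + 0) <= 0 && 0 < ($1 + $3) {
            print $2 + (0 - $1)      # offset of uid 0 within the range
            found = 1
            exit
        }
        END { if (!found) print "unmapped" }
    ' "$file"
}

# is_real_root FILE -> succeeds only when inside uid 0 is uid 0 in the parent
# namespace as well. In an unprivileged LXD container this fails, which is
# the "uid 0 is mapped to a non-0 uid" case from the message above.
is_real_root() {
    [ "$(uid0_outside_uid "$1")" = "0" ]
}

# Constructed sample maps for offline use (not captured from a real system):
# $1 gets the initial namespace's identity map as seen on the host, $2 gets a
# typical unprivileged container map of 65536 uids starting at host uid 100000
# (assumed values, chosen for illustration).
write_sample_maps() {
    printf '%s\n' '         0          0 4294967295' > "$1"
    printf '%s\n' '         0     100000      65536' > "$2"
}

# Live check for the calling shell. The map only says where uid 0 goes, so
# combine it with id -u to answer "am I real root right now".
main() {
    if [ "$(id -u)" = "0" ] && is_real_root /proc/self/uid_map; then
        echo "running as real root"
    else
        echo "not real root: uid 0 here maps to parent uid $(uid0_outside_uid /proc/self/uid_map)"
    fi
}

main
```

For the fix the message actually proposes (skipping the unit in containers altogether), systemd's `ConditionVirtualization=!container` unit directive does that without any script; the functions above serve the diagnostic question of whether uid 0 inside a namespace is real root.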