On Fri, Jul 26, 2024 at 11:19 AM Robie Basak <robie.ba...@ubuntu.com> wrote:
> I was surprised to see the security.nesting=true workaround going into
> samba in LP: #2046486 though. That, together with developers having to
> set security.nesting=true everywhere to continue with their work, does
> still seem onerous. If this problem was introduced by a new systemd, why
> wouldn't a systemd revert help the situation?

In short, this is not systemd's bug. For years, there has been a struggle between systemd utilizing various namespaces more to provide sandboxing features, and LXD's AppArmor rules being overly restrictive. Through my discussions with the LXD team, we have agreed that LXD needs to adapt to this, and that by default security.nesting=true makes sense for unprivileged containers. So yes, it should be temporary that users/developers need to do this themselves.

If we *really* need to do something in src:systemd to work around this, there are other workarounds that I would take rather than reverting an entire new upstream version.

Thanks,
Nick

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel