Hi,

Wolfgang Bumiller:
> Sorry for the delay...

Well, what can I say…

> Looks like additional unit sandboxing features have been added, I guess.

My understanding is: it's not about new unit sandboxing features but rather that before systemd v240, failure to set up these sandboxing features used to be non-fatal (so units would not benefit from systemd's sandboxing features, but at least they would start).

> I can get the test-suite to not abort by using the following config in,
> tested with an unprivileged container on buster with the apparmor
> patches cherry-picked into the 3.0.2 tag.

For avoidance of doubt: I assume "the apparmor patches" means 434381b00..e7311a84e from the lxc upstream Git master branch minus those that are already in the 3.0 branch, so: 1800f92 and e7311a84.

> (Though I cannot really decipher whether the output is generally good
> or bad now ;-) )

> lxc.apparmor.profile = generated
> lxc.apparmor.raw = mount options=(ro,remount,bind) ->
> /run/systemd/unit-root/**/,
> […]

I see that lxc 3.1.0 has your commit e6ec0a9, which implements something similar. Great :)

Thanks a lot for the quick feedback and fixes!

I've successfully run the test procedure [1] proposed by Michael Biebl, slightly updated (I'll report the details on that Debian bug report later today). I've used lxc from Debian sid (3.0.3-1) + the 2 commits from the AppArmor profile generation patchset + commit e6ec0a9. In the config of the LXC container I use for autopkgtests I've set:

  lxc.apparmor.profile = generated
  lxc.apparmor.allow_nesting = 1

So I'm going to ask the lxc maintainers in Debian to apply these 3 patches so we have them even if Buster is released with 3.0.x. Then I'll suggest to the debci (Debian's autopkgtest CI system) maintainers that they set the 2 aforementioned options for containers used for autopkgtests. Makes sense?

[1] https://bugs.debian.org/911806#20

Cheers,
-- 
intrigeri
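The two container options named in the message above (lxc.apparmor.profile = generated and lxc.apparmor.allow_nesting = 1) are easy to forget when many autopkgtest containers are provisioned. The following POSIX sh snippet is an added example, not code from the thread, lxc or debci: it reads an LXC container config in the "key = value" format of lxc.container.conf (an assumption about the input) and reports whether both options are set as described. The sample configs it checks are constructed inline; the helper names lxc_conf_get and lxc_conf_check_apparmor are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, lxc or debci).
# Assumption: the container config uses "key = value" lines as in
# lxc.container.conf(5); comments start with '#'.

# Print the value of KEY from config FILE; the last occurrence wins,
# which matches how lxc itself treats repeated keys.
lxc_conf_get() {
    file="$1"; key="$2"
    # Escape the dots in the key so they match literally in the sed regex.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when FILE sets lxc.apparmor.profile = generated and
# lxc.apparmor.allow_nesting = 1; otherwise print what is missing
# on stderr and return 1.
lxc_conf_check_apparmor() {
    file="$1"; rc=0
    if [ "$(lxc_conf_get "$file" lxc.apparmor.profile)" != "generated" ]; then
        echo "$file: lxc.apparmor.profile is not 'generated'" >&2
        rc=1
    fi
    if [ "$(lxc_conf_get "$file" lxc.apparmor.allow_nesting)" != "1" ]; then
        echo "$file: lxc.apparmor.allow_nesting is not 1" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not real container files).
good_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
# constructed autopkgtest container config
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
EOF

bad_conf=$(mktemp)
cat > "$bad_conf" <<'EOF'
# constructed config that still uses the stock profile and no nesting
lxc.apparmor.profile = lxc-container-default-cgns
EOF

# Usage: lxc_conf_check_apparmor /var/lib/lxc/<name>/config
lxc_conf_check_apparmor "$good_conf" && echo "$good_conf: ok"
lxc_conf_check_apparmor "$bad_conf" || echo "$bad_conf: needs attention"
```

Run it against each container's config file; a non-zero exit from lxc_conf_check_apparmor means at least one of the two options is absent or set to something else.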
