I found that after working around this issue (with seccomp rules) there are yet more AppArmor denials during namespace setup.

All in all, systemd services with sandboxing settings (i.e. settings that require the use of various namespaces) hit more and more denials in LXD containers. So, after discussing with LXD folks, the plan is to enable security.nesting: true by default for unprivileged containers [1].

[1] https://github.com/canonical/lxd/issues/13631

** Summary changed:

- units with SetCredential= fail in LXD containers
+ units with credentials fail in LXD containers

** Tags added: block-proposed

** Bug watch added: github.com/canonical/lxd/issues #13631
   https://github.com/canonical/lxd/issues/13631

https://bugs.launchpad.net/bugs/2046486
Title: units with credentials fail in LXD containers
