Hi,

Pierre-Elliott Bécue:
> Please review and comment:
> - https://salsa.debian.org/lxc-team/lxc/commit/1e8ca3640eec0b82297314d10435b68918907fc8
>   (patch inclusion)
> - https://salsa.debian.org/lxc-team/lxc/commit/84df6216317542961bbad08a08e159f38e623de7
>   (minimalist default.conf)

Looks good to me, thanks!

> Could you also provide me with a paragraph I could put in README.Debian
> and NEWS regarding what end users should know about these profiles.
> You dived in it more than me and I don't rely on apparmor, so it'd be
> better if you write it.
> Otherwise I can try to write a relevant thing.

Now that /etc/lxc/default.conf has permissive enough settings, I'm not
sure whether we should tell users anything particular about these
profiles: things should work out of the box.

Unfortunately, even on the upstream master branch,
lxc.container.conf(5) does not document our new default settings
("lxc.apparmor.profile = generated" and "lxc.apparmor.allow_nesting"),
which is a bit inconvenient. But thankfully, in case AppArmor breaks
LXC things for users, that manpage documents how to specify that
a given container should run unconfined, i.e. roll back to how things
were by default on Stretch, so perhaps that's good enough?

Cheers!
-- 
intrigeri