Ack thanks.

I think upstream actually has ConditionVirtualization=!private-users now,
which can come in handy to do the uid_map check (I have just
discovered this myself).

W.r.t. not needed in containers at all, also makes sense. Thanks.

** Changed in: lxd (Ubuntu)
       Status: New => Invalid

** Changed in: systemd (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1707901

Title:
  systemd-journald-audit.socket attempts to start in unprivileged LXD
  container, but cannot

Status in lxd package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  In Progress

Bug description:
  systemd-journald-audit.socket attempts to start in unprivileged LXD
  container, but cannot.

  It fails with resource. There are no interesting logs inside the
  container, or on the host.

  The socket unit is as below, and both conditions do pass for the
  unprivileged container.

  [Unit]
  Description=Journal Audit Socket
  Documentation=man:systemd-journald.service(8) man:journald.conf(5)
  DefaultDependencies=no
  Before=sockets.target
  ConditionSecurity=audit
  ConditionCapability=CAP_AUDIT_READ

  [Socket]
  Service=systemd-journald.service
  ReceiveBuffer=128M
  ListenNetlink=audit 1
  PassCredentials=yes

  Are there any capabilities that are set/not-set for the privileged
  /unprivileged container in LXD? As in, are there any ways to
  distinguish between privileged / unprivileged containers for which
  CAP_AUDIT_READ will in fact work or not?

  Currently Ubuntu boots degraded inside an unprivileged LXD container,
  and that does not look nice. Or is attempting to use a capability the
  only way to know for sure?
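Added example, not part of the bug thread or of systemd's own code: a bash script that approximates the two checks discussed above, the uid_map test behind ConditionVirtualization=!private-users (assumed here to mean comparing /proc/self/uid_map with the identity mapping) and a CapEff test for CAP_AUDIT_READ. Function names and the sample values in the comments are constructed.

```bash
#!/usr/bin/env bash
# Approximates the two conditions from the thread. Assumption: the
# private-users condition is decided by whether /proc/self/uid_map is the
# identity mapping "0 0 4294967295"; anything else means a user namespace,
# which is what an unprivileged LXD container runs in.

CAP_AUDIT_READ=37   # bit number from linux/capability.h

# Succeeds when the uid_map text is NOT the identity mapping.
# Constructed samples: "0 0 4294967295" (host), "0 1000000 1000000000" (LXD).
in_user_namespace() {
    local norm
    norm=$(printf '%s' "$1" | tr -s ' \t\n' ' ' | sed 's/^ //; s/ $//')
    [ "$norm" != "0 0 4294967295" ]
}

# Succeeds when bit CAP_AUDIT_READ is set in a hex CapEff mask.
has_cap_audit_read() {
    local capeff="$1"
    [ -n "$capeff" ] || return 1
    [ $(( 0x$capeff >> CAP_AUDIT_READ & 1 )) -eq 1 ]
}

# Extracts the CapEff value from /proc/<pid>/status-style text.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }' <<< "$1"
}

# Combines both checks: only outside a user namespace with CAP_AUDIT_READ
# in the effective set can the audit netlink socket be expected to bind.
audit_socket_expected() {
    local uid_map="$1" status="$2"
    if in_user_namespace "$uid_map"; then
        echo "skip: user namespace (unprivileged container)"; return 1
    fi
    if ! has_cap_audit_read "$(capeff_from_status "$status")"; then
        echo "skip: CAP_AUDIT_READ not in CapEff"; return 1
    fi
    echo "ok: audit netlink socket can be bound"
}

# Live check on the current host or container, when /proc is available.
if [ -r /proc/self/uid_map ] && [ -r /proc/self/status ]; then
    audit_socket_expected "$(cat /proc/self/uid_map)" "$(cat /proc/self/status)" || true
fi
```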
