Hi LXC maintainers,

intrigeri:
> Ideally, picking the best strategy and implementing it would be
> a matter of coordination between LXC and systemd (ideally upstream,
> but quite possibly distro maintainers will need to be involved
> here). I'll raise this issue to the Ubuntu LXC and AppArmor folks.
Done. To sum up:

- LX*D* apparently has the support needed to set up AppArmor policy in a way that should not be affected by the problem this thread is about (running systemd v240+ in a container). autopkgtest has a LXD backend but LXD is not in Debian yet (WIP, see #768073; I'm not counting on this being completed in time for the Buster freeze).

- Similar support was added to the LXC 3.x branch. It won't be backported to 2.x (that we currently have in testing/sid). I've asked about the timeline to release 3.x as stable and Stéphane Graber replied:

  "I think we were aiming towards February-ish originally but there's no real reason to wait that long either, so if Christian isn't waiting for some big changes to land before doing a non-LTS feature release, we should be able to tag one next month. It'd be worth someone making sure that current master with the apparmor work that was done by Wolfgang will do the right thing out of the box though, otherwise that wouldn't really achieve a whole lot."

So on the LXC + AppArmor vs. systemd v240+ front, I think the next steps are:

1. Try running current systemd master branch and its autopkgtests inside a container managed by LXC 2.x on current testing/sid. Goal: confirm the issues Michael discovered and have a baseline to evaluate LXC 3.x against.

2. Try running current systemd master branch and its autopkgtests inside a container managed by LXC 3.x on current testing/sid. Report any issue so they're fixed before 3.x becomes stable and is hopefully included in Buster.

For details, see:
https://lists.ubuntu.com/archives/apparmor/2018-October/011830.html
… except Stéphane Graber's messages are apparently held for moderation so they don't appear in the list archives yet.

Cheers,
--
intrigeri