For context this puts a toggle on this feature added to nspawn: http://cgit.freedesktop.org/systemd/systemd/commit/?id=28650077f36466d9c5ee27ef2006fae3171a2430
I encouraged Jay to make it an opt-in flag so as to not break other people who had working setups when using nspawn as a minimal ns wrapper.

Brandon

On Tue, Feb 3, 2015 at 3:22 PM, Jay Faulkner <j...@jvf.cc> wrote:
> Hi all,
>
> As I posted last week, a change merged a while ago to systemd-nspawn adding
> seccomp protections with no ability to enable/disable broke the Ironic Python
> Agent ramdisk which utilizes CoreOS and systemd. The attached patch makes the
> behavior optional, with it defaulting to disabled. I did this for two
> reasons; the first being that my (and other consumers of OpenStack Ironic)
> use case was broken, as would anyone else using spawn in this manner.
> Additionally, seccomp filters can be configured specifically as desired in
> the unit file.
>
> I appreciate your time and effort in getting this patch merged, so I’ll be
> able to upgrade and consume a newer systemd.
>
> Thanks,
> Jay Faulkner
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel