Open mihalicyn opened 3 months ago
I believe we have no choice and should set `security.nesting=true` (unprivileged case only) for modern enough images.
From a security point of view, is it more dangerous to have nesting enabled if the (unprivileged) container is Jammy or Oracular?
If the answer is no, I think we should discuss whether we always enable `security.nesting` for unprivileged containers, as even Noble and earlier releases have diverse issues with systemd units using namespace features.
Seems relevant https://github.com/lxc/incus/pull/650
I believe we have no choice and should set `security.nesting=true` (unprivileged case only) for modern enough images (e.g. starting from Oracular [1]). This depends on the systemd version, not really a distro-specific thing.

For privileged containers, the problem is even more serious [2], as these days Noble doesn't work in a privileged container and only works with nesting enabled, which makes the container escapable.
See also:

[1] https://github.com/canonical/lxd/pull/12698
[2] https://github.com/canonical/lxd/issues/12967
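As an added check that is not part of this thread or of LXD itself: a small POSIX shell audit that reads the YAML `lxc config show <name> --expanded` prints and flags the combination the comment above calls escapable (`security.privileged` plus `security.nesting` both `"true"`), distinguishing it from the unprivileged-plus-nesting setting proposed here. The sample configs are constructed so the script runs offline; `lxd_cfg_value` and `audit_nesting` are names chosen for this example.

```shell
# Verdicts returned (printed) by audit_nesting:
#   unprivileged-nesting  - the setting proposed in this thread for modern systemd images
#   privileged-nesting    - privileged container with nesting; flag it (escape risk)
#   no-nesting            - nesting off (systemd units using namespaces may fail)

# Extract one top-level or config: key from LXD YAML. LXD prints config
# values as quoted strings, so the quotes are stripped; empty output if unset.
lxd_cfg_value() {
  # $1 = YAML text, $2 = key name (e.g. security.nesting)
  printf '%s\n' "$1" | awk -v key="$2" -F': *' '
    { k = $1; sub(/^[ \t]+/, "", k) }
    k == key { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Classify the privileged/nesting combination of one container config.
audit_nesting() {
  privileged=$(lxd_cfg_value "$1" security.privileged)
  nesting=$(lxd_cfg_value "$1" security.nesting)
  if [ "$nesting" != "true" ]; then
    echo no-nesting
  elif [ "$privileged" = "true" ]; then
    echo privileged-nesting
  else
    echo unprivileged-nesting
  fi
}

# Constructed samples in the shape `lxc config show --expanded` prints.
SAMPLE_UNPRIV='config:
  image.description: Constructed sample (unprivileged, nesting on)
  security.nesting: "true"
name: c1'
SAMPLE_PRIV='config:
  security.nesting: "true"
  security.privileged: "true"
name: c2'
SAMPLE_OFF='config:
  security.privileged: "false"
name: c3'

# Stand-alone run: print one verdict per sample container.
for s in "$SAMPLE_UNPRIV" "$SAMPLE_PRIV" "$SAMPLE_OFF"; do
  echo "$(lxd_cfg_value "$s" name): $(audit_nesting "$s")"
done
```

On a real host, replace the samples with `audit_nesting "$(lxc config show "$name" --expanded)"` for each container in `lxc list -c n --format csv`.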