Etienne Champetier

Related, in the past I think system user created during compose were created from 400 up, and on the host from 998 down, it might have changed with systemd-sysusers (or...

> Instead we should generate them on first boot if they don't exist. This may require OS level work. We could have rpm-ostree generate them when missing when 'unpacking' a...

this triggers SELinux ``` (typeattributeset cil_gen_require systemd_tmpfiles_t) (typeattributeset cil_gen_require shadow_t) (allow systemd_tmpfiles_t shadow_t (file (getattr setattr relabelfrom relabelto))) ```

BTW this is the same value as cri-o https://github.com/cri-o/cri-o/blob/91816d7e8a38df2c307811f80d2e34fb53f01a21/contrib/systemd/crio.service#L20C1-L20C20

My response here, with some example of what the current to be released default will break: https://github.com/containerd/containerd/pull/8924#issuecomment-1903629621

Facing the same issue, ie containerd not listening on stream port when enabling NRI, but only on server boot it seems, containerd restart and it works

Possible fix in NRI: https://github.com/containerd/nri/pull/66

@mikebrow go see the NRI PR, it explains the root cause

Possible fix in NRI: https://github.com/containerd/nri/pull/66

@mikebrow the issue is that when you enable NRI with launched plugins, sometimes containerd doesn't listen on the stream port anymore (and a restart will likely fix it) see my...