Giuseppe Scrivano
We can decide whether to be backward compatible and handle only prestart and poststop when the type is not specified. On the other hand, there are probably not many users out...
@rhatdan I think that is expected. Writing to `/proc/sys/*` is done from the container process itself during the setup and AFAIK only root in the init user namespace has write...
I am not sure, it might be possible that the parent process writes to the `/proc/fs` mounted by the container (as a hook would do) but it will be half...
1. I think it is still useful to generate a default configuration OCI file, even if not present, so that users can manually edit it; I find it quite handy...
we have the possibility to specify another runtime now, so atomic is less bound to runc and bwrap-oci, if that helps for this issue
could you use $DESTDIR instead of hardcoding the path for WorkingDirectory? That will be helpful for atomic updates as the service will point to the correct location on the file...
@baude would you like me to take care of this PR?
could you try with `KillMode=none` in the systemd unit file? Does that solve the issue you are seeing? Another thing I was wondering about, does firewalld load kernel modules? If...
a read-only rslave bind mount is fine; in case it is ever overridden on the host, we will get the changes. I've not seen the SELinux failure and the `KillMode=`...
1. yes, the reason why we copy the files to `/etc` and bind mount them into the container is that in this way users can configure it in the usual...