Alexander Mikhalitsyn

Results 325 comments of Alexander Mikhalitsyn

Hi Pavel, > https://lore.kernel.org/lkml/[email protected]/T/ > > It quite suspiciously reminds me of this issue. Long story short, multishot poll should only be used with nonblocking files. I assumed Christian was...

Hi Pavel, I'm really sorry for the long delay with the reply. I just missed a notification and then forgot to get back to the issue. After we have landed this https://github.com/lxc/lxc/pull/4304 and...

Likely, this is the place where it fails: https://gitlab.com/virtio-fs/virtiofsd/-/blob/main/src/util.rs#L64. pidfd_open is not available on the 4.15 kernel.

Hi @peat-psuwit! Thanks a lot for your report. Yes, we are aware of some issues with AppArmor in the case when a privileged container is used. We strongly recommend to always use...

I did some additional investigation and found that systemd these days wants even more than just changing mount propagation flags. It also wants to rbind `/`, do pivot_root and...

This issue is a real pain, because, as was said above, systemd now creates mount namespaces by default and performs a recursive bind mount of `/` (inside the container) to some...

It is interesting. If `apparmor_parser` doesn't know anything about `nosymfollow`, why does the kernel still apply policies on this? It would make more sense to allow everything which is not supported by...

This https://github.com/canonical/lxd-pkg-snap/pull/477 unblocks this PR. But we need to properly check the AppArmor version from the LXD side.

Slightly reworked version https://github.com/canonical/lxd/pull/13681

Hi @raldone01 Sorry for the long delay with the reply.

> Running an unprivileged user with app armor confinement fails.
> Is it possible to run an unprivileged container with confinement?

You need to...