Alexander Mikhalitsyn
This adds the ability to set per-container configuration parameters (boolean). This can be very useful in some workloads if the system administrator (or container administrator) wants to have some specific LXCFS configuration...
Let's tighten capability checks in the mknod interception code to align this with what we have in the kernel. So, if mknod interception is enabled, then only a user with CAP_MKNOD in...
LXCFS will instantly crash if the version of FUSE used for the binary differs from that used for the library. We should have a way to quickly check the major...
Closes https://github.com/canonical/lxd/pull/12698
I believe we have no choice and should set `security.nesting=true` (**unprivileged** case only) for modern enough images (e.g. starting from Oracular [1]). This depends on a systemd version, not really...
snapd 2.64 is not released yet. We are waiting for it and: https://github.com/snapcore/snapd/pull/14118 to be included
Investigate and fix all the issues TODO list: - [x] fix **un**privileged containers case (covered by https://github.com/canonical/lxd/pull/13820) - [ ] try to fix privileged containers case (we need https://github.com/canonical/lxd-imagebuilder/commit/c928d22574893208fd9ddbdb8c7dcf7e3899c19d )...
This should fix distros with modern versions of systemd. It's worth mentioning that the `nosymfollow` flag is supported only in recent enough versions of AppArmor: https://gitlab.com/apparmor/apparmor/-/merge_requests/1005
Since we have prepared ourselves by enabling the unconfined profile for the LXD snap, we can stop disabling unprivileged user namespace restrictions. This depends on: - snapcraft.yaml: enable unconfined mode in lxd-support...
Not fully ready to be merged yet. ToDo: - [ ] support file-backed and read-only mappings https://github.com/torvalds/linux/commit/f807123d578df4218e2580a1e1bb3436f4567c4a - [x] handle VM_WIPEONFORK in CRIU & test - [x] some more code...