Lennart Poettering
So it seems that rawhide libbpf has no support for kprobes on ppc64le and s390x yet, which causes those systems to fail
And suse appears to build the bpf stuff with gcc, which apparently has issues with 5 argument functions, unlike llvm. I think this is fixed by https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109068#c2
> ```
> /* test_id */23:49
> Found cgroup2 on /sys/fs/cgroup/unified, unified hierarchy for systemd controller23:49
> Assertion 'path_equal(p, "/sys/fs/cgroup")' failed at src/test/test-cgroup.c:142, function test_id(). Aborting.
> ```

urks, lxc...
> If `/sys/fs/cgroup/unified` is mounted it means that the distro has chosen a hybrid cgroup layout which we simply mirror. I still don't understand what this has anything to do...
Should be ready for review now, finally. Added the missing integration tests, which was the last part missing. PTAL.
> @poettering If we don't need a veth, nor a cgroup, would it then be possible to pass a userns fd via `sd_listen_fds()` and have nspawn use that while remaining...
> If I understand clearly, this will make it possible to use systemd-nspawn without root (since it says it will fix #30239). However, I'm trying to use systemd-nspawn in a...
> > If the disk image is located in a regular file in one of the directories /var/lib/machines/, /var/lib/portables/, /var/lib/extensions/, /var/lib/confexts/ or their counterparts in the /etc/, /run/, /usr/lib/ it...
> > > > Apart from this one: if there is an actual check for OS-level verity that's fine, but package managers do not provide any protections. Actually I don't...
> This is new though, setuid stuff is old and known and there are many ways to block them. If something is shipping a verity-protected /usr, why wouldn't they also...