To avoid grave-digging, I’m starting a new thread (I’m not sure it would be the faux pas the warning on the side suggested, but to be safe I won’t grave-dig a resolved thread), but it’s related to this:
Are you able to shed a bit more light on when/why this would be required by LXD?
We’ve been looking at doing some general hardening, and consistent advice is that if you don’t need this feature you should turn it off, and the only thing I’ve been able to find that reliably uses it is browsers for sandboxing purposes (not in my use case in the slightest).
From my testing, LXD seems to function fine without this set - on Ubuntu, LXD itself runs as “root” (albeit in a snap container?), and all the functions that I have tested seem to work (I haven’t tested anything CRIU related, but honestly CRIU has never worked right for me anyway).
But for some reason, LXD’s Snap startup script specifically resets this to 1 if it’s set to zero: lxd-pkg-snap/daemon.start at 6a8b5bee9c78bfef92bd89d4810bc74b6e670d69 · lxc/lxd-pkg-snap · GitHub
I’ve yet to find anything on my home machine that doesn’t work when this is disabled, but is there something I’m missing? If it’s just the case of “anything that needs this will fail on the host” I can live with that, I’m just wondering if there’s something specific about LXD that requires it.
Thanks a lot!