summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-03-11 05:40:36 +0100
committerLennart Poettering <lennart@poettering.net>2014-03-11 05:40:36 +0100
commita7b1c3971a30546fe633e320d45033aba8b2ca3c (patch)
treee247dc4cc5234eee372079acd7dad27c2ff6210b
parent236af516b866473c22f980b556a2d7535cef4d9b (diff)
downloadsystemd-a7b1c3971a30546fe633e320d45033aba8b2ca3c.tar.gz
systemd-a7b1c3971a30546fe633e320d45033aba8b2ca3c.tar.bz2
systemd-a7b1c3971a30546fe633e320d45033aba8b2ca3c.zip
README: document that we still encourage people to turn off audit when they want to use containers
-rw-r--r--README7
1 files changed, 7 insertions, 0 deletions
diff --git a/README b/README
index 7a227e7327..ace13cf075 100644
--- a/README
+++ b/README
@@ -89,6 +89,13 @@ REQUIREMENTS:
runtime using the kernel command line option "audit=0", or
turn it off at kernel compile time using:
CONFIG_AUDIT=n
+ If systemd is compiled with libseccomp support on
+ architectures which do not use socketcall() and where seccomp
+ is supported (this effectively means x86-64 and ARM, but
+ excludes 32bit x86!), then nspawn will now install a
+ work-around seccomp filter that makes containers boot even
+ with audit being enabled. This works correctly only on kernels
+ 3.14 and newer though. TL;DR: turn audit off, still.
glibc >= 2.14
libcap