systemd v256 seems to require overriding ImportCredential= for all containers

[gibmat]

After #849, privileged Debian sid containers with systemd v256~rc3 work fine, but unprivileged ones don't. Adding the ImportCredential= override for them as well finally makes all my sid containers happy again.

[stgraber]

Unpriv sid containers have been working fine here, so long as you have apparmor 4.0 and so get the new apparmor rule, otherwise you need to use security.nesting=true to allow all mounts.

[gibmat]

Does setting security.nesting=true for unprivileged containers have any other implications/consequences? It's going to be a while before apparmor 4.0 becomes widely available (and some users, such as people running Incus on bookworm hosts will never see it). If that extra step becomes necessary as newer versions of systemd are used in containers, it seems like that will cause confusion for users who expect incus launch images:.... to work out of the box with its defaults.

Are there concerns about overriding ImportCredential= for services in unprivileged containers?

[stgraber]

Probably no real concerns. I'm sure the systemd devs won't like us turning all their security features, but apparmor is a mess so we don't have too much choice.