Draft: Add isolation-namespaces and needs-system-services restrictions

Simon McVittie requested to merge smcv/autopkgtest:isolation-namespace into master
  • testdesc: List known restrictions one per line

    If we keep these in a canonicalized order, this will reduce merge conflicts when new restrictions are added.

  • virt: List static capabilities one per line in alphabetical order

    This will minimize merge conflicts when we add more capabilities.

  • Add isolation-namespaces and needs-system-services restrictions

    The naming of isolation-container is misleading, because "container" can mean so many things. When container support was initially added to autopkgtest, it was close-to-synonymous with lxc, which behaves like a lightweight virtual machine: it shares the kernel with the host system, but runs a full operating system from init(8) upwards.

    However, Docker and other OCI runtimes are normally used more like a heavyweight chroot than a lightweight VM: they normally run a single application, server or shell, and do not have a full init system.

    isolation-namespaces is intended to be the restriction that can be provided by Docker, or by a Podman container that is not running a full init system. It's a weaker restriction than isolation-container.

    needs-system-services is the part of isolation-container that Docker does not provide: a full init system implementing the init-system-helpers interfaces, such as systemd or sysv-rc.

  • virt-lxc, -lxd, -qemu: Add isolation-namespaces and system-services caps

    These are implied by both isolation-container and isolation-machine, but explicit is better than implicit.


Enabler for !76 (closed). Only partially tested so far.
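
The split described in the commit messages above can be illustrated with a small restriction-versus-capability check. This is an added sketch, not code from the merge request or from autopkgtest: the function names, the restriction-to-capability mapping and the sample testbeds are assumptions constructed for illustration, while the implication rule (isolation-container and isolation-machine both imply isolation-namespaces and system-services) is taken from the description.

```python
# Added sketch, not autopkgtest's implementation.

# Capabilities the description says are implied by the stronger isolation levels.
IMPLIED = {
    "isolation-container": {"isolation-namespaces", "system-services"},
    "isolation-machine": {"isolation-namespaces", "system-services"},
}

# Restriction -> capability the testbed must offer.
# Assumption: mapping inferred from the names used in the merge request.
REQUIRES = {
    "isolation-namespaces": "isolation-namespaces",
    "isolation-container": "isolation-container",
    "isolation-machine": "isolation-machine",
    "needs-system-services": "system-services",
}

# Constructed sample testbeds (hypothetical names) and their declared capabilities.
TESTBEDS = {
    "chroot-like": [],
    "docker-like": ["isolation-namespaces"],  # single application, no init system
    "lxc-like": ["isolation-container"],      # full OS from init upwards
}


def effective_caps(declared):
    """Expand declared capabilities with the ones they imply."""
    caps = set(declared)
    for cap in declared:
        caps |= IMPLIED.get(cap, set())
    return caps


def unmet(restrictions, declared_caps):
    """Return the restrictions this testbed cannot satisfy, sorted."""
    caps = effective_caps(declared_caps)
    return sorted(
        r for r in restrictions
        if r in REQUIRES and REQUIRES[r] not in caps
    )


def runnable_on(restrictions):
    """Return the sample testbeds on which a test with these restrictions can run."""
    return sorted(
        name for name, caps in TESTBEDS.items()
        if not unmet(restrictions, caps)
    )


if __name__ == "__main__":
    for wanted in (["isolation-namespaces"],
                   ["isolation-namespaces", "needs-system-services"],
                   ["isolation-container"]):
        print(wanted, "->", runnable_on(wanted))
```

A test that only needs namespace isolation can run on the Docker-like testbed, while one that also declares needs-system-services is pushed to a testbed with a full init system.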
