Draft: Add isolation-namespaces and needs-system-services restrictions
-
testdesc: List known restrictions one per line
If we keep these in a canonicalized order, this will reduce merge conflicts when new restrictions are added.
-
virt: List static capabilities one per line in alphabetical order
This will minimize merge conflicts when we add more capabilities.
-
Add isolation-namespaces and needs-system-services restrictions
The naming of isolation-container is misleading, because "container" can mean so many things. When container support was initially added to autopkgtest, it was close-to-synonymous with lxc, which behaves like a lightweight virtual machine: it shares the kernel with the host system, but runs a full operating system from init(8) upwards.
However, Docker and other OCI runtimes are normally used more like a heavyweight chroot than a lightweight VM: they normally run a single application, server or shell, and do not have a full init system.
isolation-namespaces is intended to be the restriction that can be provided by Docker, or by a Podman container that is not running a full init system. It's a weaker restriction than isolation-container.
needs-system-services is the part of isolation-container that Docker does not provide: a full init system implementing the init-system-helpers interfaces, such as systemd or sysv-rc.
-
virt-lxc, -lxd, -qemu: Add isolation-namespaces and system-services caps
These are implied by both isolation-container and isolation-machine, but explicit is better than implicit.
Enabler for !76 (closed). Only partially tested so far.