README: document that we still encourage people to turn off audit when they want to use containers

2014-03-11 05:40:36 +01:00 · 2014-03-11 05:40:36 +01:00 · a7b1c3971a
parent 236af516b8
commit a7b1c3971a
1 changed files with 7 additions and 0 deletions
--- a/7
+++ b/7
@ -89,6 +89,13 @@ REQUIREMENTS:
        runtime using the kernel command line option "audit=0", or
        turn it off at kernel compile time using:
          CONFIG_AUDIT=n
+        If systemd is compiled with libseccomp support on
+        architectures which do not use socketcall() and where seccomp
+        is supported (this effectively means x86-64 and ARM, but
+        excludes 32bit x86!), then nspawn will now install a
+        work-around seccomp filter that makes containers boot even
+        with audit being enabled. This works correctly only on kernels
+        3.14 and newer though. TL;DR: turn audit off, still.

        glibc >= 2.14
        libcap