On Tue, 4 Jun 2019, John Johansen wrote:

> Yes, on Ubuntu & suse you can launch lxd system containers with the
> container having a system policy bounding the container, and the container
> having its own apparmor policy namespace. So it loads and has its own
> policy that is enforced.
>
> This allows for us to run older versions of ubuntu (say 16.04) on an
> 18.04 host, and have the 16.04 policy behave just as if it was the host.

How well does the LSM stacking scale to 100s or more containers?

> This approach won't be an option for the 19.10 release and we will be
> needing the full patchset. I should be able to provide some benchmark
> and testing data soon.

Great.

--
James Morris <jmorris@xxxxxxxxx>