feat(ubuntu): disable some unit sandboxing options globally

f-bn · f-bn · commit 352d66811893 · 2026-04-18T13:44:03.000+02:00
diff --git a/ubuntu/24.04-init/Dockerfile b/ubuntu/24.04-init/Dockerfile
@@ -1,8 +1,5 @@
 FROM docker.io/ubuntu:24.04
 
-COPY --chown=0:0 \
-  ssh-keygen.service /etc/systemd/system/ssh-keygen.service
-
 RUN --mount=type=bind,source=extra-packages,target=/extra-packages \
   set -ex ; \
     export DEBIAN_FRONTEND=noninteractive ; \
@@ -11,6 +8,11 @@ RUN --mount=type=bind,source=extra-packages,target=/extra-packages \
     apt clean all ; \
     rm -rf /var/lib/apt/lists/* /etc/ssh/ssh_host_*
 
+COPY --chown=0:0 \
+  ssh-keygen.service /etc/systemd/system/ssh-keygen.service
+COPY --chown=0:0 \
+  systemd/10-disable-sandboxing.conf /etc/systemd/system/service.d/10-disable-sandboxing.conf
+
 RUN systemctl enable ssh-keygen.service
 
 RUN truncate -s0 /etc/machine-id /var/lib/dbus/machine-id
diff --git a/ubuntu/24.04-init/systemd/10-disable-sandboxing.conf b/ubuntu/24.04-init/systemd/10-disable-sandboxing.conf
@@ -0,0 +1,19 @@
+# Disable sandboxing options globally that will not work in a container environment
+[Service]
+ProcSubset=all
+ProtectProc=default
+ProtectControlGroups=no
+ProtectKernelTunables=no
+NoNewPrivileges=no
+ProtectKernelLogs=no
+ProtectKernelModules=no
+PrivateTmp=no
+PrivateDevices=no
+ProtectHome=no
+ProtectSystem=no
+RestrictNamespaces=no
+LockPersonality=no
+RestrictRealtime=no
+ReadWritePaths=
+ReadOnlyPaths=
+ImportCredential=
diff --git a/ubuntu/26.04-init/Dockerfile b/ubuntu/26.04-init/Dockerfile
@@ -1,8 +1,5 @@
 FROM docker.io/ubuntu:26.04
 
-COPY --chown=0:0 \
-  ssh-keygen.service /etc/systemd/system/ssh-keygen.service
-
 RUN --mount=type=bind,source=extra-packages,target=/extra-packages \
   set -ex ; \
     export DEBIAN_FRONTEND=noninteractive ; \
@@ -11,6 +8,11 @@ RUN --mount=type=bind,source=extra-packages,target=/extra-packages \
     apt clean all ; \
     rm -rf /var/lib/apt/lists/* /etc/ssh/ssh_host_*
 
+COPY --chown=0:0 \
+  ssh-keygen.service /etc/systemd/system/ssh-keygen.service
+COPY --chown=0:0 \
+  systemd/10-disable-sandboxing.conf /etc/systemd/system/service.d/10-disable-sandboxing.conf
+
 RUN systemctl enable ssh-keygen.service
   
 RUN truncate -s0 /etc/machine-id /var/lib/dbus/machine-id
diff --git a/ubuntu/26.04-init/systemd/10-disable-sandboxing.conf b/ubuntu/26.04-init/systemd/10-disable-sandboxing.conf
@@ -0,0 +1,19 @@
+# Disable sandboxing options globally that will not work in a container environment
+[Service]
+ProcSubset=all
+ProtectProc=default
+ProtectControlGroups=no
+ProtectKernelTunables=no
+NoNewPrivileges=no
+ProtectKernelLogs=no
+ProtectKernelModules=no
+PrivateTmp=no
+PrivateDevices=no
+ProtectHome=no
+ProtectSystem=no
+RestrictNamespaces=no
+LockPersonality=no
+RestrictRealtime=no
+ReadWritePaths=
+ReadOnlyPaths=
+ImportCredential=
