From c8a9b7f5d7e8351949b961e07c347850293f0842 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Fri, 15 Apr 2022 21:35:25 -0400
Subject: [PATCH] main: override systemd features only when security.nesting=false

Signed-off-by: Simon Deziel
---
 distrobuilder/main.go | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/distrobuilder/main.go b/distrobuilder/main.go
index 1a8e9e4a2..219c73655 100644
--- a/distrobuilder/main.go
+++ b/distrobuilder/main.go
@@ -729,14 +729,24 @@ fi
 
 # Workarounds for containers.
 if is_lxc_container; then
- # Apply systemd overrides
- if [ "${systemd_version}" -ge 244 ]; then
- fix_systemd_override_unit system/service
- else
- # Setup per-unit overrides
- find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
- fix_systemd_override_unit "${service_file}"
- done
+ # Overriding some systemd features is only needed if security.nesting=false
+ # in which case, /dev/.lxc will be missing
+ if [ ! -d /dev/.lxc ]; then
+ # Apply systemd overrides
+ if [ "${systemd_version}" -ge 244 ]; then
+ fix_systemd_override_unit system/service
+ else
+ # Setup per-unit overrides
+ find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do
+ fix_systemd_override_unit "${service_file}"
+ done
+ fi
+
+ # Workarounds for privileged containers.
+ if ! grep -q 4294967295 /proc/self/uid_map && { [ "${ID}" = "altlinux" ] || [ "${ID}" = "arch" ] || [ "${ID}" = "fedora" ]; }; then
+ fix_ro_paths systemd-networkd.service
+ fix_ro_paths systemd-resolved.service
+ fi
 fi
 
 # Ignore failures on some units.
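Review bot: The relocated `fix_ro_paths` guard is commented `# Workarounds for privileged containers.` but its test `! grep -q 4294967295 /proc/self/uid_map` succeeds when the full-range identity mapping is absent, which on LXD/LXC appears to be the unprivileged (id-mapped) case, so the comment and the condition seem to disagree. The block is only moved by this commit, so this is likely pre-existing, but since it is being touched it is worth settling: drop the `!` if privileged containers are meant, or reword to `# Workarounds for unprivileged (id-mapped) containers.` if the negation is intended. Separately, placing that block under the new `[ ! -d /dev/.lxc ]` gate also skips the read-only-path workaround whenever nesting is enabled, which the subject line (systemd feature overrides) does not mention; a sentence in the description or a comment such as `# The read-only path workarounds are also skipped here on purpose when nesting is enabled` would record that this is deliberate rather than incidental. The enclosing `if is_lxc_container` block continues past the end of this hunk.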
@@ -760,12 +770,6 @@ if is_lxc_container; then
 fix_nm_force_up eth0
 fi
 
- # Workarounds for privileged containers.
- if ! grep -q 4294967295 /proc/self/uid_map && { [ "${ID}" = "altlinux" ] || [ "${ID}" = "arch" ] || [ "${ID}" = "fedora" ]; }; then
- fix_ro_paths systemd-networkd.service
- fix_ro_paths systemd-resolved.service
- fi
-
 # Workarounds for NetworkManager in containers
 if [ "${nm_exists}" -eq 1 ]; then
 if [ "${ID}" = "ol" ] || [ "${ID}" = "centos" ]; then