Enable security.nesting by default for unprivileged containers and modern enough images

[mihalicyn]

I believe we have no choice and should set security.nesting=true (unprivileged case only) for modern enough images (e.g. starting from Oracular [1]).
This depends on a systemd version, not really a distro-specific thing.

For privileged containers, problem even more serious [2] as these days Noble doesn't work in a privileged container. And only works with nesting enabled which makes a container escapable.

See also:
[1] #12698
[2] #12967

[simondeziel]

I believe we have no choice and should set security.nesting=true (unprivileged case only) for modern enough images.

From a security point of view, is it more dangerous to have nesting enabled if the (unprivileged) container is Jammy or Oracular?

If the answer is no, I think we should discuss whether we always enable security.nesting for unprivileged containers as even Noble and earlier releases have diverse issues with systemd units using namespace features.

[tomponline]

Seems relevant lxc/incus#650