Quentin Deslandes
> I've only had a quick look for now, but some thoughts:
>
> Maybe I missed it, but I don't see a reasoning for making the mount executable configurable....
> > What you suggest would be to only be aware of the running user when `chown` is actually called, instead of storing it within `MkosiArgs`, is that what you...
Rebased on main branch, fixed the merge conflict and added a check in [Use rootidmap with nspawn's bind mounts](https://github.com/systemd/mkosi/pull/1151/commits/59d774c5af1c03ee2f0c15171ab0e6e1ab6fb16d) to ensure we use systemd-nspawn 252 or later. Last commit ([Use...
> I suspect this needs a guard if ID mapping is actually supported?

I rebased the code on main, having a look at the guard for ID mapping.
> Looking at [#6432 (comment)](https://github.com/systemd/systemd/issues/6432#issuecomment-571174932) it appears this PR doesn't cover use cases where as far as I understand the idea is not to keep sensitive data in journald but...
> Also my fuzz targets didn't get far
>
> ```
> Jul 26 15:33:31 C systemd-journald[1160]: File /var/log/journal/89048b4b503f455f861e1cda6e724d83.wat/system.journal corrupted or uncleanly shut down, renaming and replacing.
> Jul 26...
> Having finished reading that thread I wonder why this setting can't be used to filter out messages coming from `systemd` itself? It came up quite a few times there...
> I think it should be possible to add a couple of knobs to cover those use cases (if it's decided that it should be configurable).

Agreed. Also, I would...
> > Are you referring only to the concurrency between cgroup creation/deletion and log processing by journald, or is there an other concern? > > I was mostly talking about...
> So, hmm, a single regex per unit. Is that really enough? I implicitly assumed it would have to be a list of regexes, to make it easy to filter...