touch-packages team mailing list archive
Message #79495
[Bug 1457054] Re: journal is broken in unprivileged LXC and nspawn containers
Fixed upstream:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=417a7fdc418
http://cgit.freedesktop.org/systemd/systemd/commit/?id=01906c76c
However, there's one more detail to fix in unprivileged containers:
root@v:/# getpcaps $$
Capabilities for `608': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_syslog,cap_wake_alarm,cap_block_suspend,37+ep
The cap_audit_* are a lie; the audit subsystem in current kernels isn't
namespace aware and thus unprivileged containers can't have these caps.
The failed systemd-journald-audit.socket unit there isn't a big deal,
but this should be fixed in LXC.
** Also affects: lxc (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Test case
-------------
- Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
- Boot it. You'll get a lot of errors like
- [FAILED] Failed to start Journal Service.
- systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
- [FAILED] Failed to listen on Journal Audit Socket.
+ [FAILED] Failed to start Journal Service.
+ systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
+ [FAILED] Failed to listen on Journal Audit Socket.
- The same happens with systemd-nspawn -b.
- As a result, the journal isn't working at all.
+ As a result, the journal isn't working at all, and you have a bunch of
+ failed journal related units.
With a fixed systemd package, systemd in the container should realize
that it cannot listen to the audit socket (as the kernel doesn't allow
that -- the audit subsystem isn't fit for namespaces right now), and
"sudo journalctl" should show the journal and systemd-journald.service
- should be running.
+ should be running. These systemd fixes are sufficient for nspawn, but
+ not completely for unprivileged LXC containers -- there the journal will
+ start working, but systemd-journald-audit.socket will still keep failing
+ (this is less important)
** Changed in: lxc (Ubuntu Wily)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1457054
Title:
journal is broken in unprivileged LXC and nspawn containers
Status in lxc package in Ubuntu:
New
Status in systemd package in Ubuntu:
In Progress
Status in lxc source package in Vivid:
New
Status in systemd source package in Vivid:
Confirmed
Status in lxc source package in Wily:
New
Status in systemd source package in Wily:
In Progress
Bug description:
Test case
-------------
- Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
- Boot it. You'll get a lot of errors like
[FAILED] Failed to start Journal Service.
systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
[FAILED] Failed to listen on Journal Audit Socket.
- The same happens with systemd-nspawn -b.
As a result, the journal isn't working at all, and you have a bunch of
failed journal related units.
With a fixed systemd package, systemd in the container should realize
that it cannot listen to the audit socket (as the kernel doesn't allow
that -- the audit subsystem isn't fit for namespaces right now), and
"sudo journalctl" should show the journal and systemd-journald.service
should be running. These systemd fixes are sufficient for nspawn, but
not completely for unprivileged LXC containers -- there the journal
will start working, but systemd-journald-audit.socket will still keep
failing (this is less important)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1457054/+subscriptions
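The getpcaps output quoted in the message above shows an unprivileged container whose effective set still lists cap_audit_write, cap_audit_control and capability 37 (cap_audit_read), even though a user namespace cannot use them. The following script is an added example, not code from the bug report, LXC or systemd. It decodes a getpcaps line and a CapEff hex mask from /proc/<pid>/status into capability names, and reports which audit capabilities are present so a container image or a CI check can flag the inconsistency; the capability numbering is taken from <linux/capability.h>, and the /proc/self/status snippet is constructed to match the quoted getpcaps line.

```python
"""Decode Linux capability sets and flag audit capabilities that a user
namespace cannot actually exercise.  Added example; not from the bug report."""
import re

# Capability bit positions as defined in <linux/capability.h>.  getpcaps prints
# the lower-case name, or a bare number (e.g. "37") when its libcap is older
# than the capability.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# The audit subsystem is not namespace aware, so these cannot work inside a
# user namespace no matter what the capability set claims.
AUDIT_CAPS = {"cap_audit_write", "cap_audit_control", "cap_audit_read"}

# Sample input: the getpcaps line quoted in the bug comment.
GETPCAPS_LINE = (
    "Capabilities for `608': = cap_chown,cap_dac_override,cap_dac_read_search,"
    "cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,"
    "cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,"
    "cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_rawio,cap_sys_chroot,"
    "cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,"
    "cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,"
    "cap_audit_control,cap_setfcap,cap_syslog,cap_wake_alarm,cap_block_suspend,"
    "37+ep"
)

# Constructed /proc/<pid>/status excerpt whose CapEff equals the set above
# (all of bits 0..37 except sys_module, sys_time, mac_override, mac_admin).
PROC_STATUS = "Name:\tbash\nPid:\t608\nCapEff:\t0000003cfdfeffff\nCapBnd:\t0000003cfdfeffff\n"


def cap_name(number):
    """Map a capability number to its name, or cap_<n> if unknown."""
    return CAP_NAMES[number] if 0 <= number < len(CAP_NAMES) else f"cap_{number}"


def parse_getpcaps(line):
    """Parse one line of getpcaps output into a set of capability names."""
    _, _, caps = line.partition("=")
    result = set()
    for tok in caps.strip().split(","):
        tok = re.sub(r"[+\-=][eip]*$", "", tok.strip())  # drop "+ep"-style flags
        if tok:
            result.add(cap_name(int(tok)) if tok.isdigit() else tok.lower())
    return result


def decode_capeff(hexmask):
    """Turn a CapEff/CapBnd hex mask from /proc/<pid>/status into names."""
    mask = int(hexmask, 16)
    return {cap_name(i) for i in range(mask.bit_length()) if mask >> i & 1}


def encode_caps(caps):
    """Inverse of decode_capeff: names back to a bit mask."""
    mask = 0
    for name in caps:
        if name in CAP_NAMES:
            mask |= 1 << CAP_NAMES.index(name)
        elif (m := re.fullmatch(r"cap_(\d+)", name)):
            mask |= 1 << int(m.group(1))
    return mask


def capeff_from_proc_status(text):
    """Extract the CapEff hex string from /proc/<pid>/status contents."""
    for line in text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")


def running_in_user_namespace():
    """True unless /proc/self/uid_map is the identity map of the initial namespace."""
    with open("/proc/self/uid_map") as f:
        return f.read().split() != ["0", "0", "4294967295"]


def audit_caps_present(caps):
    """Audit capabilities listed in the set; in a user namespace these are unusable."""
    return sorted(AUDIT_CAPS & set(caps))


if __name__ == "__main__":
    caps = parse_getpcaps(GETPCAPS_LINE)
    print(f"{len(caps)} effective caps; CapEff = {encode_caps(caps):#x}")
    print("audit caps claimed:", audit_caps_present(caps))
    if running_in_user_namespace():
        print("inside a user namespace: audit caps above cannot be exercised")
```

Run it inside the container to compare what getpcaps claims with what the namespace can deliver; the same functions accept the CapEff line of any process's /proc/<pid>/status, which is handy when getpcaps is not installed in the image.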