
touch-packages team mailing list archive

Re: [Bug 1457054] Re: journal is broken in unprivileged LXC and nspawn containers


Quoting Martin Pitt (martin.pitt@xxxxxxxxxx):
> The cap_audit_* are a lie, the audit subsystem in current kernels isn't

To be pedantic, it is not a lie - you have that capability against your
own user namespace, but the only check for that capability is explicitly
against the initial user namespace.

But it certainly seems the easiest (short-term) workaround is to drop
that capability.  Unfortunately that will be tough to coordinate with the
(soon-coming) namespaced audit.  If we drop it now in container configs,
how do we tell userspace to re-enable it when available?  The cleaner
way from our pov would be for systemd to check using bind() whether it
has the access.  Then as soon as the kernel provided the ability to
do that in a non-init userns, containers could use it.

To put it another way, the check for the capability bounding set is always
explicitly a check for capabilities against your user namespace.  If the
question is "can I read audit logs", then "do I have CAP_AUDIT_READ in
my bounding set" is simply the wrong check.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1457054

Title:
  journal is broken in unprivileged LXC and nspawn containers

Status in lxc package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Fix Committed
Status in systemd source package in Vivid:
  In Progress
Status in systemd source package in Wily:
  Fix Committed

Bug description:
  Test case
  -------------
  - Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
  - Boot it. You'll get a lot of errors like

    [FAILED] Failed to start Journal Service.
    systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
    [FAILED] Failed to listen on Journal Audit Socket.

  - The same happens with systemd-nspawn -b.

  As a result, the journal isn't working at all, and you have a bunch of
  failed journal related units.

  With a fixed systemd package, systemd in the container should realize
  that it cannot listen to the audit socket (as the kernel doesn't allow
  that -- the audit subsystem isn't fit for namespaces right now), and
  "sudo journalctl" should show the journal and systemd-journald.service
  should be running. These systemd fixes are sufficient for nspawn, but
  not completely for unprivileged LXC containers -- there the journal
  will start working, but systemd-journald-audit.socket will still keep
  failing (this is less important).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1457054/+subscriptions
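As an added example (not code from this thread, from systemd or from lxc), the following C program puts the two checks the reply contrasts side by side: the bounding-set query via prctl(PR_CAPBSET_READ), and an actual bind() of a NETLINK_AUDIT socket to the read-log multicast group. It assumes that this multicast-group bind is the operation behind the bug's "Operation not permitted", and that the kernel gates it with capable(CAP_AUDIT_READ) against the initial user namespace, as the reply describes.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* The bounding-set check: 1 = CAP_AUDIT_READ present, 0 = dropped,
 * -1 = prctl failed. Inside a user namespace this answers for that
 * namespace only, which is why the thread calls it the wrong check. */
int audit_read_in_bounding_set(void)
{
    return prctl(PR_CAPBSET_READ, CAP_AUDIT_READ, 0, 0, 0);
}

/* The access check: bind a NETLINK_AUDIT socket to the read-log
 * multicast group, as journald's audit socket does (assumed here). The
 * kernel gates that bind with capable(CAP_AUDIT_READ), i.e. against the
 * initial user namespace. Returns 0 when permitted, else the errno seen. */
int audit_read_probe(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return errno;       /* e.g. EPROTONOSUPPORT: kernel without audit */

    struct sockaddr_nl sa;
    memset(&sa, 0, sizeof sa);
    sa.nl_family = AF_NETLINK;
    sa.nl_groups = 1U << (AUDIT_NLGRP_READLOG - 1);

    int err = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        err = errno;        /* EPERM: "Operation not permitted", as in the bug */
    close(fd);
    return err;
}

int main(void)
{
    int bset = audit_read_in_bounding_set(), err = audit_read_probe();
    printf("CAP_AUDIT_READ in bounding set: %s\n",
           bset == 1 ? "yes" : bset == 0 ? "no" : "unknown");
    printf("bind() to audit read-log group: %s\n",
           err ? strerror(err) : "permitted");
    return 0;
}
```

Run inside an unprivileged container the first line can say "yes" while the second reports EPERM, which is exactly the mismatch the reply points out; only the second line answers the question "can I read audit logs".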
