touch-packages team mailing list archive
Message #79534
[Bug 1457054] Re: journal is broken in unprivileged LXC and nspawn containers
> To be pedantic, it is not a lie - you have that capability against
> your own user namespace,
Ah, so that says "you can do it", but it's never actually going to work?
I guess that's just another expression of audit not working in
namespaces then..
> Unfortunately that will be tough to coordinate with the (soon-coming)
> namespaced audit.
Ooh, is that coming? Then I guess we shouldn't bother much, it's not an
important problem. For the most part unpriv containers work fine now.
** Changed in: lxc (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1457054
Title:
journal is broken in unprivileged LXC and nspawn containers
Status in lxc package in Ubuntu:
Won't Fix
Status in systemd package in Ubuntu:
Fix Committed
Status in systemd source package in Vivid:
In Progress
Status in systemd source package in Wily:
Fix Committed
Bug description:
Test case
-------------
- Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
- Boot it. You'll get a lot of errors like

    [FAILED] Failed to start Journal Service.
    systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
    [FAILED] Failed to listen on Journal Audit Socket.

- The same happens with systemd-nspawn -b.
As a result, the journal isn't working at all, and you have a bunch of
failed journal related units.
With a fixed systemd package, systemd in the container should realize
that it cannot listen to the audit socket (as the kernel doesn't allow
that -- the audit subsystem isn't fit for namespaces right now), and
"sudo journalctl" should show the journal and systemd-journald.service
should be running. These systemd fixes are sufficient for nspawn, but
not completely for unprivileged LXC containers -- there the journal
will start working, but systemd-journald-audit.socket will still keep
failing (this is less important).
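Added example (not part of the original message and not systemd's code): a diagnostic that attempts the audit netlink multicast bind from inside a container and classifies the "Operation not permitted" result against /proc/self/uid_map. The protocol and group numbers are taken from the kernel headers; the verdict labels and the uid_map heuristic are assumptions made for this example.

```python
import errno
import socket

NETLINK_AUDIT = 9        # netlink protocol number, <linux/netlink.h>
AUDIT_NLGRP_READLOG = 1  # audit multicast group, <linux/audit.h>

def in_initial_userns(uid_map_text):
    """Heuristic: the initial user namespace maps the full ID range onto itself."""
    rows = [line.split() for line in uid_map_text.splitlines() if line.strip()]
    return rows == [["0", "0", "4294967295"]]

def probe_audit_multicast():
    """Attempt the audit multicast bind; return (ok, errno name or None)."""
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        # Netlink address is (pid, group bitmask); 0 lets the kernel pick the pid.
        sock.bind((0, 1 << (AUDIT_NLGRP_READLOG - 1)))
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def verdict(uid_map_text, probe):
    """Classify a probe result (hypothetical labels chosen for this example)."""
    ok, err = probe
    if ok:
        return "audit-available"
    if err == "EPERM" and not in_initial_userns(uid_map_text):
        return "expected-in-userns"   # the case in this bug: safe to skip audit
    if err == "EPERM":
        return "missing-capability"   # initial namespace, but no CAP_AUDIT_READ
    return "error:" + str(err)

if __name__ == "__main__":
    with open("/proc/self/uid_map") as fh:
        print(verdict(fh.read(), probe_audit_multicast()))
```

Run inside the container as root; "expected-in-userns" means the audit socket failure is the kernel restriction described in the bug rather than a misconfiguration.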