
touch-packages team mailing list archive

[Bug 1457054] Re: journal is broken in unprivileged LXC and nspawn containers


This bug was fixed in the package systemd - 219-10ubuntu1

---------------
systemd (219-10ubuntu1) wily; urgency=medium

  * Merge with Debian experimental branch. Remaining Ubuntu changes:
    - Hack to support system-image read-only /etc, and modify files in
      /etc/writable/ instead.
    - Keep our much simpler udev maintainer scripts (all platforms must
      support udev, no debconf).
    - initramfs init-top: Drop $ROOTDELAY, we do that in a more sensible way
      with wait-for-root. Will get applicable to Debian once Debian gets
      wait-for-root in initramfs-tools.
    - initramfs init-bottom: If LVM is installed, settle udev,
      otherwise we get missing LV symlinks. Workaround for LP #1185394.
    - Add debian/udev.lvm2.init: Dummy SysV init script to satisfy insserv
      dependencies to "lvm2" which is handled with udev rules in Ubuntu.
    - Add debian/udev.lvm2.service to avoid running the dummy lvm2 init
      script.
    - Provide shutdown fallback for upstart. (LP: #1370329)
    - debian/extra/ifup@.service: Additionally run for "auto" class. We don't
      really support "allow-hotplug" in Ubuntu at the moment, so we need to
      deal with "auto" devices appearing after "/etc/init.d/networking start"
      already ran. (LP: #1374521) Also run ifup in the background during boot,
      to avoid blocking network.target. (LP: #1425376)
    - ifup@.service: Drop dependency on networking.service (i. e.
      /etc/init.d/networking), and merely ensure that /run/network exists.
      This avoids unnecessary dependencies/waiting during boot and dependency
      cycles if hooks wait for other interfaces to come up (like ifenslave
      with bonding interfaces). (LP: #1414544)
    - Add Get-RTC-is-in-local-time-setting-from-etc-default-rc.patch: In
      Ubuntu we currently keep the setting whether the RTC is in local or UTC
      time in /etc/default/rcS "UTC=yes|no", instead of /etc/adjtime.
      (LP: #1377258)
    - Put session scopes into all cgroup controllers. This makes unprivileged
      user LXC containers work under systemd. (LP: #1346734)
    - systemctl: Don't forward telinit u to upstart. This works around
      upstart's Restart() always reexec'ing /sbin/init on Restart(), even if
      that changes to point to systemd during the upgrade. This avoids running
      systemd during a dist-upgrade. (LP: #1430479)
    - Drop hwdb-update dependency from udev-trigger.service, which got
      introduced in v219-stable. This causes udev and plymouth to start too
      late and isn't really needed in Ubuntu yet as we don't support stateless
      systems yet and handle hwdb.bin updates through dpkg triggers. This can
      be dropped again with initramfs-tools 0.117.
    - Lower Breaks: to plymouth version which has the udev inotify fix in
      Ubuntu.
    - Lower libapparmor dep to the Ubuntu version where it moved to /lib.
    - Lower apparmor Breaks: to the Ubuntu version that dropped $remote_fs.
    - Change systemd-sysv's conflicts to upstart-sysv. (LP: #1422681)
    - Make failure of boot-and-services NSpawn.test_boot non-fatal for now.
      This currently fails when being triggered by Jenkins, but is totally
      unreproducible when running this manually on the exact same machine.

    Upgrade fixes, keep until 16.04 LTS release:
    - systemd Conflicts/Replaces/Provides systemd-services.
    - Remove obsolete systemd-logind upstart job.
    - Clean up obsolete /etc/udev/rules.d/README.

systemd (219-10) experimental; urgency=medium

  * Fix assertion crash with empty Exec*= paths. (LP: #1454173)
  * Drop Avoid-reload-and-re-start-requests-during-early-boot.patch
    and Avoid-reloading-services-when-shutting-down.patch: This was fixed more
    robustly in invoke-rc.d and service now, see #777113.
  * debian/tests/boot-smoke: Allow 10 seconds for systemd jobs to settle down.
  * Fix "tentative" state of devices which are not in /dev (mostly in
    containers), and avoid overzealous cleanup unmounting of mounts from them.
    (LP: #1444402)
  * debian/extra/udev-helpers/net.agent: Eliminate cat and most grep calls.
  * Drop Set-default-polling-interval-on-removable-devices-as.patch; it's long
    obsolete, CD ejection with the hardware button works properly without it.
  * Re-enable-journal-forwarding-to-syslog.patch: Update patch description,
    journal.conf.d/ exists now.
  * journal: Gracefully handle failure to bind to audit socket, which is known
    to fail in namespaces (containers) with current kernels. Also
    conditionalize systemd-journald-audit.socket on CAP_AUDIT_READ.
    (LP: #1457054)
  * Put back *.agent scripts and use net.agent in Ubuntu. This fixes escaping
    of unit names, reduces the delta, and will make it easier to get a common
    solution for integrating ifup.d/ scripts with networkd.
  * When booting with "quiet", run the initramfs' udevd with "notice" log
    level. (LP: #1432171)
  * Add sigpwr-container-shutdown.service: Power off when receiving SIGPWR in
    a container. This makes lxc-stop work for systemd containers.
    (LP: #1457321)
  * write_net_rules: Escape '{' and '}' characters as well, to make this work
    with busybox grep. Thanks Faidon Liambotis! (Closes: #765577)

 -- Martin Pitt <martin.pitt@xxxxxxxxxx>  Thu, 21 May 2015 11:24:52 +0200

** Changed in: systemd (Ubuntu Wily)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1457054

Title:
  journal is broken in unprivileged LXC and nspawn containers

Status in lxc package in Ubuntu:
  Won't Fix
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Vivid:
  In Progress
Status in systemd source package in Wily:
  Fix Released

Bug description:
  Test case
  -------------
  - Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
  - Boot it. You'll get a lot of errors like

    [FAILED] Failed to start Journal Service.
    systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
    [FAILED] Failed to listen on Journal Audit Socket.

  - The same happens with systemd-nspawn -b.

  As a result, the journal isn't working at all, and you have a bunch of
  failed journal related units.

  With a fixed systemd package, systemd in the container should realize
  that it cannot listen to the audit socket (as the kernel doesn't allow
  that -- the audit subsystem isn't fit for namespaces right now), and
  "sudo journalctl" should show the journal and systemd-journald.service
  should be running. These systemd fixes are sufficient for nspawn, but
  not completely for unprivileged LXC containers -- there the journal
  will start working, but systemd-journald-audit.socket will still keep
  failing (this is less important).

  REGRESSION POTENTIAL: Very low. This only affects the fallback error
  code path if binding to the audit socket failed. In that case the
  journal is currently not working at all. This usually doesn't happen
  on real iron/VMs (they also always have CAP_AUDIT_READ), so there is no
  practical change there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1457054/+subscriptions
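An added example, not code from the bug report or from the systemd package, of the capability check the fix describes. systemd expresses such a condition with ConditionCapability=, which tests whether the named capability is in the service manager's capability bounding set. The script below reads the CapBnd mask from a /proc/<pid>/status dump and reports whether systemd-journald-audit.socket would be started or skipped under a ConditionCapability=CAP_AUDIT_READ condition. Both status dumps are constructed: 0000003fffffffff is the full 38-capability set of a kernel where CAP_AUDIT_READ (bit 37) is the highest capability, and the second mask is a reduced set without it. The function names are this example's own.

```bash
#!/bin/bash
# Added example: emulate ConditionCapability=CAP_AUDIT_READ by testing the
# capability bounding set (CapBnd) of a process, as read from /proc/<pid>/status.
# CAP_AUDIT_READ is capability number 37 in the Linux numbering.

CAP_AUDIT_READ=37

# has_cap MASK_HEX BIT -> exit 0 if bit BIT is set in the hexadecimal mask
has_cap() {
  local mask="$1" bit="$2"
  [ $(( 0x$mask >> bit & 1 )) -eq 1 ]
}

# cap_bnd_from_status STATUS_TEXT -> prints the CapBnd hex value from a status dump
cap_bnd_from_status() {
  printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2 }'
}

# journald_audit_verdict STATUS_TEXT -> "start" if CAP_AUDIT_READ is in the
# bounding set (the unit's condition passes), "skip" otherwise
journald_audit_verdict() {
  local bnd
  bnd=$(cap_bnd_from_status "$1")
  if has_cap "$bnd" "$CAP_AUDIT_READ"; then
    echo start
  else
    echo skip
  fi
}

# Constructed status dumps (only the lines the check needs).
# Full set on a kernel whose highest capability is CAP_AUDIT_READ (bit 37).
HOST_STATUS="Name: systemd
CapBnd: 0000003fffffffff"
# Reduced set without bit 37, as a container runtime might grant.
CONTAINER_STATUS="Name: systemd
CapBnd: 00000000a80425fb"

# When run directly, report the verdict for the running shell itself.
if [ -r /proc/self/status ]; then
  printf 'this process: %s\n' "$(journald_audit_verdict "$(cat /proc/self/status)")"
fi
```

Passing the condition is necessary but not sufficient: the bug report notes that in unprivileged LXC containers the capability can be present and the bind still fails with "Operation not permitted", which is why the journald side of the fix has to tolerate the failed bind rather than rely on the unit condition alone.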

