touch-packages team mailing list archive

Thread
Date

[Bug 1457054] Re: journal is broken in unprivileged LXC and nspawn containers

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1457054@xxxxxxxxxxxxxxxxxx>
Date: Wed, 10 Jun 2015 18:21:30 -0000
Reply-to: Bug 1457054 <1457054@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package systemd - 219-7ubuntu6

---------------
systemd (219-7ubuntu6) vivid; urgency=medium

  * Fix assertion crash with empty Exec*= paths. (LP: #1454173)
  * systemd-fsckd autopkgtest: Stop assuming that
    /etc/default/grub.d/90-autopkgtest.cfg exists.
  * systemd-fsckd autopkgtest: Add missing plymouth test dependency.
  * debian/tests/boot-smoke: Allow 10 seconds for systemd jobs to settle down.
  * Fix "tentative" state of devices which are not in /dev (mostly in
    containers), and avoid overzealous cleanup unmounting of mounts from them.
    (LP: #1444402)
  * journal: Gracefully handle failure to bind to audit socket, which is known
    to fail in namespaces (containers) with current kernels. Also
    conditionalize systemd-journald-audit.socket on CAP_AUDIT_READ.
    (LP: #1457054)
  * Add sigpwr-container-shutdown.service: Power off when receiving SIGPWR in
    a container. This makes lxc-stop work for systemd containers.
    (LP: #1457321)

 -- Martin Pitt <martin.pitt@xxxxxxxxxx>  Thu, 21 May 2015 14:47:46
+0200

** Changed in: systemd (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1457054

Title:
  journal is broken in unprivileged LXC and nspawn containers

Status in lxc package in Ubuntu:
  Won't Fix
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Vivid:
  Fix Released
Status in systemd source package in Wily:
  Fix Released

Bug description:
  Test case
  -------------
  - Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
  - Boot it. You'll get a lot of errors like

    [FAILED] Failed to start Journal Service.
    systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
    [FAILED] Failed to listen on Journal Audit Socket.

  - The same happens with systemd-nspawn -b.

  As a result, the journal isn't working at all, and you have a bunch of
  failed journal related units.

  With a fixed systemd package, systemd in the container should realize
  that it cannot listen to the audit socket (as the kernel doesn't allow
  that -- the audit subsystem isn't fit for namespaces right now), and
  "sudo journalctl" should show the journal and systemd-journald.service
  should be running. These systemd fixes are sufficient for nspawn, but
  not completely for unprivileged LXC containers -- there the journal
  will start working, but systemd-journald-audit.socket will still keep
  failing (this is less important)

  REGRESSION POTENTIAL: Very low. This only affects the fallback error
  code path if binding to the audit socket failed. In that case the
  journal is currently not working at all. This usually doesn't happen
  on real iron/VMs (they also always CAP_AUDIT_READ), so there is no
  practical change there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1457054/+subscriptions

References

[Bug 1457054] [NEW] journal is broken in unprivileged LXC and nspawn containers
From: Martin Pitt, 2015-05-20