path: root/units/systemd-nspawn@.service.in

Commit log, most recent first. Each entry gives the subject, then author, date, number of files touched and lines removed/added, followed by the commit message.
* units: drop full paths for utilities in $PATH (Zbigniew Jędrzejewski-Szmek, 2020-01-20, 1 file, -1/+1)

  This makes things a bit simpler and the build a bit faster, because we don't have to rewrite files to do the trivial substitution. @rootbindir@ is always in our internal $PATH that we use for non-absolute paths, so there should be no functional change.
* units: Split modprobing out into a separate service unit (Iain Lane, 2020-01-07, 1 file, -2/+2)

  Devices referred to by `DeviceAllow=` sandboxing are resolved into their corresponding major numbers when the unit is loaded by looking at `/proc/devices`. If a reference is made to a device which is not yet available, the `DeviceAllow` is ignored and the unit's processes cannot access that device.

  In both logind and nspawn, we have `DeviceAllow=` lines, and `modprobe` in `ExecStartPre=` to load some kernel modules. Those kernel modules cause device nodes to become available when they are loaded: the device nodes may not exist when the unit itself is loaded. This means that the unit's processes will not be able to access the device since the `DeviceAllow=` will have been resolved earlier and denied it.

  One way to fix this would be to re-evaluate the available devices and re-apply the policy to the cgroup, but this cannot work atomically on cgroupsv1. So we fall back to a second approach: instead of running `modprobe` via `ExecStartPre`, we move this out to a separate unit and order it before the units which want the module.

  Closes #14322. Fixes: #13943.
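As an added illustration of the ordering problem the message above describes, here is a before/after sketch of the unit layout (this is example configuration written for this page, not the systemd repository's own unit files). The module name `EXAMPLE_MODULE`, the device path `/dev/EXAMPLE_DEVICE` and the helper unit name `example-modprobe.service` are placeholders; systemd does not allow trailing comments after a value, so every comment sits on its own line.

```ini
# --- Before: fragile layout ---
# Sketch of a consumer unit that loads a module from ExecStartPre=.
# DeviceAllow= is resolved against /proc/devices when the unit is
# loaded, which happens before ExecStartPre= runs. If the module has
# not been loaded yet, the device's major number is unknown and the
# allow entry is silently dropped, so the service cannot use the device.
[Service]
ExecStartPre=modprobe EXAMPLE_MODULE
DeviceAllow=/dev/EXAMPLE_DEVICE rw

# --- After: separate oneshot unit ordered before the consumer ---
# example-modprobe.service (hypothetical name): loads the module early.
[Unit]
Description=Load EXAMPLE_MODULE before units that whitelist its devices
DefaultDependencies=no
Before=systemd-nspawn@.service

[Service]
Type=oneshot
ExecStart=modprobe EXAMPLE_MODULE

# Consumer unit (sketch): pull in the helper and wait for it, so the
# device node exists by the time this unit's device policy is applied.
[Unit]
Requires=example-modprobe.service
After=example-modprobe.service

[Service]
DeviceAllow=/dev/EXAMPLE_DEVICE rw
```

A useful check after such a change is to confirm that the intended device is actually reachable from a process inside the unit's cgroup, rather than trusting that the `DeviceAllow=` line is present in the file: the failure mode here is a silently ignored entry, not a load error.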
* meson: allow WatchdogSec= in services to be configured (Zbigniew Jędrzejewski-Szmek, 2019-10-25, 1 file, -1/+1)

  As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive.

  This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculously high value, maybe 1h, to catch cases where a service is actually hanging.

  [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* nspawn: explicitly load units beforehand so that DeviceAllow= syntax works (Lennart Poettering, 2019-07-23, 1 file, -0/+2)

  Yuck, but I don't see any prettier solution.

  Fixes: #13130
* nspawn: turn on watchdog logic for nspawn too (Lennart Poettering, 2017-12-07, 1 file, -0/+1)

  It's a long-running daemon, and it's easy to enable, hence do it.
* Add SPDX license headers to unit files (Zbigniew Jędrzejewski-Szmek, 2017-11-19, 1 file, -0/+2)
* units: include DM devices in DeviceAllow for systemd-nspawn@.service (Lennart Poettering, 2017-08-29, 1 file, -5/+10)

  We need it to make LUKS devices work.

  Fixes: #6525
* systemd-nspawn@.service: start after /var/lib/machines is mounted (#6079) (Josef Gajdusek, 2017-06-06, 1 file, -0/+1)

  This fixes a race condition during boot, where an nspawn container would start before /var/lib/machines got mounted resulting in a failure.
* units: order systemd-nspawn@.service after systemd-resolved.service (Lennart Poettering, 2017-02-17, 1 file, -1/+1)

  This way, the nspawn internal check whether resolved is running will succeed if it is enabled.

  Fixes: #4649
* Introduce '## ' as internal comment prefix in .in files and filter out a comment (#5289) (Zbigniew Jędrzejewski-Szmek, 2017-02-09, 1 file, -3/+3)

  Sometimes we have comments which don't make sense outside of the systemd codebase, so let's filter them out from the user-visible files.

  Fixes #5286.
* nspawn: set DevicesPolicy closed and clean up duplicated devices (Alessandro Puccetti, 2016-07-22, 1 file, -10/+1)
* Merge pull request #3764 from poettering/assorted-stuff-2 (Martin Pitt, 2016-07-22, 1 file, -1/+1)

  Assorted fixes

  * units: fix TasksMax=16384 for systemd-nspawn@.service (Lennart Poettering, 2016-07-20, 1 file, -1/+1; merged via #3764)

    When a container scope is allocated via machined it gets 16K set already since cf7d1a30e44bf380027a2e73f9bf13f423a33cc1. Make sure when a container is run as system service it gets the same values.

* nspawn: enable major=0/minor=0 devices inside the container (#3773) (Alessandro Puccetti, 2016-07-21, 1 file, -0/+2)

  https://github.com/systemd/systemd/pull/3685 introduced /run/systemd/inaccessible/{chr,blk} to map inaccessible devices, this patch allows systemd running inside a nspawn container to create /run/systemd/inaccessible/{chr,blk}.
* units: turn on user namespace by default in systemd-nspawn@.service (Lennart Poettering, 2016-04-25, 1 file, -1/+1)

  Now that user namespacing is supported in a pretty automatic way, actually turn it on by default if the systemd-nspawn@.service template is used.
* Don't escape the name of the container in instances of (Elias Probst, 2016-02-26, 1 file, -2/+2)

  When using `%I` for instances of `systemd-nspawn@.service`, the result will be `systemd-nspawn` trying to launch a container named e.g. `fedora/23` instead of `fedora-23`. Using `%i` instead prevents escaping `-` in a container name and uses the unmodified container name from the machine store.
* nspawn: set TasksMax= for containers to 8192 by default (Lennart Poettering, 2015-11-16, 1 file, -0/+1)
* units: also whitelist "blkext" block devices for nspawn service (Lennart Poettering, 2015-10-22, 1 file, -0/+1)

  /dev/loop*p* block devices are of the "blkext" subsystem, not of loop, hence whitelist this too.

  Fixes #1446
* nspawn: fix --image= when nspawn is run as service (Lennart Poettering, 2015-10-03, 1 file, -0/+5)

  nspawn needs access to /dev/loop to implement --image=, hence grant that in the service file.

  Fixes #1446.
* units: make sure that .nspawn files override the default settings in systemd-nspawn@.service (Lennart Poettering, 2015-09-06, 1 file, -1/+1)
* units: make sure systemd-nspawn@.slice instances are actually located in machine.slice (Lennart Poettering, 2015-05-19, 1 file, -0/+1)

  https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX
* units: order nspawn containers after network.target (Lennart Poettering, 2015-05-11, 1 file, -0/+1)

  This way we know that any bridges and other user-created network devices are in place, and can be properly added to the container. In the long run this should be dropped, and replaced by direct calls inside nspawn that cause the devices to be created when necessary.
* nspawn: make sure we install the device policy if nspawn is run as unit as on the command line (Lennart Poettering, 2015-04-28, 1 file, -0/+14)
* units: turn on --network-veth by default for systemd-nspawn@.service (Lennart Poettering, 2015-02-13, 1 file, -1/+1)

  Given the recent improvements in networkd, it's probably the better default now.
* units: rework systemd-nspawn@.service unit (Lennart Poettering, 2014-12-29, 1 file, -3/+5)

  - Unescape instance name so that we can take almost anything as instance name.
  - Introduce "machines.target" which consists of all enabled nspawns and can be used to start/stop them altogether
  - Look for container directory using -M instead of hardcoding the path in /var/lib/container
* nspawn: Add try-{host,guest} journal link modes (Martin Pitt, 2014-11-21, 1 file, -1/+1)

  --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out.

  Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup.

  Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before).

  Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing.

  https://bugs.debian.org/770275
* core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies (Lennart Poettering, 2014-11-05, 1 file, -0/+1)

  For privileged units this resource control property ensures that the processes have all controllers systemd manages enabled. For unprivileged services (those with User= set) this ensures that access rights to the service cgroup is granted to the user in question, to create further subgroups. Note that this only applies to the name=systemd hierarchy though, as access to other controllers is not safe for unprivileged processes.

  Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers.

  Delegate=yes should also be set for user@.service, so that systemd --user can run, controlling its own cgroup tree.

  This commit changes machined, systemd-nspawn@.service and user@.service to set this boolean, in order to ensure that container management will just work, and the user systemd instance can run fine.
* nspawn: when running in a service unit, use systemd for restarts (Lennart Poettering, 2014-07-03, 1 file, -0/+2)

  This way we can remove cgroup privileges after setup, but get them back for the next restart, as we need it.
* units: use KillMode=mixed for systemd-nspawn@.service (Jonathan Liu, 2014-05-30, 1 file, -0/+1)

  This causes the container to shut down cleanly when the service is stopped.
* units: make use of nspawn's --keep-unit switch in systemd-nspawn@.service (Lennart Poettering, 2014-02-11, 1 file, -1/+1)
* man,units: fix installation of systemd-nspawn@.service and add example (Zbigniew Jędrzejewski-Szmek, 2013-11-09, 1 file, -1/+1)
* nspawn: update unit file (Lennart Poettering, 2013-09-17, 1 file, -1/+0)

  ControlGroup= is obsolete, so let's drop it from the default nspawn unit file.
* units: add an easy-to-use unit template file systemd-nspawn@.service for running containers as system services (Lennart Poettering, 2013-04-30, 1 file, -0/+18)