<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - sdnotify-proxy in systemd-nspawn"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=89844">89844</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>sdnotify-proxy in systemd-nspawn
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>alban.crequy@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>When an application is started in a container with systemd-nspawn, the
application cannot just call sd_notify() [1] from the container to notify
systemd on the host because:

1. the processes in the container will be in a different cgroup than the
process executing systemd-nspawn. I think even NotifyAccess=all will not work. 

2. if the container uses a new network namespace, the notify socket will not
work if it uses an abstract unix socket. A file socket will also not work
because the container does not have access to the file socket on the host.
Systemd uses either an abstract unix socket or a unix socket file, depending on
its version [4].

Flannel would need that. To work around this problem, flanneld.service [2] bind
mounts a proxy socket file and uses sdnotify-proxy [3] to proxy it. It is using
Docker today but it is the same problem with systemd-nspawn. It would be nice
if systemd-nspawn made sd_notify easier to use.

[1] sd_notify
<a href="http://www.freedesktop.org/software/systemd/man/sd_notify.html">http://www.freedesktop.org/software/systemd/man/sd_notify.html</a>
[2] flanneld.service
<a href="https://github.com/coreos/coreos-overlay/blob/master/app-admin/flannel/files/flanneld.service">https://github.com/coreos/coreos-overlay/blob/master/app-admin/flannel/files/flanneld.service</a>
[3] sdnotify-proxy
<a href="https://github.com/coreos/sdnotify-proxy">https://github.com/coreos/sdnotify-proxy</a>
[4] socket types
<a href="http://lists.freedesktop.org/archives/systemd-devel/2014-December/026129.html">http://lists.freedesktop.org/archives/systemd-devel/2014-December/026129.html</a>
<a href="http://lists.freedesktop.org/archives/systemd-devel/2015-March/029096.html">http://lists.freedesktop.org/archives/systemd-devel/2015-March/029096.html</a></pre>
        </div>
      </p>
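<p>A minimal form of the proxy approach the report describes, written here as an added example (not the sdnotify-proxy project's own code): it binds a socket file that can be bind-mounted into the container, relays each sd_notify datagram to the host's NOTIFY_SOCKET (abstract or file-based, per the socket-type distinction above), and, as an assumption beyond the report, forwards only a small allow-list of keys so a container cannot inject fields such as MAINPID= into the host's service manager. The allow-list, function names and paths are assumptions.</p>

```python
import os
import socket

# Assumed allow-list (not from the bug report): only relay the harmless
# notification keys; MAINPID=, FDSTORE= and the like are dropped.
ALLOWED_KEYS = {"READY", "RELOADING", "STOPPING", "STATUS", "WATCHDOG"}


def resolve_notify_socket(notify_socket: str) -> str:
    """Map a NOTIFY_SOCKET value to a sendto() address.

    systemd uses either an abstract socket (spelled with a leading '@',
    which is really a NUL byte) or a socket file, depending on version.
    """
    if notify_socket.startswith("@"):
        return "\0" + notify_socket[1:]
    return notify_socket


def filter_message(payload: bytes) -> bytes:
    """Keep only the newline-separated KEY=VALUE lines whose KEY is allowed."""
    kept = []
    for line in payload.split(b"\n"):
        if not line:
            continue
        key, sep, _ = line.partition(b"=")
        if sep and key.decode("ascii", "replace") in ALLOWED_KEYS:
            kept.append(line)
    return b"\n".join(kept) + (b"\n" if kept else b"")


def open_proxy_socket(proxy_path: str) -> socket.socket:
    """Bind the datagram socket file that gets bind-mounted into the container."""
    if os.path.exists(proxy_path):
        os.unlink(proxy_path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(proxy_path)
    return sock


def forward_one(proxy_sock: socket.socket, notify_socket: str) -> bytes:
    """Receive one sd_notify datagram on the proxy socket and relay the
    filtered lines to the host's NOTIFY_SOCKET; returns what was relayed."""
    payload, _ = proxy_sock.recvfrom(4096)
    msg = filter_message(payload)
    if msg:
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as out:
            out.sendto(msg, resolve_notify_socket(notify_socket))
    return msg
```

<p>In the container, the application is started with NOTIFY_SOCKET pointing at the bind-mounted proxy path, and the proxy loops over forward_one() on the host side.</p>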
    </body>
</html>