[systemd-commits] README man/systemd-nspawn.xml src/nspawn

Lennart Poettering lennart at kemper.freedesktop.org
Thu May 9 15:17:46 PDT 2013


 README                 |    7 +++++++
 man/systemd-nspawn.xml |   15 +++++++++------
 src/nspawn/nspawn.c    |   19 +++++++++++++++++++
 3 files changed, 35 insertions(+), 6 deletions(-)

New commits:
commit 77b6e19458f37cfde127ec6aa9494c0ac45ad890
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri May 10 00:14:12 2013 +0200

    audit: since audit is apparently never going to be fixed for containers tell the user what's going on
    
    Let's try to be helpful to the user and give him a hint what he can do
    to make nspawn work with normal OS containers.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=893751

diff --git a/README b/README
index b8d1f42..3cd93f0 100644
--- a/README
+++ b/README
@@ -79,6 +79,13 @@ REQUIREMENTS:
           CONFIG_EFI_VARS
           CONFIG_EFI_PARTITION
 
+        Note that kernel auditing is broken when used with systemd's
+        container code. When using systemd in conjunction with
+        containers please make sure to either turn off auditing at
+        runtime using the kernel command line option "audit=0", or
+        turn it off at kernel compile time using:
+          CONFIG_AUDIT=n
+
         dbus >= 1.4.0
         libcap
         libblkid >= 2.20 (from util-linux) (optional)
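Review bot: the README note tells users how to disable auditing but not why they would want to, so a reader cannot tell whether they are affected; consider adding the symptom the man page hunk in this same commit spells out (operating systems booted in an nspawn container may refuse log-in attempts) so that the build-time `CONFIG_AUDIT=n` advice is not read as a blanket recommendation for every systemd host. Also, because the surrounding lines are a list of required kernel config options, the bare "CONFIG_AUDIT=n" at two-space indent under a prose paragraph risks being scanned as one more required option; keep it attached to the sentence, e.g. "... at kernel compile time using CONFIG_AUDIT=n."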
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index d9fb899..1bc61e8 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -142,16 +142,19 @@
                 might be necessary to add this file to the container
                 tree manually if the OS of the container is too old to
                 contain this file out-of-the-box.</para>
+        </refsect1>
+
+        <refsect1>
+                <title>Incompatibility with Auditing</title>
 
                 <para>Note that the kernel auditing subsystem is
                 currently broken when used together with
                 containers. We hence recommend turning it off entirely
-                when using <command>systemd-nspawn</command> by
-                booting with <literal>audit=0</literal> on the kernel
-                command line, or by turning it off at kernel build
-                time. If auditing is enabled in the kernel operating
-                systems booted in an nspawn container might refuse
-                log-in attempts.</para>
+                by booting with <literal>audit=0</literal> on the
+                kernel command line, or by turning it off at kernel
+                build time. If auditing is enabled in the kernel
+                operating systems booted in an nspawn container might
+                refuse log-in attempts.</para>
         </refsect1>
 
         <refsect1>
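Review bot: the rewrapped sentence still lacks a comma after "in the kernel" ("If auditing is enabled in the kernel operating systems booted in an nspawn container might refuse log-in attempts"), which makes it read as "kernel operating systems"; since these lines are being touched anyway, insert the comma. Moving the paragraph into its own <refsect1> with the title "Incompatibility with Auditing" is a good change, as the caveat becomes visible in the section list instead of being buried at the end of the preceding section.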
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 09153c8..b91b0b8 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1219,6 +1219,18 @@ finish:
         return r;
 }
 
+static bool audit_enabled(void) {
+        int fd;
+
+        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+        if (fd >= 0) {
+                close_nointr_nofail(fd);
+                return true;
+        }
+
+        return false;
+}
+
 int main(int argc, char *argv[]) {
         pid_t pid = 0;
         int r = EXIT_FAILURE, k;
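Review bot: audit_enabled() reports "disabled" for any socket() failure, not only for a kernel that lacks the NETLINK_AUDIT family; EMFILE, ENOMEM or a sandbox denial of socket() (EACCES/EPERM) would silently suppress the warning. Consider treating only errno == EPROTONOSUPPORT as "disabled" and logging other errors at debug level, and add a comment stating the assumption the check relies on, namely that creating a NETLINK_AUDIT socket fails when the kernel was booted with audit=0 or built without CONFIG_AUDIT. The hunk also adds no #include for NETLINK_AUDIT; verify that <linux/netlink.h> is already pulled in by nspawn.c, otherwise this will not build.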
@@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
+        if (audit_enabled()) {
+                log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
+                            "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
+                            "line before using systemd-nspawn. Sleeping for 5s...\n");
+                sleep(5);
+        }
+
         if (path_equal(arg_directory, "/")) {
                 log_error("Spawning container on root directory not supported.");
                 goto finish;
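Review bot: the unconditional sleep(5) delays every container start on an audit-enabled kernel, including non-interactive invocations from scripts and unit files where nobody reads the warning; consider skipping the delay when stderr is not a terminal, or making it overridable, and say in the man page that the delay exists. The message also offers only 'audit=0', while the README hunk additionally documents CONFIG_AUDIT=n, so the two should agree. Style: the trailing "\n" on "line before using systemd-nspawn. Sleeping for 5s...\n" is inconsistent with the other log calls in this function (log_error("Spawning container on root directory not supported.") has none) and will most likely print an extra blank line after the warning.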


