[systemd-devel] Improving systemd-nspawn@.service (container dir/nonpersistent journal)

Lennart Poettering lennart at poettering.net
Thu Nov 20 03:29:23 PST 2014


On Thu, 20.11.14 10:32, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Hello all,

heya,

> we just got a bug report [1] about the systemd-nspawn@.service not
> working very well by default:
> 
> First, /var/lib/containers/ does not exist by default. To guard
> against information leaks or hard link attacks by users, this
> directory should be 0700 by default. LXC does the same (/var/lib/lxc
> is 0700 for these reasons). What do you think about adding
> 
>     d /var/lib/containers 0700 - - -
> 
> to tmpfiles.d/var.conf? I can also add this to the Debian tmpfiles.d
> file, but it's not really Debian specific.

Sounds reasonable. But first, can you elaborate on the reason for 0700
rather than 0755?

> Second, systemd-nspawn@.service uses --link-journal=guest. If you
> don't have a persistent journal, and /var/log/journal/ does not exist,
> then containers fail to start in a rather unfriendly way:
> 
>   Spawning container c on /tmp/c.
>   Press ^] three times within 1s to kill container.
>   Container c failed with error code 1.
> 
> I.e. they don't tell you what's wrong. (SYSTEMD_LOG_LEVEL=debug
> doesn't help at all). But --link-journal=auto isn't right either as
> this then won't create the /var/log/journal/<machineid> symlink if you
> do have a persistent journal.
> 
> I don't quite like creating /var/log/journal by default in the
> package, as that would create persistent journals on the host (for the
> guests) even though the admin disabled/didn't enable persistent
> journalling.
> 
>  - Option 1: Change the unit to use "guest" if /var/log/journal
>    exists, and not use --link-journal at all if it doesn't. (This
>    can't be directly expressed on the nspawn CLI, thus would need some
>    Exec=/bin/sh -c 'if [ -d ... ]' shell commands)
> 
>  - Option 2: Make --link-journal=guest nonfatal and just print out a
>    warning if /var/log/journal/ does not exist.
> 
>  - Any others?

Hmm, another option would be to introduce --link-journal=try-guest
which is identical to --link-journal=guest except that it becomes a
NOP if /var/log/journal doesn't exist and doesn't even generate an
error or warning. Then, we could change "-j" to mean
--link-journal=try-guest and make that the default to use in the unit
file. I think that would be the best option really.

Lennart

-- 
Lennart Poettering, Red Hat
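The two fixes discussed in this thread, the 0700 container directory and a "try-guest" journal link that silently becomes a no-op when the host has no persistent journal, can both be emulated from a wrapper today. The following POSIX sh script is an added example and is not code from the thread or from systemd; it assumes the unit's ExecStart looks like "systemd-nspawn --quiet --keep-unit --boot --directory=/var/lib/containers/<name>", takes every path as a parameter so it can be exercised against temporary directories, and uses GNU stat (-c '%a') to report the resulting mode.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the proposed
# --link-journal=try-guest behaviour in a wrapper, as Martin's Option 1
# describes, and create the container parent directory with the 0700
# mode proposed for tmpfiles.d. All paths are parameters; the defaults
# are the ones discussed in the thread.

# Print the --link-journal argument to pass to nspawn: "guest" only when
# the host actually keeps a persistent journal directory, otherwise an
# empty string (no flag, no error, no warning).
link_journal_arg() {
    journal_dir="${1:-/var/log/journal}"
    if [ -d "$journal_dir" ]; then
        printf '%s\n' "--link-journal=guest"
    else
        printf '%s\n' ""
    fi
}

# Create the container parent directory with mode 0700, which is what the
# proposed line "d /var/lib/containers 0700 - - -" would do at boot.
# Prints the resulting permission bits so the caller can verify them.
ensure_container_dir() {
    dir="${1:-/var/lib/containers}"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    stat -c '%a' "$dir"   # GNU stat; prints e.g. 700
}

# Assemble the nspawn command line for one container, mirroring the
# assumed unit ExecStart, and print it rather than executing it.
# Layout assumed: <containers>/<name> holds the container root.
build_nspawn_cmd() {
    name="$1"
    containers="${2:-/var/lib/containers}"
    journal_dir="${3:-/var/log/journal}"
    jarg="$(link_journal_arg "$journal_dir")"
    set -- systemd-nspawn --quiet --keep-unit --boot \
        --directory="$containers/$name"
    if [ -n "$jarg" ]; then
        set -- "$@" "$jarg"
    fi
    printf '%s\n' "$*"
}
```

Run as "build_nspawn_cmd c" on a host without /var/log/journal and the printed command carries no --link-journal flag at all, which is exactly the failure mode quoted above ("Container c failed with error code 1") that --link-journal=guest would otherwise produce; on a host with a persistent journal the flag is added back so the /var/log/journal/<machineid> symlink still gets created.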
