[systemd-devel] [PATCH] journal: don't complain about audit socket errors in a container.

Lennart Poettering lennart at poettering.net
Mon Apr 13 07:08:28 PDT 2015


On Sun, 12.04.15 20:51, frank.thalberg at tuta.io (frank.thalberg at tuta.io) wrote:

> This fixes an issue within journald aborting when running inside
> an archlinux container via systemd-nspawn on a debian host with an
> audit-enabled kernel.

What kind of containers are these? LXC? docker?

nspawn at least grants audit caps to containers. If you don't grant
audit caps you cannot boot distros like Fedora at all, since much of
the PAM audit code in Fedora is written to fail completely if audit is on
in the kernel, but cannot be used.

> +#ifdef HAVE_AUDIT
>           r = server_open_audit(s);
>           if (r < 0)
>                   return r;
> +#endif
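Review bot: the hunk does not address the case named in the subject line ("don't complain about audit socket errors in a container"): it only compiles the server_open_audit() call out when HAVE_AUDIT is unset, while on a build that has audit support the call site still does `return r;` on any error, so a container where the audit socket cannot be opened is handled exactly as before. If the aim is to keep journald running when the socket fails to open, the error handling around server_open_audit() has to change rather than whether it is compiled; and the #ifdef should not sit at the call site at all but in journald-audit.h, where a no-op stub for non-audit builds keeps the .c file free of conditionals.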

Hmm, excluding the audit code from the build if HAVE_AUDIT is not set
is certainly a good idea, but we generally try to keep #ifdeffery out
of .c files. More specifically, the journald-audit.c file should not
be compiled and linked at all on non-audit builds, and
journald-audit.h should contain the #ifdeffery that causes
server_open_audit() to become a NOP on such builds. Would be happy to
take a patch for that.

Lennart

-- 
Lennart Poettering, Red Hat
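The header-level arrangement described above, as an added example that is not systemd's own code: the call site in the .c file calls server_open_audit() with no conditional, and the header either declares the real function (audit build) or supplies a static inline no-op (non-audit build). The Server struct, the can_audit field, the fake descriptor value and the function names other than server_open_audit() are stand-ins chosen for illustration; the HAVE_AUDIT branch only models opening the audit socket rather than calling socket(2).

```c
/* Added example, not journald source. Shows the #ifdef living in the
 * header so that journald-server.c needs no conditional at the call site
 * and journald-audit.c can be left out of non-audit builds entirely.
 * Server, can_audit and the descriptor value 42 are assumptions. */
#include <errno.h>
#include <stdio.h>

typedef struct Server {
        int audit_fd;   /* -1 when no audit socket is open */
        int can_audit;  /* stand-in for "the audit socket can be opened here" */
} Server;

/* ---- what journald-audit.h would contain ---- */
#ifdef HAVE_AUDIT
int server_open_audit(Server *s);   /* provided by journald-audit.c */
#else
static inline int server_open_audit(Server *s) {
        (void) s;
        return 0;                   /* no audit support built in: nothing to open */
}
#endif

/* ---- what journald-audit.c would contain (compiled only with HAVE_AUDIT) ---- */
#ifdef HAVE_AUDIT
int server_open_audit(Server *s) {
        /* Model of opening the NETLINK_AUDIT socket; a real implementation
         * would call socket(2)/bind(2) and report -errno on failure. */
        if (!s->can_audit)
                return -EPERM;
        s->audit_fd = 42;           /* constructed value, not a real descriptor */
        return 0;
}
#endif

/* ---- call site in journald-server.c: no #ifdef needed ---- */
int server_init(Server *s) {
        int r;

        s->audit_fd = -1;
        r = server_open_audit(s);
        if (r < 0)
                return r;

        return 0;
}

/* Lets a caller tell which of the two header branches this build took. */
int audit_compiled_in(void) {
#ifdef HAVE_AUDIT
        return 1;
#else
        return 0;
#endif
}

int main(void) {
        Server s = { .audit_fd = -1, .can_audit = 1 };
        int r = server_init(&s);

        printf("audit compiled in: %d, server_init: %d, audit_fd: %d\n",
               audit_compiled_in(), r, s.audit_fd);
        return r < 0 ? 1 : 0;
}
```

Compile once plainly and once with `-DHAVE_AUDIT` to see the two paths; the call site in server_init() is identical in both builds, which is the point of keeping the conditional in the header.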

