[systemd-devel] Unable to remove images using machinectl

Lennart Poettering lennart at poettering.net
Sun Mar 8 15:57:51 PDT 2015


On Tue, 03.03.15 14:22, Erik Johnson (erik at saltstack.com) wrote:

> On Mon, Mar 02, 2015 at 11:01:44PM +0100, Lennart Poettering wrote:
> >On Mon, 02.03.15 14:10, Erik Johnson (erik at saltstack.com) wrote:
> >
> >>On Mon, Mar 02, 2015 at 07:51:35PM +0100, Lennart Poettering wrote:
> >>>On Mon, 02.03.15 11:06, Erik Johnson (erik at saltstack.com) wrote:
> >>>
> >>>>I'm getting a similar error to the one described in the following post
> >>>>from a couple weeks ago:
> >>>>
> >>>>https://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg28255.html
> >>>>
> >>>>I get an "access denied" error when running machinectl remove, even as
> >>>>root.
> >>>
> >>>This was a bug in the dbus policy. It should be fixed with this commit:
> >>>
> >>>http://cgit.freedesktop.org/systemd/systemd/commit/src/machine/org.freedesktop.machine1.conf?id=72c3897f77a7352618ea76b880a6764f52d6327b
> >>>
> >>>Lennart
> >>>
> >>>--
> >>>Lennart Poettering, Red Hat
> >>
> >>
> >>Thanks. I applied the patch, restarted dbus, and now I get the
> >>following after a 20-30 second pause:
> >>
> >>Could not remove image: Activation of org.freedesktop.machine1 timed out
> >
> >dbus is not a service that cannot be restarted during normal
> >operation. This is a well-known limitation of dbus. Reloading
> >configuration should be sufficient.
> >
> >You probably need to reboot now to get back to a working system...
> >
> >Lennart
> >
> >-- 
> >Lennart Poettering, Red Hat
> 
> 
> OK. After rebooting, it's still not working. Were the necessary changes
> limited to that one commit?

Oh, umm, so there are actually more changes necessary: machined lacked
the right caps to execute the deletion ioctl.

Changing the CapabilityBoundingSet= line in systemd-machined to this
should make this work:

CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE

Lennart

-- 
Lennart Poettering, Red Hat
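One way to verify the fix on a running system, as an added example that is not from the thread or from systemd itself: read the CapBnd mask from /proc/<pid>/status and check that every capability in the CapabilityBoundingSet= line above is present. The status text below is constructed; the capability bit numbers are the kernel's from linux/capability.h.

```python
# Added example (not from the thread): check whether a machined process's
# capability bounding set, as reported in /proc/<pid>/status, contains every
# capability from the CapabilityBoundingSet= line in Lennart's message.
import re

# Capability bit numbers from linux/capability.h.
CAP_BITS = {
    "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2, "CAP_KILL": 5,
    "CAP_SETGID": 6, "CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
}

# The set the message says systemd-machined needs for image removal.
REQUIRED = frozenset(CAP_BITS)

def cap_bnd_mask(status_text):
    """Return the CapBnd hex mask from /proc/<pid>/status text as an int."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return int(m.group(1), 16)

def present_caps(status_text, names=CAP_BITS):
    """Names from `names` whose bit is set in the bounding set."""
    mask = cap_bnd_mask(status_text)
    return {name for name, bit in names.items() if mask & (1 << bit)}

def missing_caps(status_text):
    """Required capabilities absent from the bounding set (empty list = OK)."""
    return sorted(REQUIRED - present_caps(status_text))

# Constructed samples: a bounding set with everything except CAP_DAC_OVERRIDE
# (bits 2,5,6,18,19,21 -> 0x2c0064), and the same set with it added (0x2c0066).
# On a real host: cat /proc/$(pidof systemd-machined)/status
OLD_STATUS = "Name:\tsystemd-machine\nCapBnd:\t00000000002c0064\n"
NEW_STATUS = "Name:\tsystemd-machine\nCapBnd:\t00000000002c0066\n"

if __name__ == "__main__":
    for label, text in (("before", OLD_STATUS), ("after", NEW_STATUS)):
        print(label, "missing:", missing_caps(text) or "none")
```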
