[systemd-devel] [PATCH] audit: Fix journal failing on unsupported audit in containers [was: journal: don't complain about audit socket errors in a container.]

Martin Pitt martin.pitt at ubuntu.com
Wed May 20 04:53:26 PDT 2015


Hello Frank and systemd devs,

frank.thalberg at tuta.io [2015-04-12 20:51 +0000]:
> This fixes an issue within journald aborting when running inside
> archlinux container via systemd-nspawn on a debian host with audit
> enabled kernel.

We have exactly the same problem with both standard nspawn as well as
user LXC containers. This completely breaks journalling in containers
and also prints a lot of error messages.

Using audit=0 on the host is not satisfying, though:

 - It's hard to discover
 - There is no reason to disable audit support on the host when all
   you need to do is to unbreak containers and disable auditing there.
 - We don't want admins to create static configs which are (1)
   always the same workaround everywhere, and (2) become obsolete once
   the kernel is fixed.

So I'd rather have a dynamic solution. Your patch works, but I don't
like it that much:

> +                        if (errno == EPERM && detect_container(NULL) > 0) {
> +                                log_debug("Audit not supported in 
> containers.");
> +                                return 0;
> +                        }
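Review bot: the condition `errno == EPERM && detect_container(NULL) > 0` proves only that the audit socket call returned EPERM inside a container, yet the message asserts "Audit not supported in containers" and the error is discarded without recording errno; a host or future kernel that surfaces audit unavailability with a different errno, or a container where EPERM has another cause, is not distinguished. Log the errno (for example via `log_debug_errno(errno, ...)`) and key the fallback on the failure itself rather than on container detection. Also note the string literal is wrapped across two lines in the quoted mail; make sure the real patch keeps it on one line or uses adjacent literal concatenation so it compiles.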

The detect_container() check is not really related to the question
"does audit work". It's certainly that way today, but future kernels
might change this.

> --- a/src/journal/journald-server.c
> +++ b/src/journal/journald-server.c
> @@ -1585,9 +1585,11 @@ int server_init(Server *s) {
>           if (r < 0)
>                   return r;
> 
> +#ifdef HAVE_AUDIT
>           r = server_open_audit(s);
>           if (r < 0)
>                   return r;
> +#endif
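Review bot: wrapping only the `server_open_audit(s)` call in `#ifdef HAVE_AUDIT` turns audit support into a build-time decision for the whole package, and nothing in this hunk shows a matching guard on the definition or declaration of `server_open_audit()`, so an audit-less build may end up with an unused function or a dangling prototype. Prefer keeping the call unconditional and having `server_open_audit()` return 0 when the runtime check finds audit unavailable, which keeps `if (r < 0) return r;` meaningful in both configurations.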

This would require statically enabling/disabling the complete audit
support in the systemd package, while we can do this check at runtime
without much effort.

Also, with your patch you merely unbreak journald itself, but
systemd-journald-audit.socket and other units which have
ConditionSecurity=audit will still fail.

I created a patch which is a more direct approach which makes the
ConditionSecurity=audit check more thorough and actually working in
containers. With that I can leave audit enabled on the host,
containers will boot fine (including journalling) without audit
support, and as soon as the kernel gets fixed it'll automagically start
working in containers as well.

Lennart, WDYT?

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-audit-Fix-journal-failing-on-unsupported-audit-in-co.patch
Type: text/x-diff
Size: 4408 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150520/2aad71d2/attachment.patch>