[systemd-commits] 3 commits - TODO src/nspawn
Lennart Poettering
lennart at kemper.freedesktop.org
Thu Jan 22 16:44:29 PST 2015
TODO | 2 --
src/nspawn/nspawn.c | 13 +++++++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
New commits:
commit 9ba762cdd7a5e1293b1d0b79a26839d83a3fd777
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 23 01:44:14 2015 +0100
update TODO
diff --git a/TODO b/TODO
index 3d1f303..f494f6d 100644
--- a/TODO
+++ b/TODO
@@ -33,8 +33,6 @@ Release 219 preparations:
* rework journald sigbus stuff to use mutex
-* nspawn: don't change superblock mount options from nspawn for cgroup hierarchies
-
* "systemctl kill" is broken
* the dbus1 connection user id is actually the euid, not the uid, and creds should return that
commit c0534580aca48c65a5f240b093f8d0cc33eb98b9
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 23 01:43:16 2015 +0100
nspawn: when mounting the cgroup hierarchies, use the exact same mount options for the superblock as the host
Otherwise we'll generate kernel runtime warnings about non-matching
mount options.
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 4e465df..2beb810 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -972,9 +972,17 @@ static int mount_cgroup_hierarchy(const char *dest, const char *controller, cons
mkdir_p(to, 0755);
- if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV|(read_only ? MS_RDONLY : 0), controller) < 0)
+ /* The superblock mount options of the mount point need to be
+ * identical to the hosts', and hence writable... */
+ if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, controller) < 0)
return log_error_errno(errno, "Failed to mount to %s: %m", to);
+ /* ... hence let's only make the bind mount read-only, not the
+ * superblock. */
+ if (read_only) {
+ if (mount(NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
+ return log_error_errno(errno, "Failed to remount %s read-only: %m", to);
+ }
return 1;
}
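Review bot: The new `if (read_only)` block re-specifies MS_NOSUID|MS_NOEXEC|MS_NODEV next to MS_RDONLY without saying why; a MS_BIND|MS_REMOUNT call replaces the mount point's per-mount flag set, so dropping any of those three from that line would silently clear it on the bind mount. Worth pinning in the comment above the call: `/* MS_BIND|MS_REMOUNT replaces the per-mount flags, so nosuid/noexec/nodev must be repeated here or they are lost */`. Note also that if the remount fails the hierarchy is left mounted writable at `to` before the error return, which is only fine if the caller tears the whole container down on error — not visible from here. The enclosing mount_cgroup_hierarchy() starts before this hunk.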
@@ -1044,7 +1052,7 @@ static int mount_cgroup(const char *dest) {
}
}
- r = mount_cgroup_hierarchy(dest, "name=systemd", "systemd", false);
+ r = mount_cgroup_hierarchy(dest, "name=systemd,xattr", "systemd", false);
if (r < 0)
return r;
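Review bot: The `xattr` option is hard-coded in `mount_cgroup_hierarchy(dest, "name=systemd,xattr", "systemd", false)`, while the commit message says the goal is to match the host's superblock options exactly; that only holds on a host whose name=systemd hierarchy was mounted with xattr, and on one that was not the kernel option-mismatch warning this change is meant to avoid presumably comes back for this hierarchy. If host options can differ, the options should be taken from the host's own mount (e.g. via /proc/self/mountinfo) rather than assumed; at minimum the assumption should be stated next to the call: `/* Must match the host's name=systemd mount options exactly, or the kernel warns about a superblock option mismatch */`. mount_cgroup() starts before this hunk.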
commit bbb99c30d01a8bcdc27fb151cc6376a7877a6b07
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Jan 23 01:27:06 2015 +0100
nspawn: mount /tmp in the container, don't leave this to the container's init
We really want /tmp to be properly mounted, especially in containers
that lack CAP_SYS_ADMIN or that are not fully booted up and only get a
shell, hence let's do so in nspawn already.
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 25828cf..4e465df 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -816,6 +816,7 @@ static int mount_all(const char *dest) {
{ "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
+ { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true },
#ifdef HAVE_SELINUX
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
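Review bot: The new `/tmp` entry carries only MS_STRICTATIME, whereas the world-writable tmpfs siblings two lines above (`/dev/shm`, `/run`) also set MS_NOSUID|MS_NODEV; `/tmp` is likewise mode=1777 and writable by every user in the container, so the omission looks unintentional rather than deliberate. Unless the intent is to mirror the host's tmp.mount options, the line should read `{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },`. The meaning of the trailing `true` column is not visible in this hunk, and mount_all()'s table starts before it.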