[systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units

[Gerardo Exequiel Pozzi]

On 07/25/2013 02:00 PM, Lennart Poettering wrote:
> On Wed, 24.07.13 18:41, Gerardo Exequiel Pozzi (vmlinuz386 at yahoo.com.ar) wrote:
> 
> We generally try to make conditions specific to a feature rather than an
> execution environment. Containers should run without CAP_MKMNOD, and as
> udev originally was in the business of creating device nodes we hence
> bound it to this capability.
> 

OK

> Now, since very recently udev doesn'#t create a single device node
> anymore (it's all done by the kernel in devtmpfs/container manager and
> tmpfiles now), so it probably would make sense to change the capability
> check, but certainly not remove it. (I'd vote by replacing it by
> ConditionPathIsReadWrite=/sys since sane container managers mount that
> read-only.)
> 

Exactly.

> Anyway, I don't get what you are trying to achieve by your patch please
> elaborate.

My thought was simple: "Hey! what is doing CAP_MKNOD here since is not
needed anymore for udev, remove them!". Ok course, I did not think in
containers, my bad.

Anyway, this should be changed to something more "obvious" thing for
testing about running environment.

Q: If udev should not run in container why not udevd itself check about
this?

Thanks for your feedback.


> 
>> Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386 at yahoo.com.ar>
>> ---
>>  units/systemd-udev-settle.service.in  | 1 -
>>  units/systemd-udev-trigger.service.in | 1 -
>>  units/systemd-udevd-control.socket    | 1 -
>>  units/systemd-udevd-kernel.socket     | 1 -
>>  4 files changed, 4 deletions(-)
>>
>> diff --git a/units/systemd-udev-settle.service.in b/units/systemd-udev-settle.service.in
>> index 037dd9a..148aa9d 100644
>> --- a/units/systemd-udev-settle.service.in
>> +++ b/units/systemd-udev-settle.service.in
>> @@ -16,7 +16,6 @@ DefaultDependencies=no
>>  Wants=systemd-udevd.service
>>  After=systemd-udev-trigger.service
>>  Before=sysinit.target
>> -ConditionCapability=CAP_MKNOD
>>  
>>  [Service]
>>  Type=oneshot
>> diff --git a/units/systemd-udev-trigger.service.in b/units/systemd-udev-trigger.service.in
>> index 604c369..ea3cb62 100644
>> --- a/units/systemd-udev-trigger.service.in
>> +++ b/units/systemd-udev-trigger.service.in
>> @@ -12,7 +12,6 @@ DefaultDependencies=no
>>  Wants=systemd-udevd.service
>>  After=systemd-udevd-kernel.socket systemd-udevd-control.socket
>>  Before=sysinit.target
>> -ConditionCapability=CAP_MKNOD
>>  
>>  [Service]
>>  Type=oneshot
>> diff --git a/units/systemd-udevd-control.socket b/units/systemd-udevd-control.socket
>> index ca17102..12a66d2 100644
>> --- a/units/systemd-udevd-control.socket
>> +++ b/units/systemd-udevd-control.socket
>> @@ -10,7 +10,6 @@ Description=udev Control Socket
>>  Documentation=man:systemd-udevd.service(8) man:udev(7)
>>  DefaultDependencies=no
>>  Before=sockets.target
>> -ConditionCapability=CAP_MKNOD
>>  
>>  [Socket]
>>  Service=systemd-udevd.service
>> diff --git a/units/systemd-udevd-kernel.socket b/units/systemd-udevd-kernel.socket
>> index 4b8a5b0..64e6f63 100644
>> --- a/units/systemd-udevd-kernel.socket
>> +++ b/units/systemd-udevd-kernel.socket
>> @@ -10,7 +10,6 @@ Description=udev Kernel Socket
>>  Documentation=man:systemd-udevd.service(8) man:udev(7)
>>  DefaultDependencies=no
>>  Before=sockets.target
>> -ConditionCapability=CAP_MKNOD
>>  
>>  [Socket]
>>  Service=systemd-udevd.service
> 
> 
> Lennart
> 


-- 
Gerardo Exequiel Pozzi
\cos^2\alpha + \sin^2\alpha = 1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20130725/3647955a/attachment.pgp>