[systemd-devel] [PATCH] nspawn: do not check audit if --boot argument is not set

Lennart Poettering lennart at poettering.net
Sun Feb 16 13:14:00 PST 2014


On Sun, 16.02.14 17:40, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:

> 
> On Sun, Feb 16, 2014 at 12:03:21AM +0100, Djalal Harouni wrote:
> > Currently systemd-nspawn will call reset_audit_loginuid() and check
> > if audit is enabled in the kernel even if it was invoked without the
> > --boot argument. This makes systemd-nspawn print the audit error message
> > and sleep(5) on every execution.
> > 
> > This was introduced by commit db999e0f923ca6. Fix it by checking if
> > arg_boot is set before calling reset_audit_loginuid().
> I'd argue that reset_audit_loginuid() should be called always, and the
> loginuid reset if possible. One might execute the real init later
> anyway.
> 
> But later after db999e0f923ca6 Lennart added the seccomp wrapper, when
> it turned out that resetting the audit loginuid is not enough. So
> maybe with that additional change audit doesn't break containers even
> with older kernels and the message and the delay could be done away
> with altogether?

We only generate the warning now if we cannot reset the loginuid,
i.e. on kernels < 0.3.14, which should be the right thing to do?

Lennart

-- 
Lennart Poettering, Red Hat
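What the thread is really about is when nspawn tries to clear the audit login UID and when the warning (and the sleep) fires. The following is an added C example, not systemd's own code: it models the reset nspawn performs (read /proc/self/loginuid; if it is not already 4294967295, i.e. (uid_t)-1, write that value back) together with the arg_boot gate the patch introduces, warning only when the write is refused. The function and enum names and the path parameter are hypothetical, chosen so the logic can be exercised on an ordinary file; on the real path the write needs CAP_AUDIT_CONTROL and a kernel that permits unsetting the loginuid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* (uid_t)-1 as text: the "unset" audit login UID. */
#define LOGINUID_UNSET "4294967295"

/* Hypothetical result codes for the reset attempt (not systemd's names). */
enum loginuid_result {
        LOGINUID_NO_AUDIT,      /* loginuid file absent: kernel without audit support, nothing to do */
        LOGINUID_ALREADY_UNSET, /* already 4294967295 */
        LOGINUID_RESET_OK,      /* write accepted */
        LOGINUID_RESET_FAILED,  /* unreadable or write refused: audit on, kernel will not let us clear it */
};

/* Read the first line of a small file into buf, dropping the newline. Returns 0 or -errno. */
int read_one_line(const char *path, char *buf, size_t size) {
        int fd = open(path, O_RDONLY | O_CLOEXEC);
        if (fd < 0)
                return -errno;
        ssize_t n = read(fd, buf, size - 1);
        int saved = errno;
        close(fd);
        if (n < 0)
                return -saved;
        buf[n] = '\0';
        buf[strcspn(buf, "\n")] = '\0';
        return 0;
}

/* Overwrite a file with text. With create == false a missing file stays missing,
 * which is what the reset wants: it must never create a fake loginuid file. Returns 0 or -errno. */
int write_text_file(const char *path, const char *text, bool create) {
        int flags = O_WRONLY | O_TRUNC | O_CLOEXEC | (create ? O_CREAT : 0);
        int fd = open(path, flags, 0600);
        if (fd < 0)
                return -errno;
        ssize_t len = (ssize_t) strlen(text);
        ssize_t n = write(fd, text, (size_t) len);
        int saved = errno;
        close(fd);
        if (n < 0)
                return -saved;
        return n == len ? 0 : -EIO;
}

/* The reset itself. 'path' is /proc/self/loginuid in nspawn; it is a parameter
 * here only so the logic can be run against a scratch file. */
enum loginuid_result reset_audit_loginuid_at(const char *path) {
        char current[64];
        int r = read_one_line(path, current, sizeof current);
        if (r == -ENOENT)
                return LOGINUID_NO_AUDIT;
        if (r < 0)
                return LOGINUID_RESET_FAILED;
        if (strcmp(current, LOGINUID_UNSET) == 0)
                return LOGINUID_ALREADY_UNSET;
        if (write_text_file(path, LOGINUID_UNSET "\n", false) < 0)
                return LOGINUID_RESET_FAILED;
        return LOGINUID_RESET_OK;
}

/* The patched control flow: without --boot nothing is attempted, so nothing is
 * warned about; with --boot, warn (and, in nspawn, sleep) only if the reset was refused. */
bool audit_reset_warning_needed(bool arg_boot, const char *loginuid_path) {
        if (!arg_boot)
                return false;
        return reset_audit_loginuid_at(loginuid_path) == LOGINUID_RESET_FAILED;
}

int main(void) {
        static const char *names[] = { "no audit", "already unset", "reset ok", "reset failed" };
        enum loginuid_result r = reset_audit_loginuid_at("/proc/self/loginuid");
        printf("loginuid reset on this kernel: %s\n", names[r]);
        printf("would warn with --boot: %s\n", r == LOGINUID_RESET_FAILED ? "yes" : "no");
        return 0;
}
```

Run it unprivileged and the reset is refused on a kernel with audit enabled, which is exactly the case the warning is for; the same binary without the arg_boot gate would print the warning for every plain `systemd-nspawn /bin/sh` invocation, which is the regression the patch describes.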

