[systemd-devel] [PATCH] nspawn: do not check audit if --boot argument is not set
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Sun Feb 16 15:50:58 PST 2014
On Sun, Feb 16, 2014 at 10:14:00PM +0100, Lennart Poettering wrote:
> On Sun, 16.02.14 17:40, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
>
> >
> > On Sun, Feb 16, 2014 at 12:03:21AM +0100, Djalal Harouni wrote:
> > > Currently systemd-nspawn will call reset_audit_loginuid() and check
> > > if audit is enabled in the kernel even if it was invoked without the
> > > --boot argument. This makes systemd-nspawn print the audit error message
> > > and sleep(5) on every execution.
> > >
> > > This was introduced by commit db999e0f923ca6. Fix it by checking if
> > > arg_boot is set before calling reset_audit_loginuid().
> > I'd argue that reset_audit_loginuid() should be called always, and the
> > loginuid reset if possible. One might execute the real init later
> > anyway.
> >
> > But later after db999e0f923ca6 Lennart added the seccomp wrapper, when
> > it turned out that resetting the audit loginuid is not enough. So
> > maybe with that additional change audit doesn't break containers even
> > with older kernels and the message and the delay could be done away
> > with altogether?
>
> We only generate the warning now if we cannot reset the loginuid,
> i.e. on kernels < 0.3.14, which should be the right thing to do?
Yes, but the proposed patch would completely avoid resetting the uid
in some cases, which is what I don't think is right.
OK, I now tested, and login works with kernel 3.14, and not with lower
ones. So current code with the warning is fine.
Zbyszek