[systemd-devel] Improving systemd-nspawn at .service (container dir/nonpersistant journal)

[Martin Pitt]

Hello all,

we just got a bug report [1] about the systemd-nspawn at .service not
working very well by default:

First, /var/lib/containers/ does not exist by default. To guard
against information leaks or hard link attacks by users, this
directory should be 0700 by default. LXC does the same (/var/lib/lxc
is 0700 for these reasons). What do you think about adding

    d /var/lib/containers 0700 - - -

to tmpfiles.d/var.conf? I can also add this to the Debian tmpfiles.d
file, but it's not really Debian specific.

Second, systemd-nspawn at .service uses --link-journal=guest. If you
don't have a persistant journal, and /var/log/journal/ does not exist,
then containers fail to start in a rather unfriendly way:

  Spawning container c on /tmp/c.
  Press ^] three times within 1s to kill container.
  Container c failed with error code 1.

I. e. they don't tell you what's wrong. (SYSTEMD_LOG_LEVEL=debug
doesn't help at all). But --link-journal=auto isn't right either as
this then won't create the /var/log/journal/<machineid> symlink if you
do have a persistant journal.

I don't quite like creating /var/log/journal by default in the
package, as that would create persistant journals on the host (for the
guests) even though the admin disabled/didn't enable persistant
journalling.

 - Option 1: Change the unit to use "guest" if /var/log/journal
   exists, and not use --link-journal at all if it doesn't. (This
   can't be directly expressed on the nspawn CLI, thus would need some
   Exec=/bin/sh -c 'if [ -d ... ]' shell commands)

 - Option 2: Make --link-journal=guest nonfatal and just print out a
   warning if /var/log/journal/ does not exist.

 - Any others?

I'm happy to work on either solution.

Thanks,

Martin

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770275
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)