[systemd-devel] Improving systemd-nspawn@.service (container dir/non-persistent journal)

Martin Pitt martin.pitt at ubuntu.com
Thu Nov 20 05:48:32 PST 2014


Hey,

Lennart Poettering [2014-11-20 12:29 +0100]:
> >     d /var/lib/containers 0700 - - -
> > 
> > to tmpfiles.d/var.conf? I can also add this to the Debian tmpfiles.d
> > file, but it's not really Debian specific.
> 
> Sounds reasonable. But first, can you elaborate on the reason for 0700
> rather than 0755?

Mostly so that users on the host can't call suid root binaries in the
container. If containers are restricted with selinux/apparmor or
started as user (both happen in Ubuntu for LXC, for example) this
would open a way to escalate root privs in a container into root privs
on the host. https://launchpad.net/bugs/1244635 has the
details/history of this.

I know that upstream systemd doesn't ship AppArmor/SELinux profiles,
and thus your stance is that containers are inherently insecure. So if
you aren't convinced by the calling of suid root binaries, 0755 is
also ok for upstream, or we just skip this part entirely (it's really
just a small detail, after all).

Patch attached.

> > Second, systemd-nspawn@.service uses --link-journal=guest. If you
> > don't have a persistent journal, and /var/log/journal/ does not exist,
> > then containers fail to start in a rather unfriendly way:
>
> Hmm, another option would be to introduce --link-journal=try-guest
> which is identical to --link-journal=guest except that it becomes a
> NOP if /var/log/journal doesn't exist and doesn't even generate an
> error or warning. Then, we could change "-j" to mean
> --link-journal=try-guest and make that the default to use in the unit
> file. I think that would be the best option really.

Excellent, sounds good! Patch attached. I went with a new
link_journal_try flag instead of introducing
LINK_TRY_HOST/LINK_TRY_GUEST, as that would make a lot of if
statements more unwieldy, and it's easy to forget to always check for
both cases. But if you prefer that, I'm happy to change the patch
accordingly.

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-nspawn-Add-try-host-guest-journal-link-modes.patch
Type: text/x-diff
Size: 8033 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141120/379fccb2/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-tmpfiles.d-Create-var-lib-containers.patch
Type: text/x-diff
Size: 987 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141120/379fccb2/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141120/379fccb2/attachment-0001.sig>
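As an added illustration of the 0700-vs-0755 argument in the mail above (this is not code from Martin's mail, from the attached patches, or from systemd): an unprivileged host user can only execute a setuid-root binary inside a container rootfs if every directory from the container parent down to the binary is world-searchable, so a root-owned 0700 /var/lib/containers closes that path no matter what the image ships. The script applies a tmpfiles.d-style "d PATH MODE - - -" line (only the 'd' type, octal mode; the user, group and age fields are ignored, a simplification of what systemd-tmpfiles does) and then counts setuid binaries that would actually be reachable from the host. It checks permission bits rather than `test -x`, so the answer is the same whether the audit runs as root or not. Group search bits are deliberately ignored (the assumption is that ordinary host users are not in the owning group); all paths are assumed to be normalized, without trailing slashes.

```shell
#!/bin/sh
# Added example, not part of the original mail or of systemd.

# apply_tmpfiles_d_line "d /var/lib/containers 0700 - - -"
# Creates the directory with the given octal mode. Only the 'd' type is handled.
apply_tmpfiles_d_line() {
    set -- $1                      # split the tmpfiles.d line into fields
    kind=$1; path=$2; mode=$3
    [ "$kind" = d ] || { echo "unsupported tmpfiles.d type: $kind" >&2; return 2; }
    mkdir -p "$path" && chmod "$mode" "$path"
}

# dir_traversable_by_others DIR
# True when the "others" search (x) bit is set on DIR, i.e. any host user
# can walk through it. -prune keeps find from descending into DIR.
dir_traversable_by_others() {
    [ -n "$(find "$1" -prune -perm -001 -print)" ]
}

# path_traversable DIR FILE
# True when every directory from DIR down to FILE's parent is searchable
# by others. Returns false if FILE does not lie below DIR (or DIR is /).
path_traversable() {
    d=$(dirname "$2")
    while [ "$d" != / ]; do
        dir_traversable_by_others "$d" || return 1
        [ "$d" = "$1" ] && return 0
        d=$(dirname "$d")
    done
    return 1
}

# reachable_setuid_count DIR
# Prints the number of setuid, world-executable files under DIR that an
# unprivileged host user could reach. With DIR at 0700 this is always 0,
# regardless of what the container images below it contain.
reachable_setuid_count() {
    find "$1" -type f -perm -4001 -print |
        while IFS= read -r f; do
            path_traversable "$1" "$f" && echo "$f"
        done |
        wc -l | tr -d ' '
}
```

Typical use: `apply_tmpfiles_d_line "d /var/lib/containers 0700 - - -"` followed by `reachable_setuid_count /var/lib/containers`; a non-zero result on a parent directory you expected to be private is the condition the 0700 mode in the proposed tmpfiles.d stanza is meant to rule out.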