[systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
Michal Sekletar
msekleta at redhat.com
Wed Oct 8 07:49:35 PDT 2014
On Wed, Oct 08, 2014 at 01:41:16PM +0200, Lennart Poettering wrote:
> On Tue, 07.10.14 14:17, Michal Sekletar (msekleta at redhat.com) wrote:
>
> > On Thu, Oct 02, 2014 at 12:04:02PM +0200, Lennart Poettering wrote:
> > > On Thu, 02.10.14 09:57, Michal Sekletar (msekleta at redhat.com) wrote:
> > >
> > > > #define FINALIZE_ATTEMPTS 50
> > > >
> > > > @@ -207,7 +208,11 @@ int main(int argc, char *argv[]) {
> > > >
> > > > in_container = detect_container(NULL) > 0;
> > > >
> > > > - need_umount = true;
> > > > + if (in_container && !have_effective_cap(CAP_SYS_ADMIN))
> > > > + need_umount = false;
> > > > + else
> > > > + need_umount = true;
> > > > +
> > > > need_swapoff = !in_container;
> > > > need_loop_detach = !in_container;
> > > > need_dm_detach = !in_container;
> > >
> > > Hmm, I think we should just do "need_umount = !in_container", like we
> > > do for the other things like loopback detaching, dm detaching or
> > > swapoff. After all, if we run in a container we run in a mount
> > > namespace anyway, so unmounting things is done by the kernel
> > > implicitly if the namespace dies. At least in theory this means we can
> > > simply skip the unmounting in all containers, but I must admit that I
> > > am not entirely clear on this one, so this needs to be tested in the
> > > common container managers really, I figure...
> >
> > Do you mind if I push just need_umount = !in_container then?
>
> Well, yes.
>
> I'd be thankful if you'd test this a bit first, so that this doesn't
> break anything. Testing nspawn and on bare-metal should be enough.
Works just fine on F21 KVM guest and in rawhide nspawn container.
Michal
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list