[systemd-devel] [PATCH] journal: don't complain about audit socket errors in a container.

frank.thalberg at tuta.io frank.thalberg at tuta.io
Sun Apr 12 13:51:33 PDT 2015


This fixes an issue within journald aborting when running inside
archlinux container via systemd-nspawn on a debian host with audit
enabled kernel.

The journald binary in the archlinux container would try to bind an
audit netlink socket which isn't allowed from within containers.
The failed bind call then leads to an abort of journald, which in turn
disables logging for the whole container.

This commit fixes this by logging and ignoring the EPERM error raised
from the kernel after the bind call if it detects that it's running
inside a container.
---
  src/journal/journald-audit.c  | 8 +++++++-
  src/journal/journald-server.c | 2 ++
  2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 46eb82f..1b36984 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -20,6 +20,7 @@
  ***/

  #include "missing.h"
+#include "virt.h"
  #include "journald-audit.h"

  typedef struct MapField {
@@ -533,8 +534,13 @@ int server_open_audit(Server *s) {
                  }

                  r = bind(s->audit_fd, &http://sa.sa, sizeof(http://sa.nl));
-                if (r < 0)
+                if (r < 0) {
+                        if (errno == EPERM && detect_container(NULL) > 0) {
+                                log_debug("Audit not supported in 
containers.");
+                                return 0;
+                        }
                          return log_error_errno(errno, "Failed to join audit 
multicast group: %m");
+                }
          } else
                  fd_nonblock(s->audit_fd, 1);
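Review bot: The new EPERM-in-container branch returns 0 but leaves s->audit_fd holding an open socket that never joined the multicast group, so the descriptor leaks and, if later code treats audit_fd >= 0 as an active audit source (not visible in this hunk), the server will watch a socket that never delivers audit records. Close and reset it before returning, e.g. `s->audit_fd = safe_close(s->audit_fd);` (plain close() plus `s->audit_fd = -1` if that helper is not in scope here). Consider log_info or log_warning instead of log_debug: silently dropping an audit log source is a security-relevant condition an operator should see, and matching only EPERM means any other errno from a container still aborts journald. The `&http://sa.sa` in the bind() call looks like the archive's URL autolinking of `&sa.sa` rather than patch content, but the sender should confirm. server_open_audit starts and ends outside this hunk.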

diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5e07ce3..21f383a 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1585,9 +1585,11 @@ int server_init(Server *s) {
          if (r < 0)
                  return r;

+#ifdef HAVE_AUDIT
          r = server_open_audit(s);
          if (r < 0)
                  return r;
+#endif

          r = server_open_kernel_seqnum(s);
          if (r < 0)
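Review bot: The `#ifdef HAVE_AUDIT` guard around server_open_audit is not mentioned in the commit description, and its effect depends on whether server_open_audit is declared when HAVE_AUDIT is undefined (not visible here): if journald-audit.h already provides a stub, the guard is redundant; if not, the non-audit build was already broken and the fix deserves its own commit with a description. Either way, state the intent on the guard, e.g. `/* audit netlink collection is only compiled with HAVE_AUDIT */`, so a reader does not mistake it for part of the container fix. server_init starts and ends outside this hunk.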
--
2.3.5

