[systemd-devel] [PATCH] Make seccomp protections in systemd-nspawn optional

Brandon Philips brandon at ifup.co
Tue Feb 3 15:49:38 PST 2015


For context, this puts a toggle on this feature added to nspawn:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=28650077f36466d9c5ee27ef2006fae3171a2430

I encouraged Jay to make it an opt-in flag so as to not break other
people who had working setups when using nspawn as a minimal ns
wrapper.

Brandon



On Tue, Feb 3, 2015 at 3:22 PM, Jay Faulkner <jay at jvf.cc> wrote:
> Hi all,
>
> As I posted last week, a change merged a while ago to systemd-nspawn adding seccomp protections with no ability to enable/disable broke the Ironic Python Agent ramdisk which utilizes CoreOS and systemd. The attached patch makes the behavior optional, with it defaulting to disabled. I did this for two reasons; the first being that my (and other consumers of OpenStack Ironic) use case was broken, as would anyone else using nspawn in this manner. Additionally, seccomp filters can be configured specifically as desired in the unit file.
>
> I appreciate your time and effort in getting this patch merged, so I’ll be able to upgrade and consume a newer systemd.
>
> Thanks,
> Jay Faulkner
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
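The thread turns on a seccomp filter that nspawn began applying with no switch to see or disable it. The script below is an added example, written for this page; it is not code from the thread, from systemd or from nspawn. It reads the Seccomp field the Linux kernel exposes in /proc/<pid>/status (0 = disabled, 1 = strict, 2 = BPF filter) so that a container payload can tell whether any filter, nspawn's built-in one or a SystemCallFilter= set on the unit that launches nspawn, is in force. The SAMPLE_FILTERED text is a constructed excerpt, not captured from a real system, and the parsing assumes the kernel provides that field.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a process, for instance
# the payload started by systemd-nspawn, runs under a seccomp filter, by reading
# the Seccomp field of /proc/<pid>/status (0 = disabled, 1 = strict, 2 = filter).

# seccomp_mode STATUS_TEXT -> prints the numeric Seccomp mode, or "unknown"
# when the field is absent (e.g. a kernel built without CONFIG_SECCOMP).
seccomp_mode() {
    printf '%s\n' "$1" | awk -F':' '
        $1 == "Seccomp" { gsub(/[ \t]/, "", $2); print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# seccomp_mode_name MODE -> human-readable name for a mode number.
seccomp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "filter" ;;
        *) echo "unknown" ;;
    esac
}

# process_seccomp_mode [PID] -> mode of a live process (default: the caller).
# Seccomp filters are inherited across fork() and execve(), so a filter
# installed by nspawn, or by SystemCallFilter= on the unit running nspawn,
# is visible from any process inside the container.
process_seccomp_mode() {
    pid="${1:-self}"
    seccomp_mode "$(cat "/proc/$pid/status" 2>/dev/null)"
}

# Constructed /proc/<pid>/status excerpt (assumption: this is the shape the
# kernel prints for a process confined by one BPF filter).
SAMPLE_FILTERED='Name:	sh
Pid:	1
Seccomp:	2
Seccomp_filters:	1
Cpus_allowed:	f'

# Run with --self to probe the calling shell, e.g. as the nspawn payload:
#   systemd-nspawn -D /path/to/tree /bin/sh /tmp/seccomp-probe.sh --self
if [ "${1:-}" = "--self" ]; then
    mode="$(process_seccomp_mode self)"
    echo "pid $$: Seccomp=$mode ($(seccomp_mode_name "$mode"))"
fi
```

Run it as the container's init or as a one-off payload before and after applying a patch like Jay's: a "filter" result with nspawn invoked plainly means the built-in filter is active, and a "disabled" result on a unit that carries SystemCallFilter= means the filter did not reach the payload. The script only reports the mode; the set of blocked syscalls cannot be read back from userspace, so that has to be checked against the unit file or nspawn's source.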