[systemd-devel] [PATCH] Fix systemd crash (on assert) during shutdown/reboot in unprivileged container

Stéphane Graber stgraber at ubuntu.com
Thu Jan 15 09:14:42 PST 2015 

Hello,

The last big issue I'm running into when running systemd in an
unprivileged LXC container is that it's crashing on an assert in the
shutdown/reboot path right after unmounting all devices.

That's because due to mknod not being allowed inside a user namespace,
we have to bind-mount all the required device nodes from the host's /dev on
top of empty files in the container's /dev.

This all works great until systemd unmounts everything. At which point,
all of those are 0 byte files. Systemd then opens /dev/urandom and
attempts to read some bytes from there, gets 0 bytes back and trips an
assertion.


To fix that, I've got two different approaches, both with an associated
patch attached to this e-mail:
 - 0001-Add-dev-urandom-to-ignore_paths.patch:
   This very simply adds /dev/urandom to the ignore_paths list alongside
   /dev/console. That way all the other mount entries are unmounted but
   /dev/urandom isn't, fixing the issue we're currently seeing.

 - 0001-Ignore-devices-bind-mounts.patch:
   This one is a more generic take on the problem and should be more
   future-proof. Rather than hardcoding /dev/urandom, it extends the
   existing mount_point_ignore function to ignore any mountpoint which is a
   character or block device.


I tend to prefer the latter because it's future-proof and avoids
hardcoding paths, however it certainly is more likely to have
side-effects than the first (though I can't think of any obvious one).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-dev-urandom-to-ignore_paths.patch
Type: text/x-diff
Size: 1092 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150115/f56f60ce/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Ignore-devices-bind-mounts.patch
Type: text/x-diff
Size: 1692 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150115/f56f60ce/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150115/f56f60ce/attachment.sig>

More information about the systemd-devel mailing list