[systemd-devel] [PATCH] Fix systemd crash (on assert) during shutdown/reboot in unprivileged container

Lennart Poettering lennart at poettering.net
Thu Jan 15 10:20:55 PST 2015

On Thu, 15.01.15 12:14, St├ęphane Graber (stgraber at ubuntu.com) wrote:

> Hello,
> The last big issue I'm running into when running systemd in an
> unprivileged LXC container is that it's crashing on an assert in the
> shutdown/reboot path right after unmounting all devices.
> That's because due to mknod not being allowed inside a user namespace,
> we have to bind-mount all the required device nodes from the host's /dev on
> top of empty files in the container's /dev.
> This all works great until systemd unmounts everything. At which point,
> all of those are 0 byte files. Systemd then opens /dev/urandom and
> attempts to read some bytes from there, gets 0 bytes back and trips an
> assertion.
> To fix that, I've got two different approaches, both with an associated
> patch attached to this e-mail:
>  - 0001-Add-dev-urandom-to-ignore_paths.patch:
>    This very simply adds /dev/urandom to the ignore_paths list alongside
>    /dev/console. That way all the other mount entries are unmounted but
>    /dev/urandom isn't, fixing the issue we're currently seeing.
>  - 0001-Ignore-devices-bind-mounts.patch:
>    This one is a more generic take on the problem and should be more
>    future-proof. Rather than hardcoding /dev/urandom, it extends the
>    existing mount_point_ignore function to ignore any mountpoint which is a
>    character or block device.

I think I'd prefer if we simply would avoid unmounting anything that
sits below /sys, /dev, /proc. i.e. a simple path_startswith() check
before the unmount...


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list