[systemd-devel] [PATCH] Fix systemd crash (on assert) during shutdown/reboot in unprivileged container

Stéphane Graber stgraber at ubuntu.com
Thu Jan 15 16:24:25 PST 2015 

On Thu, Jan 15, 2015 at 07:20:55PM +0100, Lennart Poettering wrote:
> On Thu, 15.01.15 12:14, Stéphane Graber (stgraber at ubuntu.com) wrote:
> 
> > Hello,
> > 
> > The last big issue I'm running into when running systemd in an
> > unprivileged LXC container is that it's crashing on an assert in the
> > shutdown/reboot path right after unmounting all devices.
> > 
> > That's because due to mknod not being allowed inside a user namespace,
> > we have to bind-mount all the required device nodes from the host's /dev on
> > top of empty files in the container's /dev.
> > 
> > This all works great until systemd unmounts everything. At which point,
> > all of those are 0 byte files. Systemd then opens /dev/urandom and
> > attempts to read some bytes from there, gets 0 bytes back and trips an
> > assertion.
> > 
> > 
> > To fix that, I've got two different approaches, both with an associated
> > patch attached to this e-mail:
> >  - 0001-Add-dev-urandom-to-ignore_paths.patch:
> >    This very simply adds /dev/urandom to the ignore_paths list alongside
> >    /dev/console. That way all the other mount entries are unmounted but
> >    /dev/urandom isn't, fixing the issue we're currently seeing.
> > 
> >  - 0001-Ignore-devices-bind-mounts.patch:
> >    This one is a more generic take on the problem and should be more
> >    future-proof. Rather than hardcoding /dev/urandom, it extends the
> >    existing mount_point_ignore function to ignore any mountpoint which is a
> >    character or block device.
> 
> I think I'd prefer if we simply would avoid unmounting anything that
> sits below /sys, /dev, /proc. i.e. a simple path_startswith() check
> before the unmount...
> 
> Lennart

Something like that?

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Skip-anything-in-dev-sys-or-proc-on-unmount.patch
Type: text/x-diff
Size: 1433 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150115/a85c7c5c/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150115/a85c7c5c/attachment.sig>

More information about the systemd-devel mailing list