[systemd-devel] logind vs CAP_SYS_ADMIN-lessness

Lennart Poettering lennart at poettering.net
Tue Jan 27 05:46:27 PST 2015


On Tue, 27.01.15 10:53, Christian Seiler (christian at iwakd.de) wrote:

> LXC predates systemd by about 2 years. (And at the very beginning,
> systemd didn't support containers out of the box, so it predates
> systemd's container support by even more.) And at that time, doing that
> was a way to sysvinit containers with no or minimal modification to
> /etc/inittab. So instead of saying that LXC breaks systemd's
> assumptions, you could also say systemd breaks LXC's assumptions. As I
> said: bubbles. ;-)

Well, LXC breaks everybody's assumptions, not just
systemd's. /dev/tty[1-6] refers to the VT, and TERM=linux is the right
$TERM for it. However, if you actually have a pty and an xterm behind
it then these settings will be incorrect for a ton of programs.

> Now I'm not going to argue with you that the method of doing
> $container_ttys= isn't vastly superior to what was there previously,
> because it is. So I don't disagree with the long-term solution at
> all.

Note that $container_ttys= is actually just a frontend for dynamically
instantiating console-getty@.service instances for the specified
ptys. You can just enable them statically too.

(And 'machinectl login' actually even instantiates them during
runtime to allow dynamic logins to a local container that registers
with it...)

> But LXC 1.0 just doesn't support this yet, so the question is what to do
> in the mean time. If I do what I described:
> 
>  - logind can't open /dev/tty0, so all VT management in there is
>    disabled anyway
>  - within systemd: vt_disallocate can't open /dev/tty0, so it just
>    returns an error, but that error code is never checked in
>    core/execute.c, so it just behaves as if the directive never had
>    been there
>  - getty@.service statically enabled just runs agetty, so really only
>    $TERM is wrong

Well, it's also conditionalized to /dev/tty0. Instead of patching the
unit file you could as well just instantiate container-getty@.service
in /etc, get the right $TERM and be done with it.

> Speaking of, isn't there a bug in container-getty@.service?[*] It uses
> ConditionPathExists=/dev/pts/%I, starts agetty on pts/%I but sets
> TTYPath=/dev/%I instead of /dev/pts/%I... And having the utmp specifier
> be just a number (%I) instead of pts/%I is also probably weird.

True, and true!

Thanks for the pointer. Fixed in git!

> Fair enough[#], but did you receive my patches for the part about
> skipping on missing perms?

Yes, I have a huge backlog of unprocessed mail, and am currently
wading through it backwards in time. Sorry for the delay!

Lennart

-- 
Lennart Poettering, Red Hat
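The ConditionPathExists= / TTYPath= mismatch Christian points out above is easy to miss because the template only becomes a concrete path once %I is substituted. The following shell script is an added example, not part of the thread and not systemd's own code: it expands a getty template unit for one instance name and checks that the device the unit waits for and the device it hands to its TTY handling are the same file. The two unit texts are constructed to illustrate the reported mismatch and a corrected variant; they are not the upstream container-getty@.service, and the ExecStart= line is illustrative. The helper names (unit_get, instantiate, tty_paths_consistent, check_unit) are this example's own.

```shell
#!/bin/sh
# Added example: lint a getty template unit for the inconsistency described
# in the thread (ConditionPathExists=/dev/pts/%I but TTYPath=/dev/%I).
# The unit texts below are constructed for illustration; they are not the
# upstream systemd files.

# Print the value of one Key= setting from unit text on stdin.
# Last occurrence wins, matching how systemd treats repeated single-value keys.
unit_get() {
    sed -n "s/^$1=//p" | tail -n 1
}

# Expand the template text ($1) for instance name ($2) by substituting %I.
# Only %I is handled here; real systemd supports many more specifiers.
instantiate() {
    printf '%s\n' "$1" | sed "s|%I|$2|g"
}

# Succeed (status 0) when ConditionPathExists= and TTYPath= name the same
# device in the given unit text; fail (status 1) when either is missing or
# they differ.
tty_paths_consistent() {
    cond=$(printf '%s\n' "$1" | unit_get ConditionPathExists)
    tty=$(printf '%s\n' "$1" | unit_get TTYPath)
    [ -n "$cond" ] && [ -n "$tty" ] && [ "$cond" = "$tty" ]
}

# Constructed unit reproducing the bug as described: the condition checks
# /dev/pts/%I while TTYPath points at /dev/%I, and the utmp id is a bare number.
BUGGY_UNIT='[Unit]
Description=Container Getty on /dev/pts/%I
ConditionPathExists=/dev/pts/%I

[Service]
ExecStart=-/sbin/agetty --noclear --keep-baud pts/%I 115200,38400,9600 vt220
TTYPath=/dev/%I
UtmpIdentifier=%I
Restart=always
RestartSec=0'

# Constructed corrected variant: every reference resolves to /dev/pts/%I.
FIXED_UNIT='[Unit]
Description=Container Getty on /dev/pts/%I
ConditionPathExists=/dev/pts/%I

[Service]
ExecStart=-/sbin/agetty --noclear --keep-baud pts/%I 115200,38400,9600 vt220
TTYPath=/dev/pts/%I
UtmpIdentifier=pts/%I
Restart=always
RestartSec=0'

# Instantiate a unit as pts/3 and report whether its two TTY references agree.
check_unit() {
    name=$1
    inst=$(instantiate "$2" 3)
    if tty_paths_consistent "$inst"; then
        echo "$name: TTYPath matches ConditionPathExists"
    else
        cond=$(printf '%s\n' "$inst" | unit_get ConditionPathExists)
        tty=$(printf '%s\n' "$inst" | unit_get TTYPath)
        echo "$name: MISMATCH: waits for $cond but TTYPath is $tty"
    fi
}

check_unit buggy "$BUGGY_UNIT"
check_unit fixed "$FIXED_UNIT"
```

The check deliberately runs on the instantiated text rather than the raw template: a template can look fine to the eye while the substituted paths diverge, and it is the substituted paths that agetty and the unit's TTY handling actually open. Running the script prints a mismatch for the first unit (/dev/pts/3 versus /dev/3) and a match for the second.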