[systemd-devel] Fedora 21 and systemd-nspawn

Lennart Poettering lennart at poettering.net
Tue Jun 16 04:04:27 PDT 2015


On Mon, 15.06.15 21:15, Chris Morgan (chmorgan at gmail.com) wrote:

> On a somewhat related topic, are many people making use of nspawn
> containers in production or test environments? I was a little surprised by
> the issues I had when trying them out with f21. f22 seems smoother but
> still required the audit=0 and I think I had to disable selinux to set the
> password but I was trying for a while with a blank password so...
> 
> But yeah, was wondering if there were known users of nspawn containers that
> discussed their use cases.

Until recently the man page clarified that it was a tool for debugging
things only. However, we removed that recently, because I noticed that
people *are* using it in production now. Also, the rkt guys use it as
backend for their stuff these days.

Turning off audit is not necessary anymore since we did the seccomp
hack, at least on x86-64. It's still necessary to turn it off
explicitly on i386. Also note that even on i386 it's not
necessary to turn off auditing when you use Debian or Ubuntu in the
container; only running Fedora/Red Hat inside a container requires
this (because only Fedora's PAM is weird).

My guess is that most people who run nspawn turn off SELinux though,
or don't use Fedora, since SELinux appears to be pretty much a
Fedora/Red Hat-only thing.

Both the SELinux and audit issues apply to all container managers that
are supposed to run full distros inside, not only nspawn.

Lennart

-- 
Lennart Poettering, Red Hat
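The host/arch/distro rules in the reply above, turned into a pre-flight check an admin can run before booting a container tree with systemd-nspawn. This is an added example, not code from the mail or from the systemd project; it assumes the hypothetical script name nspawn-audit-check.sh, that the container's distro is identifiable from its /etc/os-release ID field, and that CentOS/RHEL share Fedora's PAM behaviour (an assumption, since the mail only names Fedora/Red Hat). All inputs are parameters so the functions can be exercised offline with constructed values.

```shell
#!/bin/sh
# Added example (not part of the original mail or of systemd).
# Decide whether a host still needs audit=0 on the kernel command line
# before running a given container tree with systemd-nspawn, following
# the rules stated in the reply:
#   - x86-64 hosts: not needed (nspawn's seccomp filter covers it)
#   - i386 hosts:   needed only for Fedora/Red Hat-family containers
#   - other arches: not covered by the mail, so assume audit=0 is needed
# Exit status of nspawn_audit_check: 0 = fine as is, 1 = audit=0 required.

# container_id ROOTDIR -> prints the ID= value from ROOTDIR/etc/os-release,
# or "unknown" when the file is missing.
container_id() {
    root=$1
    [ -r "$root/etc/os-release" ] || { echo "unknown"; return; }
    # Source the file in a subshell so its variables do not leak out.
    ( . "$root/etc/os-release" && printf '%s\n' "${ID:-unknown}" )
}

# has_audit_off CMDLINE -> 0 when the kernel command line contains audit=0
has_audit_off() {
    case " $1 " in
        *" audit=0 "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# nspawn_audit_check ARCH CMDLINE ROOTDIR
nspawn_audit_check() {
    arch=$1 cmdline=$2 root=$3
    id=$(container_id "$root")
    case "$arch" in
        x86_64)
            echo "ok: $arch host, seccomp filter covers audit for '$id' container"
            return 0 ;;
        i386|i686)
            case "$id" in
                # Red Hat family; centos/rhel assumed to behave like Fedora.
                fedora|rhel|centos)
                    if has_audit_off "$cmdline"; then
                        echo "ok: audit=0 present for $id container on $arch"
                        return 0
                    fi
                    echo "needs audit=0: $id container on $arch host"
                    return 1 ;;
                *)
                    echo "ok: $id container on $arch does not need audit=0"
                    return 0 ;;
            esac ;;
        *)
            echo "arch $arch not covered; assume audit=0 is needed"
            return 1 ;;
    esac
}

# Usage on a real host (hypothetical script name):
#   nspawn-audit-check.sh /var/lib/machines/NAME
if [ $# -eq 1 ] && [ -d "$1" ]; then
    nspawn_audit_check "$(uname -m)" "$(cat /proc/cmdline)" "$1"
fi
```

Run it against the directory you would pass to `systemd-nspawn -D`; a non-zero exit means the container will hit the PAM/audit problem described above unless the host is rebooted with audit=0.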


More information about the systemd-devel mailing list