[systemd-devel] Why does nspawn check if in a user session?

Lennart Poettering lennart at poettering.net
Thu Sep 14 07:45:06 UTC 2017


On Thu, 14.09.17 00:55, Luke Shumaker (lukeshu at lukeshu.com) wrote:

> Hi all,
> 
> I have another question about `systemd-nspawn` internals.
> 
> When sanity-checking argv, it does:
> 
>         if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0) {
>                 log_error("--keep-unit --register=yes may not be used when invoked from a user session.");
>                 return -EINVAL;
>         }
> 
>   (the `&& arg_register` bit was added in 234)
> 
> Why does nspawn care if it is in a user session?
> 
> My best guess is that it doesn't want to share its cgroup with any
> other processes, and it is using user session membership as a sloppy
> proxy for that.  If that's the case, wouldn't it be more correct and
> robust to check for other processes in
> "/sys/fs/cgroup/.../cgroup.procs"?

It's simply a check that people don't call the tool from a regular
shell login, and thus make the session scope unit the shell login is
running in the container unit. Because when nspawn then exits it might
continue to be registered with machined as container unit even though
it really doesn't apply anymore.

I think using some kind of wrapper tool around nspawn that stays
running while nspawn is running is an OK thing and shouldn't prohibit
nspawn from registering the unit in machined as container unit, hence
I don't think it would be right to check the PID list as you suggest.

Lennart

-- 
Lennart Poettering, Red Hat
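
The distinction discussed in this thread, a shell login running inside a session scope versus a wrapper running as its own unit, can be read from a process's cgroup path. The C below is an added example, not part of the original message and not systemd's implementation of `cg_pid_get_owner_uid()`. It assumes that user sessions live under a `user-<UID>.slice` component; the helper names and the sample lines (including `my-nspawn-wrapper.service`) are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Path field of one /proc/<pid>/cgroup line ("ID:controllers:path"), or NULL. */
static const char *cgroup_line_path(const char *line) {
    const char *c = strchr(line, ':');
    if (c) c = strchr(c + 1, ':');
    return c ? c + 1 : NULL;
}

/* Hypothetical helper (not systemd's code): follow the leading run of
 * "*.slice" components and keep the last one. If it is "user-<digits>.slice",
 * store the UID and return 0; otherwise return -1 (not a user session). */
static int owner_uid_from_cgroup_path(const char *path, long *uid) {
    const char *slice = NULL;
    size_t len = 0;

    if (!path) return -1;
    while (*path == '/') path++;
    while (*path) {
        size_t n = strcspn(path, "/\n");
        if (n < 6 || strncmp(path + n - 6, ".slice", 6) != 0)
            break;                       /* first non-slice component */
        slice = path; len = n;
        path += n;
        while (*path == '/') path++;
    }
    if (!slice || len <= 11 || strncmp(slice, "user-", 5) != 0)
        return -1;
    size_t dlen = len - 11;              /* between "user-" and ".slice" */
    if (dlen > 10 || strspn(slice + 5, "0123456789") != dlen)
        return -1;
    if (uid) *uid = strtol(slice + 5, NULL, 10);
    return 0;
}

int main(void) {
    /* Constructed sample lines in /proc/<pid>/cgroup format. */
    const char *samples[] = {
        "0::/user.slice/user-1000.slice/session-3.scope",
        "0::/system.slice/my-nspawn-wrapper.service",
    };
    for (size_t i = 0; i < 2; i++) {
        long uid = -1;
        int r = owner_uid_from_cgroup_path(cgroup_line_path(samples[i]), &uid);
        printf("%s -> %s (uid %ld)\n", samples[i], r == 0 ? "user session" : "no user session", uid);
    }
    return 0;
}
```

The first sample corresponds to the case the quoted check rejects with `-EINVAL`; the second, a wrapper running as a system service, has no owning user slice and would pass.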

