[systemd-devel] systemd-nspawn: access to disk devices does not work on centos 7/systemd 219

Colin Guthrie gmane at colin.guthr.ie
Thu Jan 17 16:24:01 UTC 2019


Mailing List SVR wrote on 16/01/2019 21:03:
> Il 16/01/19 19:24, Lennart Poettering ha scritto:
>> On Mi, 16.01.19 09:20, Mailing List SVR (lists at svrinformatica.it) wrote:
>>
>>> Well, this command will make the sd devices readable inside the
>>> container on
>>> centos 7 too
>>>
>>> echo 'b 8:* rw' >
>>> /sys/fs/cgroup/devices/machine.slice/machine-bionic\\x2druntime.scope/devices.allow
>>>
>>>
>>> now I'll search for how to pass this to systemd-nspawn using a command line
>>> argument
>> Use --property=DeviceAllow=…
> 
> thanks, but this does not seem to be available in systemd 219, the version
> shipped with centos 7; it fails with an unrecognized option error.
> 
> Newer systemd versions work out of the box, probably because they have
> DevicePolicy=auto as the default,
> 
> so basically I ended up writing a systemd-nspawn wrapper that, launched
> from a systemd service, waits for
> /sys/fs/cgroup/devices/machine.slice/machine-<name>.scope to appear and
> then sets the required permissions in devices.allow.
> 
> If I use the reboot command inside the container, then the cgroup dir is
> recreated and the permissions are lost, since my wrapper is not called.
> 
> Luckily I can control the container, so I changed the reboot command
> so that it shuts down the container instead, and I set Restart=always in the
> systemd service so the container is restarted automatically after the
> shutdown,
> 
> so the only way to shut down the container is using systemctl stop <my
> service>, but this is better than nothing.

FWIW (and orthogonal to the actual problem), I think Facebook maintain a
backported systemd package for CentOS 7 that might be worth
investigating. Last time I looked there were still some manual deps you
had to build yourself (or just copy the packages) from Fedora which is a
bit rubbish but not impossible with a bit of jiggery pokery. There is
some degree of confidence that at least the package is used in a "fairly
large" deployment :-p

Worth having a little look over (I haven't had the need yet - like
yourself I've found workarounds for the itches I need to scratch that
are fixed in newer systemds - but may do at some point)

Col


-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/


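The wrapper that the quoted message describes (wait for the machine's scope cgroup to appear under the devices controller, then append a rule to devices.allow), written out as an added shell example. This is not code from the thread or from systemd; the function names, the cgroup-root parameter and the timeout are this example's own. The cgroup root is a parameter so the functions can be exercised against a scratch directory; on a real CentOS 7 host it is /sys/fs/cgroup/devices and the writes need root. Two things worth knowing before copying the rule from the thread: block major 8 covers every /dev/sd* disk, so 'b 8:* rw' hands the container read-write access to the host's own disks as well, and a reboot from inside the container recreates the scope cgroup, so the whitelist has to be re-applied (which is why the poster replaced reboot with shutdown plus Restart=always). The name escaping below is a deliberate simplification of systemd-escape(1): it only turns '-' into '\x2d', which is the case that bites with names like bionic-runtime.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread or from systemd.
# Reproduces the "wait for the scope cgroup, then whitelist a device"
# wrapper from the thread, with the cgroup root as a parameter so the
# functions can be tested against a temporary directory.

# Escape a machine name the way systemd does for unit names, for the one
# character that matters here: '-' becomes '\x2d'. Simplification of
# systemd-escape(1), which also escapes '/' and other non-alphanumerics.
escape_unit_name() {
    printf '%s' "$1" | sed 's/-/\\x2d/g'
}

# scope_path ROOT MACHINE
# Directory of the machine's scope cgroup under the given cgroup root,
# e.g. /sys/fs/cgroup/devices/machine.slice/machine-bionic\x2druntime.scope
scope_path() {
    root=$1
    name=$(escape_unit_name "$2")
    printf '%s/machine.slice/machine-%s.scope' "$root" "$name"
}

# allow_device ROOT MACHINE RULE [TIMEOUT_SECONDS]
# Polls once a second until the scope directory exists (systemd-nspawn
# creates it when the container starts) and then appends RULE, such as
# 'b 8:* rw', to its devices.allow file. Returns 1 if the cgroup does not
# show up within the timeout (default 30 s), so a calling service can fail
# loudly instead of running a container without the device it needs.
allow_device() {
    root=$1; machine=$2; rule=$3; timeout=${4:-30}
    scope=$(scope_path "$root" "$machine")
    waited=0
    while [ ! -d "$scope" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out waiting for $scope" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # Caveat: 'b 8:* rw' opens every /dev/sd* node (block major 8) to the
    # container, including the host's own disks. Prefer a specific
    # major:minor pair when a single device will do.
    printf '%s\n' "$rule" >> "$scope/devices.allow"
}
```

Usage on the host would be `allow_device /sys/fs/cgroup/devices bionic-runtime 'b 8:16 rw'` from the ExecStartPost= (or a companion unit) of the service that launches systemd-nspawn; because the cgroup is recreated on an in-container reboot, the call has to be repeated whenever the container comes back up.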