[systemd-devel] avoid unmounts in unprivileged containers

Rodny Molina rodnymolina at gmail.com
Tue Feb 23 19:06:43 UTC 2021


Partially answering my own questions ...

The code that I was referring to (systemd-shutdown) that takes into account
containerized environments (ConditionVirtualization) and avoids doing the
unmounts, is invoked at a later stage
<https://github.com/systemd/systemd/blob/main/src/core/main.c#L1558> in the
shutdown cycle. By the time that this code executes, all the
mountpoints that I care about (those extracted from /proc/pid/mountinfo at
runtime) are already unmounted.

So I have no answer for my original question: is there any config knob to
avoid doing unmounts during the container-shutdown process?

Thanks!

On Fri, Feb 19, 2021 at 7:17 PM Rodny Molina <rodnymolina at gmail.com> wrote:

> Hi,
>
> As part of a prototype I'm working on to run systemd within an
> unprivileged docker container, I would like to prevent mountpoints created
> at runtime from being unmounted during the container shutdown process. I
> understand that systemd creates "<blah>.mount" units dynamically for
> these mountpoints as they show up in /proc/pid/mountinfo, but after reading
> the docs + code, I don't see a way to avoid these unmounts during the
> shutdown.target execution.
>
> Interestingly, I see that there's code
> <https://github.com/systemd/systemd/blob/main/src/shutdown/shutdown.c#L398> that
> skips the unmounting cycle attending to the ConditionVirtualization /
> containerized settings, which is what I need, but I'm not able to see
> that code being called during the container shutdown -- probably I'm not
> understanding systemd's FSM unwinding logic well enough ...
>
> Any suggestions?
>
> Thanks!
>
> PS: Last few logs obtained during my container shutdown process ...
>
> ---
> Feb 20 03:00:23 08363a0a79ee umount[1273]: umount: /var/lib/kubelet: must
> be superuser to unmount.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Received SIGCHLD from PID 1273
> (umount).
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Child 1273 (umount) died
> (code=exited, status=32/n/a)
> Feb 20 03:00:23 08363a0a79ee systemd[1]: var-lib-kubelet.mount: Child 1273
> belongs to var-lib-kubelet.mount.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: var-lib-kubelet.mount: Mount
> process exited, code=exited, status=32/n/a
> Feb 20 03:00:23 08363a0a79ee systemd[1]: var-lib-kubelet.mount: Changed
> unmounting -> mounted
> Feb 20 03:00:23 08363a0a79ee systemd[1]: var-lib-kubelet.mount: Job 180
> var-lib-kubelet.mount/stop finished, result=failed
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Failed unmounting
> /var/lib/kubelet.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-journald.service:
> Received EPOLLHUP on stored fd 47 (stored), closing.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: local-fs-pre.target changed
> active -> dead
> Feb 20 03:00:23 08363a0a79ee systemd[1]: local-fs-pre.target: Job 156
> local-fs-pre.target/stop finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Stopped target Local File Systems
> (Pre).
> Feb 20 03:00:23 08363a0a79ee systemd[1]: umount.target changed dead ->
> active
> Feb 20 03:00:23 08363a0a79ee systemd[1]: umount.target: Job 168
> umount.target/start finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Reached target Unmount All
> Filesystems.
> Feb 20 03:00:23 08363a0a79ee systemd[1]:
> systemd-tmpfiles-setup-dev.service: Succeeded.
> Feb 20 03:00:23 08363a0a79ee systemd[1]:
> systemd-tmpfiles-setup-dev.service: Service restart not allowed.
> Feb 20 03:00:23 08363a0a79ee systemd[1]:
> systemd-tmpfiles-setup-dev.service: Changed exited -> dead
> Feb 20 03:00:23 08363a0a79ee systemd[1]:
> systemd-tmpfiles-setup-dev.service: Job 105
> systemd-tmpfiles-setup-dev.service/stop finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Stopped Create Static Device
> Nodes in /dev.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-sysusers.service:
> Succeeded.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-sysusers.service: Service
> restart not allowed.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-sysusers.service: Changed
> exited -> dead
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-sysusers.service: Job 164
> systemd-sysusers.service/stop finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Stopped Create System Users.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-remount-fs.service:
> Succeeded.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-remount-fs.service:
> Service restart not allowed.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-remount-fs.service:
> Changed exited -> dead
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-remount-fs.service: Job
> 117 systemd-remount-fs.service/stop finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Stopped Remount Root and Kernel
> File Systems.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: shutdown.target changed dead ->
> active
> Feb 20 03:00:23 08363a0a79ee systemd[1]: shutdown.target: Job 89
> shutdown.target/start finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Reached target Shutdown.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: final.target changed dead ->
> active
> Feb 20 03:00:23 08363a0a79ee systemd[1]: final.target: Job 167
> final.target/start finished, result=done
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Reached target Final Step.
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: Failed to
> reset devices.allow/devices.deny: Operation not permitted
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: Failed to
> set invocation ID on control group /system.slice/systemd-halt.service,
> ignoring: Operation not permitted
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: Failed to
> remove delegate flag on control group /system.slice/systemd-halt.service,
> ignoring: Operation not permitted
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: Passing 0
> fds to service
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: About to
> execute: /usr/bin/systemctl --force halt
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: Forked
> /usr/bin/systemctl as 1281
> Feb 20 03:00:23 08363a0a79ee systemd[1281]: PR_SET_MM_ARG_START failed,
> attempting PR_SET_MM_ARG_END hack: Operation not permitted
> Feb 20 03:00:23 08363a0a79ee systemd[1281]: PR_SET_MM_ARG_END hack failed,
> proceeding without: Operation not permitted
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-halt.service: Changed
> dead -> start
> Feb 20 03:00:23 08363a0a79ee systemd[1]: Starting Halt...
> Feb 20 03:00:23 08363a0a79ee systemd[1281]: systemd-halt.service:
> Executing: /usr/bin/systemctl --force halt
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-journald.service: Got
> notification message from PID 185 (FDSTORE=1)
> Feb 20 03:00:23 08363a0a79ee systemd[1]: systemd-journald.service: Added
> fd 24 (n/a) to fd store.
> Hangup
> ---
>
>
> --
> /Rodny
>


-- 
/Rodny
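The thread turns on two things that are easy to get wrong when debugging this in a container: which `.mount` unit name systemd synthesises for a given entry in `/proc/self/mountinfo`, and which of those units actually had their stop job fail (umount exit status 32, "must be superuser to unmount") before `systemd-shutdown` ever gets a chance to skip unmounting. The following is an added example, not code from the thread or from the systemd project. It assumes the mountinfo field layout documented in proc(5) and a unit-name escaping rule that mirrors `systemd-escape --path` (slashes become `-`, a leading `.` and any byte outside `[A-Za-z0-9:_.]` become `\xNN`, `/` itself becomes `-`); the mountinfo sample is constructed, and the journal sample is taken from the log in the thread with one constructed "result=done" line added for contrast.

```python
"""Map /proc/self/mountinfo entries to the .mount unit names systemd generates
for them, then cross-check those units against journal output to find stop
jobs that failed during shutdown (e.g. EPERM on umount in an unprivileged
container).  Added example; not part of the thread or of systemd."""
import re

# Constructed mountinfo sample (proc(5) layout).  Spaces in paths appear as \040.
MOUNTINFO_SAMPLE = """\
22 1 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/a,upperdir=/b,workdir=/c
23 22 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:23 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
25 22 8:1 /lib/kubelet /var/lib/kubelet rw,relatime - ext4 /dev/sda1 rw
26 22 8:1 /data/foo\\040bar /mnt/foo\\040bar rw,relatime - ext4 /dev/sda1 rw
"""

# Journal lines from the thread (re-joined onto single lines) plus one
# constructed "tmp.mount" line so the report shows a successful stop as well.
JOURNAL_SAMPLE = """\
Feb 20 03:00:23 08363a0a79ee umount[1273]: umount: /var/lib/kubelet: must be superuser to unmount.
Feb 20 03:00:23 08363a0a79ee systemd[1]: var-lib-kubelet.mount: Mount process exited, code=exited, status=32/n/a
Feb 20 03:00:23 08363a0a79ee systemd[1]: var-lib-kubelet.mount: Job 180 var-lib-kubelet.mount/stop finished, result=failed
Feb 20 03:00:23 08363a0a79ee systemd[1]: tmp.mount: Job 181 tmp.mount/stop finished, result=done
Feb 20 03:00:23 08363a0a79ee systemd[1]: local-fs-pre.target: Job 156 local-fs-pre.target/stop finished, result=done
"""


def unescape_mountinfo(field):
    """Decode the \\ooo octal escapes the kernel uses for space, tab, newline, backslash."""
    return re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return [{'where', 'what', 'fstype'}] for each mountinfo line.
    Fields before ' - ' are fixed plus optional tags; after it: fstype source options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(' - ')
        f, g = pre.split(' '), post.split(' ')
        mounts.append({'where': unescape_mountinfo(f[4]),
                       'fstype': g[0],
                       'what': unescape_mountinfo(g[1])})
    return mounts


def unit_name_from_path(path):
    """Escape a mount point the way systemd-escape --path does (assumed rule, see lead-in).
    '/' -> '-', other slashes -> '-', leading '.' and bytes outside [A-Za-z0-9:_.] -> \\xNN."""
    p = re.sub('/+', '/', path).strip('/')
    if not p:
        return '-'
    out = []
    for i, b in enumerate(p.encode()):          # escape per UTF-8 byte, like systemd
        ch = chr(b)
        if ch == '/':
            out.append('-')
        elif (b < 128 and ch.isalnum()) or ch in ':_' or (ch == '.' and i != 0):
            out.append(ch)
        else:
            out.append('\\x%02x' % b)
    return ''.join(out)


STOP_JOB_RE = re.compile(r'systemd\[1\]: (?P<unit>\S+\.mount): Job \d+ \S+/stop finished, result=(?P<result>\w+)')
UMOUNT_ERR_RE = re.compile(r'umount\[\d+\]: umount: (?P<where>.+?): (?P<reason>.+?)\.?$')


def mount_stop_results(journal_text):
    """Return {unit: result} for every .mount stop job reported in the journal."""
    results = {}
    for line in journal_text.splitlines():
        m = STOP_JOB_RE.search(line)
        if m:
            results[m.group('unit')] = m.group('result')
    return results


def umount_errors(journal_text):
    """Return {mountpoint: reason} from umount(8) error lines, e.g. the EPERM case."""
    errors = {}
    for line in journal_text.splitlines():
        m = UMOUNT_ERR_RE.search(line)
        if m:
            errors[m.group('where')] = m.group('reason')
    return errors


def shutdown_report(mountinfo_text, journal_text):
    """For each live mount: (mountpoint, unit name, stop result or 'no-job', umount reason)."""
    results = mount_stop_results(journal_text)
    errors = umount_errors(journal_text)
    rows = []
    for m in parse_mountinfo(mountinfo_text):
        unit = unit_name_from_path(m['where']) + '.mount'
        rows.append((m['where'], unit, results.get(unit, 'no-job'), errors.get(m['where'], '')))
    return rows


if __name__ == '__main__':
    for where, unit, result, reason in shutdown_report(MOUNTINFO_SAMPLE, JOURNAL_SAMPLE):
        print(f'{where:<20} {unit:<28} {result:<8} {reason}')
```

Run it against the real system by substituting `open('/proc/self/mountinfo').read()` and `journalctl -b -o short --no-pager` output for the two samples; units reported as `failed` are the ones whose stop jobs ran before the container-aware skip in `systemd-shutdown`, which is exactly the ordering the reply above describes. The escaping helper is there so the unit names you look up with `systemctl show` or `systemctl status` match what systemd generated.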