<div dir="ltr">1. When attaching a service with an extension, the portablectl list shows the base image as 'attached' but the extension as 'detached'. Is the 'detached' state expected or an indication that something is wrong?<div> </div><div>You can expect a detached state because the extension is not actually running in the same process as the base image. The extension is has a different PID, but they share the same memory region. </div><div> </div><div>> 3. What are some approaches to debugging problems with the service's > environment? Two examples of problems I encountered were 1) the base > image was missing a library the extension depended upon </div><div> </div><div>That's a weird problem. Don't laugh, but I ran into a situation where the libraries were installed, but the systemd source code was missing. I'm not sure what a good version of the source code should be. I think I might be referring to an earlier comment. My only suggestion would be to use portablectl debug but you are probably already doing that. </div><div> </div><div>If you use systemd-run, Here is a template for a systemd service file that might help you.</div><div> </div><div>[Unit] Description=My service[Service] Type=oneshot ExecStart=/usr/bin/systemd-run --scope --rootimage=/path/to/root/image --extensionimages=/path/to/extension/image /usr/bin/my-command[Install] WantedBy=multi-user.targetBenjamin Godfrey</div></div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 5, 2023 at 5:00 AM <<a href="mailto:systemd-devel-request@lists.freedesktop.org">systemd-devel-request@lists.freedesktop.org</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send systemd-devel mailing list submissions to <a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/systemd-devel</a> or, via email, send a message with subject or body 'help' to <a href="mailto:systemd-devel-request@lists.freedesktop.org" target="_blank">systemd-devel-request@lists.freedesktop.org</a> You can reach the person managing the list at <a href="mailto:systemd-devel-owner@lists.freedesktop.org" target="_blank">systemd-devel-owner@lists.freedesktop.org</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of systemd-devel digest..." Today's Topics: 1. portable service questions (Chuck Tuffli) 2. Re: portable service questions (Luca Boccassi) ---------------------------------------------------------------------- Message: 1 Date: Thu, 4 May 2023 12:52:16 -0700 From: Chuck Tuffli <<a href="mailto:ctuffli@gmail.com" target="_blank">ctuffli@gmail.com</a>> To: <a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a> Subject: [systemd-devel] portable service questions Message-ID: <<a href="mailto:CAKAYmMK0g_EcgkaHe7k2bzdEf4ON1COo%2Bz3K5x9TuKcoDKOEOQ@mail.gmail.com" target="_blank">CAKAYmMK0g_EcgkaHe7k2bzdEf4ON1COo+z3K5x9TuKcoDKOEOQ@mail.gmail.com</a>> Content-Type: text/plain; charset="UTF-8" I basically have portable service extensions working, but in the process, there are a few questions that came up. 1. When attaching a service with an extension, the portablectl list shows the base image as 'attached' but the extension as 'detached'. Is the 'detached' state expected or an indication that something is wrong? 2. When using the default profile, systemd attaches a writable /tmp and /var/tmp. But the trusted profile doesn't attach either. From looking at the code, this appears to be expected. For read-only service images running with the trusted profile, is there a way to get a writable tmp directories or is the expectation that the base image is writable? 3. What are some approaches to debugging problems with the service's environment? Two examples of problems I encountered were 1) the base image was missing a library the extension depended upon and 2) the service couldn't create configuration files because of a missing directory. In both cases, I replaced the ExecStart with 'sleep 1d' and used 'nsenter --target $(pidof sleep)' to investigate the environment and figure out where I goofed. Is there a better way to do this? Thanks! --chuck ------------------------------ Message: 2 Date: Thu, 4 May 2023 22:27:26 +0100 From: Luca Boccassi <<a href="mailto:luca.boccassi@gmail.com" target="_blank">luca.boccassi@gmail.com</a>> To: Chuck Tuffli <<a href="mailto:ctuffli@gmail.com" target="_blank">ctuffli@gmail.com</a>> Cc: <a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a> Subject: Re: [systemd-devel] portable service questions Message-ID: <CAMw=<a href="mailto:ZnTjRYQ1rP3jh0utiwAfP9Jm_PmKvSLe4FF%2Bry8-ZuJDYQ@mail.gmail.com" target="_blank">ZnTjRYQ1rP3jh0utiwAfP9Jm_PmKvSLe4FF+ry8-ZuJDYQ@mail.gmail.com</a>> Content-Type: text/plain; charset="UTF-8" On Thu, 4 May 2023 at 22:00, Chuck Tuffli <<a href="mailto:ctuffli@gmail.com" target="_blank">ctuffli@gmail.com</a>> wrote: > > I basically have portable service extensions working, but in the > process, there are a few questions that came up. > > 1. When attaching a service with an extension, the portablectl list > shows the base image as 'attached' but the extension as 'detached'. Is > the 'detached' state expected or an indication that something is > wrong? That's a known issue, it's just cosmetic > 2. When using the default profile, systemd attaches a writable /tmp > and /var/tmp. But the trusted profile doesn't attach either. From > looking at the code, this appears to be expected. For read-only > service images running with the trusted profile, is there a way to get > a writable tmp directories or is the expectation that the base image > is writable? This was changed recently and now every profile has a private /tmp > 3. What are some approaches to debugging problems with the service's > environment? Two examples of problems I encountered were 1) the base > image was missing a library the extension depended upon and 2) the > service couldn't create configuration files because of a missing > directory. In both cases, I replaced the ExecStart with 'sleep 1d' and > used 'nsenter --target $(pidof sleep)' to investigate the environment > and figure out where I goofed. Is there a better way to do this? Use systemd-run and pass it RootImage and ExtensionImages and you can do whatever you want, even getting a shell, in an identical environment ------------------------------ Subject: Digest Footer _______________________________________________ systemd-devel mailing list <a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a> <a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/systemd-devel</a> ------------------------------ End of systemd-devel Digest, Vol 157, Issue 4 ********************************************* </blockquote></div>