On Tue, Jun 9, 2015 at 11:37 PM, Lennart Poettering
wrote:
> On Tue, 09.06.15 13:04, Filipe Brandenburger (filbran...@google.com) wrote:
>
>> On Tue, Jun 9, 2015 at 12:59 PM, Lennart Poettering
>> wrote:
>> > [...] so we comment and ask for a new PR, and close the old one.
>>
>> See my previous c
On Tue, May 19, 2015 at 3:44 PM, Lennart Poettering
wrote:
> On Tue, 19.05.15 13:08, Alban Crequy (al...@endocode.com) wrote:
>
>> The commit be7d9ff730cb88d7c6a869dd5c47754c78ceaef2 ("core: introduce
>> seperate reverse dependencies for Requires= and Requisite=")
On Tue, May 19, 2015 at 1:26 AM, Lennart Poettering
wrote:
> On Tue, 19.05.15 00:55, Lennart Poettering (lenn...@poettering.net) wrote:
>
>> On Thu, 14.05.15 21:23, Evert (evert.gen...@planet.nl) wrote:
>>
>> > Hi,
>> >
>> > According to the systemd documentation, Requisite disallows starting a
>>
From: Alban Crequy
When systemd-nspawn gets exec*()ed, it inherits the following file
descriptors:
- 0, 1, 2: stdin, stdout, stderr
- SD_LISTEN_FDS_START, ... SD_LISTEN_FDS_START+LISTEN_FDS: file
descriptors passed by the system manager (useful for socket
activation). They are passed to the
On Mon, May 18, 2015 at 2:00 PM, Lennart Poettering
wrote:
> On Mon, 18.05.15 10:34, Alban Crequy (al...@endocode.com) wrote:
>
>> On Wed, May 13, 2015 at 6:14 PM, Lennart Poettering
>> wrote:
>> > On Mon, 11.05.15 16:41, Alban Crequy (alban.cre...@gmail.com) wr
From: Alban Crequy
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
The test-ns tool can test setup_namespace() with and without
On Wed, May 13, 2015 at 6:14 PM, Lennart Poettering
wrote:
> On Mon, 11.05.15 16:41, Alban Crequy (alban.cre...@gmail.com) wrote:
>
>> src/nspawn/nspawn.c | 9 -
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/nspawn/nspawn.c
From: Alban Crequy
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
This can be tested with test-ns as root:
# export
From: Alban Crequy
When a process starts systemd-nspawn with exec*() without fork(),
systemd-nspawn can be the parent process of child processes unknown
to systemd-nspawn. It can then receive the signal SIGCHLD for both the
container leader process and the previously started processes. So it
On Wed, Feb 25, 2015 at 6:48 PM, Lennart Poettering
wrote:
> On Wed, 25.02.15 00:05, Cyrill Gorcunov (gorcu...@gmail.com) wrote:
>
>> Hi all! I would really appreciate if someone enlighten me if there is some
>> simple
>> solution for the problem we met in OpenVZ: modern containers are mostly
>>
On Fri, Apr 24, 2015 at 5:34 PM, Lennart Poettering
wrote:
> On Fri, 24.04.15 17:10, Alban Crequy (al...@endocode.com) wrote:
>
>> On Fri, Apr 24, 2015 at 12:45 PM, Lennart Poettering
>> wrote:
>> > On Wed, 22.04.15 16:55, Alban Crequy (al...@endocode.com) wrote
On Fri, Apr 24, 2015 at 12:45 PM, Lennart Poettering
wrote:
> On Wed, 22.04.15 16:55, Alban Crequy (al...@endocode.com) wrote:
>
>> Thanks for the commits. They don't seem related to containers.
>>
>> I can reproduce my issue on git-master:
>>
>> sudo ~/gi
On Tue, Apr 21, 2015 at 10:35 PM, Zbigniew Jędrzejewski-Szmek
wrote:
> On Tue, Apr 21, 2015 at 03:54:35PM +0200, Alban Crequy wrote:
>> On Sat, Feb 28, 2015 at 5:40 PM, Lennart Poettering
>> wrote:
>> > On Fri, 27.02.15 17:13, Lennart Poettering (lenn...@poettering.net)
On Sat, Feb 28, 2015 at 5:40 PM, Lennart Poettering
wrote:
> On Fri, 27.02.15 17:13, Lennart Poettering (lenn...@poettering.net) wrote:
>
>> On Thu, 26.02.15 16:50, Martin Pitt (martin.p...@ubuntu.com) wrote:
>>
>> > IMHO it would be prudent to skip adding the BindsTo= if at the time of
>> > creat
From: Alban Crequy
When a systemd-nspawn container terminates, systemd umounts all bind
mounts that were mounted in the container and generates a log for each
umount.
This additional log_info was added by
bce93b7ac7642426039863493694d8c12812e2a7 for debugging shutdown. But
surely log_debug is
On Tue, Mar 31, 2015 at 5:35 PM, Dave Reisner wrote:
> On Tue, Mar 31, 2015 at 05:14:48PM +0200, Alban Crequy wrote:
>> From: Alban Crequy
>>
>> Some systems abusively restrict mknod, even when the device node already
>> exists in /dev. This is unfortunate because
From: Alban Crequy
Some systems abusively restrict mknod, even when the device node already
exists in /dev. This is unfortunate because it prevents systemd-nspawn
from creating the basic devices in /dev in the container.
This patch implements a workaround: when mknod fails, fall back on bind
On Sun, Mar 29, 2015 at 5:24 PM, Tom Gundersen wrote:
>
> On Mar 29, 2015 5:18 PM, "Alban Crequy" wrote:
>>
>> From: Alban Crequy
>>
>> Some systems abusively restrict mknod, even when the device node already
>> exists in /dev. This is unfortun
On Tue, Mar 17, 2015 at 6:12 PM, Vincent Batts wrote:
> On 11/03/15 15:24 +0100, Iago López Galeiras wrote:
>>
>> Hi,
>>
>> We're looking into adding appc[1] support in systemd-importd. An appc
>> image (ACI) is just a tar with a "rootfs" directory and a json "manifest".
>> We would have to implem
From: Alban Crequy
renameat2() exists since Linux 3.15 but btrfs support for the flag
RENAME_NOREPLACE was added later.
This patch implements a fallback when renameat2() returns EINVAL.
EINVAL is the error returned when the filesystem does not support one of
the flags.
---
src/import/import
Comments inline:
On Tue, Mar 10, 2015 at 4:25 PM, Lennart Poettering
wrote:
> On Tue, 10.03.15 16:16, Alban Crequy (alban.cre...@gmail.com) wrote:
>
>> -if (renameat2(AT_FDCWD, t, AT_FDCWD, to, replace ? 0 :
>> RENAME_NOREPLACE) < 0) {
>> -
On 9 December 2014 at 17:28, Lennart Poettering wrote:
> On Tue, 09.12.14 16:24, Krzysztof Kotlenga (k.kotle...@sims.pl) wrote:
>
>> Hi.
>>
>> Currently notify socket is unavailable in chrooted services (again)
>> unless you bind mount it there. Is there perhaps another, less
>> cumbersome way?
>>
From: Alban Crequy
Manpage systemd.mount(5) says: "If the mount point does not exist at the
time of mounting, it is created." However, it was not working for bind
mounts of non-directory files (regular, device, socket, etc).
This patch checks the type of the resource to bind mount
From: Alban Crequy
When a service is chrooted with the option RootDirectory=/opt/..., then
the option PrivateDevices=true must mount the private /dev in
$RootDirectory/dev instead of /dev.
v2:
- create the $RootDirectory/dev directory if missing. This is
consistent with mount unit creating
When a service uses both RootDirectory=/opt/... and PrivateDevices=true,
the private /dev must not be mounted in /dev but in /opt/.../dev.
---
src/core/execute.c | 6 +-
src/core/namespace.c | 10 +-
src/core/namespace.h | 2 +-
src/test/test-ns.c | 2 +-
4 files changed, 12 ins
On 5 February 2015 at 12:48, Vasiliy Tolstov wrote:
>
> 2015-02-05 12:44 GMT+03:00 Alban Crequy :
>>
>> Manual page namespaces(7):
>>
>>Creation of new namespaces using clone(2) and unshare(2) in most
>> cases
>>requires the CAP_SYS_
[reposting - sorry I forgot to Cc the mailing list]
On 4 February 2015 at 23:03, Vasiliy Tolstov wrote:
> Hello!
> Is it possible to create a container as a regular user? Or what capabilities do I
> need to add to create a container without using root?
Hello,
Manual page namespaces(7):
Creation of
From: Alban Crequy
v2:
- simplify the patch: any non-directory file can be mounted on any
non-directory file.
- allow bind mount of files of different types
---
src/nspawn/nspawn.c | 27 +++
1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/src/nspawn
On 22 January 2015 at 13:51, Lennart Poettering wrote:
> On Thu, 22.01.15 13:25, Alban Crequy (mua...@gmail.com) wrote:
>
>> From: Alban Crequy
>
> Hmm, I wonder if we can actually simplify this. IIRC the rules for
> over-mounting are simpler than I thought initially:
>
From: Alban Crequy
---
src/nspawn/nspawn.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 3fce3ad..db57b24 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -911,8 +911,7 @@ static int mount_binds(const char
Before Linux commit 25888e (from 2.6.37-rc4, Nov 2010), fd-passing on Unix
sockets could recursively be stacked, allowing a process to exhaust the open
files limit (/proc/sys/fs/file-max) on the system without restriction from
ulimit -n.
This DoS on Unix sockets was fixed by commit:
> commit 2588
Symptoms:
> kdbus/bus.h:56:14: error: field ‘kref’ has incomplete type
> struct kref kref;
Signed-off-by: Alban Crequy
---
bus.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/bus.h b/bus.h
index a5832b8..c7ce2fa 100644
--- a/bus.h
+++ b/bus.h
@@ -16,6 +16,7 @@
#include
#i
On Wed, 13 Aug 2014 16:37:17 +0200
Lennart Poettering wrote:
> On Thu, 07.08.14 15:19, Alban Crequy (alban.cre...@collabora.co.uk)
> wrote:
>
> > Hi,
> >
> > Should unprivileged processes be allowed to change cgroup?
>
> Well, they shouldn't do it. But I
Hi,
Should unprivileged processes be allowed to change cgroup?
As I understand it, it is not possible to block processes from
leaving a cgroup, but only to block processes from entering a cgroup.
In the following example, session-c4.scope/tasks belongs to root:root
with -rw-r--r-- and user@1000.service/t