On Thu, 20.11.14 10:32, Martin Pitt ([email protected]) wrote:

> Hello all,

heya,

> we just got a bug report [1] about the [email protected] not
> working very well by default:
>
> First, /var/lib/containers/ does not exist by default. To guard
> against information leaks or hard link attacks by users, this
> directory should be 0700 by default. LXC does the same (/var/lib/lxc
> is 0700 for these reasons). What do you think about adding
>
> d /var/lib/containers 0700 - - -
>
> to tmpfiles.d/var.conf? I can also add this to the Debian tmpfiles.d
> file, but it's not really Debian specific.

Sounds reasonable. But first, can you elaborate on the reason for 0700 rather than 0755?

> Second, [email protected] uses --link-journal=guest. If you
> don't have a persistent journal, and /var/log/journal/ does not exist,
> then containers fail to start in a rather unfriendly way:
>
> Spawning container c on /tmp/c.
> Press ^] three times within 1s to kill container.
> Container c failed with error code 1.
>
> I.e. they don't tell you what's wrong. (SYSTEMD_LOG_LEVEL=debug
> doesn't help at all). But --link-journal=auto isn't right either as
> this then won't create the /var/log/journal/<machineid> symlink if you
> do have a persistent journal.
>
> I don't quite like creating /var/log/journal by default in the
> package, as that would create persistent journals on the host (for the
> guests) even though the admin disabled/didn't enable persistent
> journalling.
>
> - Option 1: Change the unit to use "guest" if /var/log/journal
>   exists, and not use --link-journal at all if it doesn't. (This
>   can't be directly expressed on the nspawn CLI, thus would need some
>   Exec=/bin/sh -c 'if [ -d ... ]' shell commands)
>
> - Option 2: Make --link-journal=guest nonfatal and just print out a
>   warning if /var/log/journal/ does not exist.
>
> - Any others?

Hmm, another option would be to introduce --link-journal=try-guest which is identical to --link-journal=guest except that it becomes a NOP if /var/log/journal doesn't exist and doesn't even generate an error or warning. Then, we could change "-j" to mean --link-journal=try-guest and make that the default to use in the unit file.

I think that would be the best option really.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
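The "Option 1" wrapper from the quoted mail, written out as an added shell example (not code from the thread or from systemd): one function picks the --link-journal argument only when the host actually has a persistent journal directory, and a second verifies that the containers directory carries the 0700 mode the tmpfiles.d line would give it. The ROOT prefix, the function names and the use of GNU stat(1) are assumptions so the functions can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not from the thread: decide the nspawn journal-link
# argument the way "Option 1" describes, and verify the containers
# directory mode. ROOT (default "/") is an assumed prefix so the
# functions can be run against a scratch tree instead of the real host.

# Print "--link-journal=guest" only if the host has a persistent
# journal directory; print nothing otherwise, so nspawn is started
# without any --link-journal option and does not fail at start.
link_journal_arg() {
    root="${1:-/}"
    if [ -d "${root%/}/var/log/journal" ]; then
        printf '%s\n' '--link-journal=guest'
    fi
}

# Return 0 if DIR exists, is a directory and has mode 0700 (what the
# tmpfiles.d line "d /var/lib/containers 0700 - - -" would create);
# otherwise report the problem on stderr and return 1.
# Uses GNU stat(1) "-c %a", assumed available.
check_private_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "unexpected mode $mode on $dir (want 700)" >&2
        return 1
    fi
    return 0
}

# How a unit's ExecStart wrapper could use it (constructed, not the
# real unit; "$1" is the container name):
#   check_private_dir /var/lib/containers || exit 1
#   exec systemd-nspawn $(link_journal_arg /) -D "/var/lib/containers/$1"
```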
