[systemd-devel] advice for zfs-mount-generator

2016-06-27 Thread Jörg Thalheim
Hi,

when using zfs in combination with systemd, users run into the following
problem:

- zfs manages mountpoints on its own and systemd is not aware of those.
- this leads to problems when mountpoints for other filesystems are mounted
  on directories in a zfs dataset, or files are created in a directory before
  zfs could mount its dataset there.
- the default behaviour in the zfs case is to refuse to mount a filesystem on
  top of a non-empty directory.

In case zfs is loaded via initrd (to allow using zfs as bootfs) during early
boot, writing a generator should be easy:

```
$ zfs get all -H | grep mountpoint
zroot/home  mountpoint  /home  local
zroot/journal   mountpoint  /var/lib/journal  local
zroot/postgres  mountpoint  /var/lib/postgres  local
zroot/root  mountpoint  / local
zroot/root/nix  mountpoint  /nix  local
zroot/root/tmp  mountpoint  /tmp  local
```

It should also be noted that those filesystems will not be mounted using
mount(2), but via the command interface `zfs mount`, unless the mountpoint is
set to `legacy`.

However, currently some zfs services exist which import zfs pools after the
generators run:

/usr/lib/systemd/system/zfs-import-scan.service:
```
[Unit]
Description=Import ZFS pools by device scanning
DefaultDependencies=no
Requires=systemd-udev-settle.service
After=systemd-udev-settle.service
After=cryptsetup.target
Before=dracut-mount.service
ConditionPathExists=!/etc/zfs/zpool.cache

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/sbin/modprobe zfs
ExecStart=/usr/bin/zpool import -aN -o cachefile=none

[Install]
WantedBy=zfs-mount.service
WantedBy=zfs.target
```

/usr/lib/systemd/system/zfs-mount.service:
```
[Unit]
Description=Mount ZFS filesystems
DefaultDependencies=no
After=systemd-udev-settle.service
After=zfs-import-cache.service
After=zfs-import-scan.service
After=systemd-remount-fs.service
Before=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/zfs mount -a

[Install]
WantedBy=zfs-share.service
WantedBy=zfs.target
```

As generators run before units, I run into a chicken-and-egg problem.
I would appreciate suggestions on how to make this scheme compatible
with the way systemd handles mounts.

Thanks, Jörg Thalheim.


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
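A sketch of what such a generator could emit, as an added example that is neither the poster's code nor the generator later shipped by OpenZFS: it parses the `zfs get` output shown above into systemd `.mount` units. It assumes that mounting a non-legacy dataset via `mount -t zfs -o zfsutil` is acceptable, orders the units after the import services quoted above, and does not solve the pool-import ordering problem the post raises.

```python
# Constructed sample in `zfs get all -H | grep mountpoint` format
# (name, property, value, source); the last two rows are cases to skip.
SAMPLE = """\
zroot/home\tmountpoint\t/home\tlocal
zroot/journal\tmountpoint\t/var/lib/journal\tlocal
zroot/root\tmountpoint\t/\tlocal
zroot/root/nix\tmountpoint\t/nix\tlocal
zroot/old\tmountpoint\tlegacy\tlocal
zroot/scratch\tmountpoint\tnone\tlocal
"""

def escape_path(path):
    """Mimic `systemd-escape --path`: '/' becomes '-'; '-' and any other
    unsafe byte becomes \\xNN so that the unit name stays unambiguous."""
    p = path.strip("/")
    if not p:
        return "-"                      # the root filesystem is -.mount
    out = []
    for i, b in enumerate(p.encode()):
        c = chr(b)
        if c == "/":
            out.append("-")
        elif c.isascii() and (c.isalnum() or c in "_:" or (c == "." and i > 0)):
            out.append(c)
        else:
            out.append("\\x%02x" % b)
    return "".join(out)

def generate_units(zfs_output):
    """Return {unit file name: unit text} for each dataset systemd should mount.
    'legacy' belongs in fstab, 'none' is never mounted, and '/' is already
    mounted by the initrd and tracked by systemd as -.mount, so all are skipped."""
    units = {}
    for line in zfs_output.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or fields[1] != "mountpoint":
            continue
        dataset, where = fields[0], fields[2]
        if not where.startswith("/") or where == "/":
            continue
        units[escape_path(where) + ".mount"] = (
            "[Unit]\n"
            "After=zfs-import-cache.service zfs-import-scan.service\n"
            "Before=local-fs.target\n\n"
            "[Mount]\n"
            f"What={dataset}\nWhere={where}\nType=zfs\nOptions=zfsutil\n")
    return units

if __name__ == "__main__":
    for name, text in generate_units(SAMPLE).items():
        print(f"=== {name}\n{text}")
```

A real generator would write each unit into its output directory and add a symlink under `local-fs.target.wants/` so that it is pulled in at boot.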


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Kai Hendry
On Mon, 27 Jun 2016, at 08:33 PM, Reindl Harald wrote:
> normally service level agreements contain basic prerequisites and if they
> are ignored the customer has to pay a penalty in case of support cases

You live in a different world to me.



Just going to follow up with a blog I found on the matter of “time over
HTTPS”:
http://phk.freebsd.dk/time/20151129.html

Though he considers this method for sanity checking atm.
https://twitter.com/bsdphk/status/747346942351544320

So it doesn't really validate my proposal as an authoritative source.


Re: [systemd-devel] systemd.conf early-bird tickets, cfp and workshops

2016-06-27 Thread Jóhann B. Guðmundsson
On 06/27/2016 02:36 PM, Chris Kühl wrote:

> Workshops:
>
> A new addition to this year's conference is the workshop day. The goal
> of this day is to offer hands-on training sessions to those who want
> to learn more about systemd. It's intended that these trainings be
> conducted by systemd community members. Proposals for workshops can be
> submitted at https://cfp.systemd.io
>
> If you have questions about workshops please contact us at i...@systemd.io

Or you can just be replied to here, since you advertise a 300 euro
participation fee for a workshop schedule that a) does not exist and b) is
not part of the professional package (read as corporate sponsored
individuals, since we do have quite a few that would be considered
professionals in the community, where this might be a value add) and is
expected to be conducted by systemd community members for systemd
community members (since they would also have to pay the 300 euro fee
to attend).


It would be good to know who is the genius behind this idea (read: sat
somewhere at a meeting and had the "hey, here's an idea, let's add a
workshop to the mix, have the community manage it and charge 300 euros
for it in the process"), the pricing behind it and where all that
money goes.


JBG


[systemd-devel] Use of namespaced cgroups (aka Docker in systemd-nspawn containers)

2016-06-27 Thread Lee Hambley
Hi List,

My company is currently conducting research into the most viable container
technology that fits our stack (CentOS based) and given our already
widespread reliance on systemd, I have a personal stake in preferring not
to introduce other tooling (LXD, the 2nd place leader) into our stack.

I'd like to know what is required to fulfil our use-case (Docker in
LXD/systemd-nspawn)

Here's what I (think I) know:

   - Docker can't run in systemd-nspawn because the cgroup fs is mounted ro,
     and the systemd-nspawn container sees the entire system's cgroupfs (no
     namespacing)
   - the cgroups filesystem is normally mounted ro in containers, to protect the
     host (or something related to privileged containers)
     - when mounted rw it can break the host (not the worst problem in the
       world, we're not defending against malice here, but apparently it's
       trivial to brick the host by having systemd fight over ttys, etc)
     - it might be fair to say that privileged containers
   - namespaced cgroups are relatively new in linux
     - available in 4.6 [1]
     - backported to 4.4+ on Ubuntu kernels
   - we think LXD does something around setns() [2] to make sure that the
     container has a correct view of the cgroup "subtree".


I suspect something can be done in .nspawn files to grant certain
privileges to work around issues related to ro/rw cgroup trees, etc., but I
think systemd-nspawn has to know about creating the correct cgroup
hierarchy before passing control to the

Please excuse the "idiot knows what he's talking about" tone; I'm very deep
into this stuff today, and not in a good way.

Thanks sincerely,

---

[1]:
https://www.phoronix.com/scan.php?page=news_item=CGroup-Namespaces-Linux-4.6
[2]:
https://github.com/lxc/lxd/blob/c8a2956fae6d5d2092e17a3229e4640b53c8a854/lxd/nsexec.go#L107-L126

Lee Hambley
http://lee.hambley.name/
+49 (0) 170 298 5667


[systemd-devel] systemd.conf early-bird tickets, cfp and workshops

2016-06-27 Thread Chris Kühl
Hi all,

Here's a quick set of updates and reminders regarding systemd.conf 2016

Important dates:

We've got a number of important dates that are approaching for
systemd.conf 2016.

* June 30th: Early-bird ticket sales end. Save yourself or your
organization 20% by purchasing early-bird tickets before July
1st. https://ti.to/systemdconf/systemdconf-2016/
* August 1st: Call for Participation ends for talks and workshops.
Please get your proposal in on time. https://cfp.systemd.io

Workshops:

A new addition to this year's conference is the workshop day. The goal
of this day is to offer hands-on training sessions to those who want
to learn more about systemd. It's intended that these trainings be
conducted by systemd community members. Proposals for workshops can be
submitted at https://cfp.systemd.io

If you have questions about workshops please contact us at i...@systemd.io

Sponsorship:

Thanks to the organizations that have signed on to sponsor
systemd.conf 2016. If your organization would like to join those
ranks, contact the systemd.conf team at sponsors...@systemd.io

As always, you can find more information about the conference at
https://conf.systemd.io/ or contact us at i...@systemd.io

Cheers,
Chris


Re: [systemd-devel] Depending on services from a service unit template

2016-06-27 Thread Michael Biebl
2016-06-27 13:49 GMT+02:00 Andrei Borzenkov :
> On Mon, Jun 27, 2016 at 9:25 AM, Paul Menzel
>  wrote:
>> Dear systemd folks,
>>
>>
>> having a template for a service unit like `example@.service`, and
>> starting several services from it, is there a way, to let another
>> service unit require all services started from that template?
>>
>
> I do not think it is possible. In other direction it may work with
> some workaround (i.e. make every instance of template be required by
> specific services).


PartOf= in the template service might be what you are looking for.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Reindl Harald
On 27.06.2016 at 08:30, Kai Hendry wrote:
> On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
>> (I also have a strong dislike for network admins who cling to their "HTTP
>> only" firewall policies... I don't see why NTP is a 'lesser' protocol
>> than HTTP and DNS, both of which require either the respective ports or a
>> local proxy in order to work. Timesyncd already supports picking up local
>> NTP servers from DHCP, afaik.)
>
> I'm with you, and I've fought this problem for a while. But the typical
> confusing "connection untrusted" due to bad time customer support
> requests is costing me too much


no, your own wrongdoing costs you too much

normally service level agreements contain basic prerequisites and if they
are ignored the customer has to pay a penalty in case of support cases


it's not your job to work around idiot administrators; write an invoice
to their management with a clear reason and they will start to learn
their job or be gone - but don't fuck up default setups with by-design
silly ideas like NTP over HTTP






Re: [systemd-devel] Depending on services from a service unit template

2016-06-27 Thread Andrei Borzenkov
On Mon, Jun 27, 2016 at 9:25 AM, Paul Menzel
 wrote:
> Dear systemd folks,
>
>
> having a template for a service unit like `example@.service`, and
> starting several services from it, is there a way, to let another
> service unit require all services started from that template?
>

I do not think it is possible. In other direction it may work with
some workaround (i.e. make every instance of template be required by
specific services).


Re: [systemd-devel] x bits set on /run/systemd/private, any particular reason?

2016-06-27 Thread Hoyer, Marko (ADITG/SW2)
Hi,

Thx for the answer.

>> Either way, +x has no meaning on sockets (only +w matters).

I guess this was the fact I was actually interested in.

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)

Tel. +49 5121 49 6948
From: Mantas Mikulėnas [mailto:graw...@gmail.com]
Sent: Freitag, 24. Juni 2016 18:31
To: Hoyer, Marko (ADITG/SW2)
Cc: systemd Mailing List
Subject: Re: [systemd-devel] x bits set on /run/systemd/private, any particular 
reason?

On Fri, Jun 24, 2016 at 2:24 PM, Hoyer, Marko (ADITG/SW2) 
> wrote:
Hi,

I’m not an expert on Linux access right management but I’m wondering why
systemd’s private socket (/run/systemd/private) has the x bits set. Did it
happen accidentally?

Immediately after bind(), the socket will have all permissions that weren't 
masked out by the current umask – there doesn't seem to be an equivalent to the 
mode parameter of open().

The default umask for init is 0; it seems that while systemd does set a more 
restrictive umask when necessary, it doesn't bother doing so when setting up 
the private socket, so it ends up having 0777 permissions by default...

Either way, +x has no meaning on sockets (only +w matters). Checking `find /run 
-type s -ls`, it seems services aren't very consistent whether to keep or 
remove it for their own sockets...

--
Mantas Mikulėnas


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Kai Hendry
On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
> Who would host the sync server? Or would you just point it at a random
> site
> and hope its operators don't mind? It's already bad enough that systemd
> defaults to Google's private NTP servers, IMHO.

Reminds me of the "Am I on the Internet?" problem. Yeah, most people
default to google.com as that example does:
https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L21

> (I also have a strong dislike for network admins who cling to their "HTTP
> only" firewall policies... I don't see why NTP is a 'lesser' protocol
> than
> HTTP and DNS, both of which require either the respective ports or a
> local
> proxy in order to work. Timesyncd already supports picking up local NTP
> servers from DHCP, afaik.)

I'm with you, and I've fought this problem for a while. But the typical
confusing "connection untrusted" due to bad time customer support
requests is costing me too much.

Cheers,


Re: [systemd-devel] Time synchronization over HTTP?

2016-06-27 Thread Kai Hendry
On Mon, 27 Jun 2016, at 10:42 AM, Reindl Harald wrote:
> are you aware that in case of many machines you should set up *one* ntpd
> and the other machines only access this internal host to take away load
> from pool.ntp.org, which would also solve the problem of accessing port 123
> outside your network from all the other deployments?

Yes I am, but the administrators who deploy Webconverger don't do this
sadly.

I heard from someone that some routers do this automatically, but
anyway, it doesn't help me come up with a general solution.


[systemd-devel] Depending on services from a service unit template

2016-06-27 Thread Paul Menzel
Dear systemd folks,


having a template for a service unit like `example@.service`, and
starting several services from it, is there a way, to let another
service unit require all services started from that template?


Thanks,

Paul
