[systemd-devel] advice for zfs-mount-generator
Hi,

when using zfs in combination with systemd, users run into the following problem:

- zfs manages mountpoints on its own and systemd is not aware of those.
- this leads to problems, when mountpoints for other filesystems are mounted on directories in a zfs dataset or files are created in a directory before zfs could mount its dataset there.
- the default behaviour in zfs case is to refuse to mount a filesystem on top of a non-empty directory.

In case zfs is loaded via initrd (to allow to use zfs as bootfs) during early boot, writing a generator should be easy:

```
$ zfs get all -H | grep mountpoint
zroot/home      mountpoint  /home              local
zroot/journal   mountpoint  /var/lib/journal   local
zroot/postgres  mountpoint  /var/lib/postgres  local
zroot/root      mountpoint  /                  local
zroot/root/nix  mountpoint  /nix               local
zroot/root/tmp  mountpoint  /tmp               local
```

It should also be noted that those filesystems will not be mounted using mount(2), but via the command interface `zfs mount`, except where mountpoint is set to `legacy`.

However currently some zfs services exist which import zfs pools after the generator run:

/usr/lib/systemd/system/zfs-import-scan.service:

```
[Unit]
Description=Import ZFS pools by device scanning
DefaultDependencies=no
Requires=systemd-udev-settle.service
After=systemd-udev-settle.service
After=cryptsetup.target
Before=dracut-mount.service
ConditionPathExists=!/etc/zfs/zpool.cache

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/sbin/modprobe zfs
ExecStart=/usr/bin/zpool import -aN -o cachefile=none

[Install]
WantedBy=zfs-mount.service
WantedBy=zfs.target
```

/usr/lib/systemd/system/zfs-mount.service:

```
[Unit]
Description=Mount ZFS filesystems
DefaultDependencies=no
After=systemd-udev-settle.service
After=zfs-import-cache.service
After=zfs-import-scan.service
After=systemd-remount-fs.service
Before=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/zfs mount -a

[Install]
WantedBy=zfs-share.service
WantedBy=zfs.target
```

As generators will run before units, I run into a chicken-and-egg problem. I would appreciate it if you have suggestions how to make this scheme compatible with the way systemd handles mounts.

Thanks
Jörg Thalheim

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
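An added example, not part of Jörg's post and not the ZFS project's own generator: a minimal generator in POSIX sh that turns a listing in the format shown in the post into `.mount` units, ordered after the two import services quoted above and before `local-fs.target`. Once such units exist, systemd knows the ZFS mountpoints and orders nested mounts and path-based units behind them, which is the gap the post describes. The sample listing is constructed; the script assumes that `mount.zfs` accepts the `zfsutil` option for mounting a non-legacy dataset through systemd, that mountpoint paths contain only `[A-Za-z0-9/_.-]` (a real generator would call `systemd-escape --path`), that the listing arrives on stdin, and the function names (`unit_name_for_path`, `mount_unit_for`, `generate_units`) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the post or from the ZFS project: a minimal
# systemd generator that turns a `zfs get ... mountpoint` listing into .mount
# units, so systemd knows about ZFS mountpoints and orders nested mounts after them.
# Assumptions: mount.zfs accepts the `zfsutil` option for non-legacy datasets;
# pool import is done by zfs-import-scan.service / zfs-import-cache.service
# (both quoted in the post); mountpoint paths only contain [A-Za-z0-9/_.-].
set -eu

# Constructed sample in the format of `zfs get all -H | grep mountpoint`
# (name, property, value, source; tab-separated). Two extra datasets show the
# cases a generator has to skip: mountpoint=legacy (fstab) and mountpoint=none.
TAB=$(printf '\t')
SAMPLE_LISTING="zroot/home${TAB}mountpoint${TAB}/home${TAB}local
zroot/journal${TAB}mountpoint${TAB}/var/lib/journal${TAB}local
zroot/postgres${TAB}mountpoint${TAB}/var/lib/postgres${TAB}local
zroot/root${TAB}mountpoint${TAB}/${TAB}local
zroot/root/nix${TAB}mountpoint${TAB}/nix${TAB}local
zroot/root/tmp${TAB}mountpoint${TAB}/tmp${TAB}local
zroot/old${TAB}mountpoint${TAB}legacy${TAB}local
zroot/data${TAB}mountpoint${TAB}none${TAB}local"

# Escape a mount path into a unit name the way `systemd-escape --path` does for
# simple paths: "/" -> "-.mount", "/var/lib/journal" -> "var-lib-journal.mount",
# and a literal "-" in a component becomes "\x2d".
unit_name_for_path() {
    stripped=$(printf '%s\n' "$1" | sed 's#^/*##; s#/*$##')
    if [ -z "$stripped" ]; then
        printf '%s\n' '-.mount'
        return 0
    fi
    escaped=$(printf '%s\n' "$stripped" | sed 's/-/\\x2d/g; s#/#-#g')
    printf '%s.mount\n' "$escaped"
}

# Emit one .mount unit. The ordering is the point: the unit waits for the pool
# import services (which run after generators, hence the chicken-and-egg in the
# post) and finishes before local-fs.target, so anything mounted under or
# writing into this path is ordered behind it by systemd's usual path logic.
mount_unit_for() {
    dataset=$1
    where=$2
    cat <<EOF
# Generated from ZFS property mountpoint=$where of dataset $dataset
[Unit]
Description=Mount ZFS dataset $dataset
Wants=zfs-import-scan.service zfs-import-cache.service
After=zfs-import-scan.service zfs-import-cache.service
Before=local-fs.target

[Mount]
What=$dataset
Where=$where
Type=zfs
Options=zfsutil
EOF
}

# Generator entry point: read the listing on stdin, write one unit per
# mountable dataset into the directory systemd passes as $1 (normal-dir), and
# hook each unit into local-fs.target via a .requires symlink. Datasets with
# mountpoint=legacy (fstab territory) or none, and the root dataset (already
# covered by -.mount), are skipped. Prints the number of units written.
generate_units() {
    outdir=$1
    mkdir -p "$outdir/local-fs.target.requires"
    count=0
    while IFS=$TAB read -r dataset prop where source; do
        [ "$prop" = mountpoint ] || continue
        case "$where" in
            legacy|none|/|-) continue ;;
        esac
        unit=$(unit_name_for_path "$where")
        mount_unit_for "$dataset" "$where" > "$outdir/$unit"
        ln -sf "../$unit" "$outdir/local-fs.target.requires/$unit"
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone run: generate into a scratch directory from the constructed sample.
OUT_DIR=$(mktemp -d)
written=$(printf '%s\n' "$SAMPLE_LISTING" | generate_units "$OUT_DIR")
echo "wrote $written mount units under $OUT_DIR"
```

Because generators run before any pool is imported, the listing cannot come from `zfs get` at generator time; it has to be written to a file on the root filesystem while the pool is imported and re-read on the next boot. That cached listing is what turns the chicken-and-egg into a plain ordering dependency: the mount units wait for the import services, and everything under those paths waits for the mount units.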
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27 Jun 2016, at 08:33 PM, Reindl Harald wrote:
> normally service level agreements contain basic prerequisites and if they
> are ignored the customers have to pay a penalty in case of support cases

You live in a different world to me.

Just going to follow up with a blog I found on the matter of "time over HTTPS": http://phk.freebsd.dk/time/20151129.html

Though he considers this method for sanity checking atm. https://twitter.com/bsdphk/status/747346942351544320

So it doesn't really validate my proposal as an authoritative source.
Re: [systemd-devel] systemd.conf early-bird tickets, cfp and workshops
On 06/27/2016 02:36 PM, Chris Kühl wrote:
> Workshops:
> A new addition to this year's conference is the workshop day. The goal of this day is to offer hands-on training sessions to those who want to learn more about systemd. It's intended that these trainings be conducted by systemd community members. Proposals for workshops can be submitted at https://cfp.systemd.io
> If you have questions about workshops please contact us at i...@systemd.io

Or you can just be replied to here since you advertise 300 euro participation fee for workshop schedule that a) does not exist and b) is not part of the professional package (read as corporate sponsored individuals since we do have quite few that would be considered professionals in the community, where this might be a value add to) is expected to be conducted by systemd community members for systemd community members (since they would also have to pay 300 euro fee also to attend).

It would be good to know who's the genius behind this idea, (read sat somewhere at a meeting and had the "hey here's an idea let's add workshop to the mix, have the community manage it and charge 300 euros for it in the process") the pricing behind it and where does all that money go?

JBG
[systemd-devel] Use of namespaced cgroups (aka Docker in systemd-nspawn containers)
Hi List,

My company is currently conducting research into the most viable container technology that fits our stack (CentOS based) and given our already widespread reliance on systemd, I have a personal stake in preferring not to introduce other tooling (LXD, the 2nd place leader) into our stack.

I'd like to know what is required to fulfil our use-case (Docker in LXD/systemd-nspawn)

Here's what I (think I) know:

- Docker can't run in systemd-nspawn because cgroup fs is mounted ro, and the systemd-nspawn container sees the entire system's cgroupfs (no namespacing)
- cgroups filesystem normally mounted ro in containers, to protect the host (or, something related to privileged containers)
- When mounted rw it can break the host (not the worst problem in the world, we're not defending against malice here, but apparently it's trivial to brick the host by having systemd fight over ttys, etc)
- it might be fair to say that privileged containers -
- namespaced cgroups are relatively new in linux
  - available 4.6 [1]
  - backported to 4.4+ on Ubuntu kernels
- We think LXD does something around setns() [2] to make sure that the container has a correct view of the cgroup "subtree".

I suspect something can be done in .nspawn files to grant certain privileges to work around issues related to ro/rw cgroups trees, etc but I think systemd-nspawn has to know about creating the correct cgroup hierarchy before passing control to the

Please excuse the "idiot knows what he's talking about tone" I'm very deep into this stuff today, and not in a good way.

Thanks sincerely,

---
[1]: https://www.phoronix.com/scan.php?page=news_item=CGroup-Namespaces-Linux-4.6
[2]: https://github.com/lxc/lxd/blob/c8a2956fae6d5d2092e17a3229e4640b53c8a854/lxd/nsexec.go#L107-L126

Lee Hambley
http://lee.hambley.name/
+49 (0) 170 298 5667
[systemd-devel] systemd.conf early-bird tickets, cfp and workshops
Hi all,

Here's a quick set of updates and reminders regarding systemd.conf 2016

Important dates:

We've got a number of important dates that are approaching for systemd.conf 2016.

* June 30th: Early-bird ticket sales ends. Save yourself or your organization 20% by purchasing early-bird tickets before July 1st. https://ti.to/systemdconf/systemdconf-2016/
* August 1st: Call for Participation ends for talks and workshops. Please get your proposal in on time. https://cfp.systemd.io

Workshops:

A new addition to this year's conference is the workshop day. The goal of this day is to offer hands-on training sessions to those who want to learn more about systemd. It's intended that these trainings be conducted by systemd community members. Proposals for workshops can be submitted at https://cfp.systemd.io

If you have questions about workshops please contact us at i...@systemd.io

Sponsorship:

Thanks to the organizations that have signed on to sponsor systemd.conf 2016. If your organization would like to join those ranks, contact the systemd.conf team at sponsors...@systemd.io

As always, you can find more information about the conference at https://conf.systemd.io/ or contact us at i...@systemd.io

Cheers,
Chris
Re: [systemd-devel] Depending on services from a service unit template
2016-06-27 13:49 GMT+02:00 Andrei Borzenkov:
> On Mon, Jun 27, 2016 at 9:25 AM, Paul Menzel wrote:
>> Dear systemd folks,
>>
>> having a template for a service unit like `example@.service`, and
>> starting several services from it, is there a way, to let another
>> service unit require all services started from that template?
>>
> I do not think it is possible. In other direction it may work with
> some workaround (i.e. make every instance of template be required by
> specific services).

PartOf= in the template service might be what you are looking for.

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
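An added example, not from this thread and not from the systemd project, of the PartOf= pattern the reply above points at: the template binds every instance to a target, enabling an instance hooks it into that target's wants, and the service that needs "all instances" requires the target instead of listing instances by name. All unit names (`example@.service`, `example.target`, `consumer.service`, instances `a` and `b`) and the helper functions are invented for the example; the script writes the unit files into a scratch directory standing in for /etc/systemd/system rather than touching the live system.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd: one way to make a
# single service depend on every instance of a template, using PartOf= in the
# template plus a target that collects the instances. All names are invented.
set -eu

# Write the three units into $1, a directory standing in for /etc/systemd/system.
write_units() {
    dir=$1
    mkdir -p "$dir/example.target.wants"

    # The template: each instance is ordered before and bound (PartOf=) to
    # example.target, so stopping or restarting the target propagates to every
    # instance, and the [Install] section makes `systemctl enable example@x`
    # hook the instance into the target's wants.
    cat > "$dir/example@.service" <<'EOF'
[Unit]
Description=Example instance %i
PartOf=example.target
Before=example.target

[Service]
# placeholder long-running command
ExecStart=/bin/sleep infinity

[Install]
WantedBy=example.target
EOF

    # The target is the collective name for "all enabled instances".
    cat > "$dir/example.target" <<'EOF'
[Unit]
Description=All example instances
EOF

    # The dependent service requires the target, never an instance list.
    cat > "$dir/consumer.service" <<'EOF'
[Unit]
Description=Service that needs every example instance
Requires=example.target
After=example.target

[Service]
ExecStart=/bin/true
EOF

    # Equivalent of `systemctl enable example@a.service example@b.service`:
    # with the [Install] section above, enable creates exactly these symlinks.
    for inst in a b; do
        ln -sf ../example@.service "$dir/example.target.wants/example@$inst.service"
    done
}

# List the instances example.target (and therefore consumer.service) pulls in.
instances_of() {
    for link in "$1"/example.target.wants/example@*.service; do
        name=${link##*/example@}
        printf '%s\n' "${name%.service}"
    done
}

# Stand-alone run against a scratch directory.
UNIT_DIR=$(mktemp -d)
write_units "$UNIT_DIR"
echo "instances wanted by example.target in $UNIT_DIR:"
instances_of "$UNIT_DIR"
```

Adding a third instance is then `systemctl enable example@c.service`; `consumer.service` picks it up through the target without being edited, and `systemctl restart example.target` restarts all instances at once because of PartOf=.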
Re: [systemd-devel] Time synchronization over HTTP?
On 27.06.2016 at 08:30, Kai Hendry wrote:
> On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
>> (I also have a strong dislike for network admins who cling to their "HTTP
>> only" firewall policies... I don't see why NTP is a 'lesser' protocol than
>> HTTP and DNS, both of which require either the respective ports or a local
>> proxy in order to work. Timesyncd already supports picking up local NTP
>> servers from DHCP, afaik.)
>
> I'm with you, and I've fought this problem for a while. But the typical
> confusing "connection untrusted" due to bad time customer support requests
> is costing me too much

no, your own doing wrong costs you too much

normally service level agreements contain basic prerequisites and if they are ignored the customers have to pay a penalty in case of support cases

it's not your job to work around idiot administrators, write an invoice to their management with a clear reason and they will start to learn their job or be gone - but don't fuckup default setups with by design silly ideas like NTP over HTTP
Re: [systemd-devel] Depending on services from a service unit template
On Mon, Jun 27, 2016 at 9:25 AM, Paul Menzel wrote:
> Dear systemd folks,
>
> having a template for a service unit like `example@.service`, and
> starting several services from it, is there a way, to let another
> service unit require all services started from that template?
>

I do not think it is possible. In other direction it may work with some workaround (i.e. make every instance of template be required by specific services).
Re: [systemd-devel] x bits set on /run/systemd/private, any particular reason?
Hi,

Thx for the answer.

>> Either way, +x has no meaning on sockets (only +w matters).

I guess this was the fact I was actually interested in.

Best regards

Marko Hoyer
Software Group II (ADITG/SW2)
Tel. +49 5121 49 6948

From: Mantas Mikulėnas [mailto:graw...@gmail.com]
Sent: Friday, 24 June 2016 18:31
To: Hoyer, Marko (ADITG/SW2)
Cc: systemd Mailing List
Subject: Re: [systemd-devel] x bits set on /run/systemd/private, any particular reason?

On Fri, Jun 24, 2016 at 2:24 PM, Hoyer, Marko (ADITG/SW2) wrote:
> Hi,
>
> I'm not an expert on Linux access right management but I'm wondering why systemd's private socket (/run/systemd/private) has the x bits set. Did it happen accidentally?

Immediately after bind(), the socket will have all permissions that weren't masked out by the current umask – there doesn't seem to be an equivalent to the mode parameter of open(). The default umask for init is 0; it seems that while systemd does set a more restrictive umask when necessary, it doesn't bother doing so when setting up the private socket, so it ends up having 0777 permissions by default...

Either way, +x has no meaning on sockets (only +w matters). Checking `find /run -type s -ls`, it seems services aren't very consistent whether to keep or remove it for their own sockets...

--
Mantas Mikulėnas
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27 Jun 2016, at 01:03 PM, Mantas Mikulėnas wrote:
> Who would host the sync server? Or would you just point it at a random site
> and hope its operators don't mind? It's already bad enough that systemd
> defaults to Google's private NTP servers, IMHO.

Reminds me of the "Am I on the Internet?" problem. Yeah, most people default to google.com as that example does: https://github.com/ccrisan/motioneyeos/blob/master/board/common/overlay/etc/init.d/S50date#L21

> (I also have a strong dislike for network admins who cling to their "HTTP
> only" firewall policies... I don't see why NTP is a 'lesser' protocol than
> HTTP and DNS, both of which require either the respective ports or a local
> proxy in order to work. Timesyncd already supports picking up local NTP
> servers from DHCP, afaik.)

I'm with you, and I've fought this problem for a while. But the typical confusing "connection untrusted" due to bad time customer support requests is costing me too much.

Cheers,
Re: [systemd-devel] Time synchronization over HTTP?
On Mon, 27 Jun 2016, at 10:42 AM, Reindl Harald wrote:
> are you aware that in case of many machines you should set up *one* ntpd
> and the other machines only access this internal host to take away load
> from pool.ntp.org which would also solve the problem access port 123
> outside your network from all the other deployments?

Yes I am, but the administrators who deploy Webconverger don't do this sadly.

I heard from someone that some routers do this automatically, but anyway, it doesn't help me come up with a general solution.
[systemd-devel] Depending on services from a service unit template
Dear systemd folks,

having a template for a service unit like `example@.service`, and starting several services from it, is there a way, to let another service unit require all services started from that template?

Thanks,

Paul