Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
Le mercredi 24 juillet 2013 à 18:41 -0300, Gerardo Exequiel Pozzi a écrit : Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) What do you expect to fix with this patch ? This will just break distro containers (nspawn / lxc) since it will cause udev to be started there. -- Frederic Crozat fcro...@suse.com SUSE ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
Am 25.07.2013 10:18, schrieb Frederic Crozat: Le mercredi 24 juillet 2013 à 18:41 -0300, Gerardo Exequiel Pozzi a écrit : Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) What do you expect to fix with this patch ? This will just break distro containers (nspawn / lxc) since it will cause udev to be started there. If these units should not be started in containers, this should be reflected with ConditionVirtualization. ConditionCapability is not related to containers at all. signature.asc Description: OpenPGP digital signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
Le jeudi 25 juillet 2013 à 10:45 +0200, Thomas Bächler a écrit : Am 25.07.2013 10:18, schrieb Frederic Crozat: Le mercredi 24 juillet 2013 à 18:41 -0300, Gerardo Exequiel Pozzi a écrit : Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) What do you expect to fix with this patch ? This will just break distro containers (nspawn / lxc) since it will cause udev to be started there. If these units should not be started in containers, this should be reflected with ConditionVirtualization. ConditionCapability is not related to containers at all. Kay changed from ConditionVirtualizaton to ConditionCapability with commit 9371e6f3e04b03692c23e392fdf005a08ccf1edb (Date: Wed Oct 12 02:02:16 2011 +0200) -- Frederic Crozat fcro...@suse.com SUSE ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
'Twas brillig, and Frederic Crozat at 25/07/13 09:54 did gyre and gimble: Le jeudi 25 juillet 2013 à 10:45 +0200, Thomas Bächler a écrit : Am 25.07.2013 10:18, schrieb Frederic Crozat: Le mercredi 24 juillet 2013 à 18:41 -0300, Gerardo Exequiel Pozzi a écrit : Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) What do you expect to fix with this patch ? This will just break distro containers (nspawn / lxc) since it will cause udev to be started there. If these units should not be started in containers, this should be reflected with ConditionVirtualization. ConditionCapability is not related to containers at all. Kay changed from ConditionVirtualizaton to ConditionCapability with commit 9371e6f3e04b03692c23e392fdf005a08ccf1edb (Date: Wed Oct 12 02:02:16 2011 +0200) I guess the fact that the udev units no longer need CAP_MKNOD (with that functionality moving to kmod and tmpfiles) means that this condition seems rather wrong these days. Perhaps the ConditionVirtualization may be the more appropriate one again these days? Col -- Colin Guthrie gmane(at)colin.guthr.ie http://colin.guthr.ie/ Day Job: Tribalogic Limited http://www.tribalogic.net/ Open Source: Mageia Contributor http://www.mageia.org/ PulseAudio Hacker http://www.pulseaudio.org/ Trac Hacker http://trac.edgewall.org/ ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
On Wed, 24.07.13 18:41, Gerardo Exequiel Pozzi (vmlinuz...@yahoo.com.ar) wrote: We generally try to make conditions specific to a feature rather than an execution environment. Containers should run without CAP_MKMNOD, and as udev originally was in the business of creating device nodes we hence bound it to this capability. Now, since very recently udev doesn'#t create a single device node anymore (it's all done by the kernel in devtmpfs/container manager and tmpfiles now), so it probably would make sense to change the capability check, but certainly not remove it. (I'd vote by replacing it by ConditionPathIsReadWrite=/sys since sane container managers mount that read-only.) Anyway, I don't get what you are trying to achieve by your patch please elaborate. Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) diff --git a/units/systemd-udev-settle.service.in b/units/systemd-udev-settle.service.in index 037dd9a..148aa9d 100644 --- a/units/systemd-udev-settle.service.in +++ b/units/systemd-udev-settle.service.in @@ -16,7 +16,6 @@ DefaultDependencies=no Wants=systemd-udevd.service After=systemd-udev-trigger.service Before=sysinit.target -ConditionCapability=CAP_MKNOD [Service] Type=oneshot diff --git a/units/systemd-udev-trigger.service.in b/units/systemd-udev-trigger.service.in index 604c369..ea3cb62 100644 --- a/units/systemd-udev-trigger.service.in +++ b/units/systemd-udev-trigger.service.in @@ -12,7 +12,6 @@ DefaultDependencies=no Wants=systemd-udevd.service After=systemd-udevd-kernel.socket systemd-udevd-control.socket Before=sysinit.target -ConditionCapability=CAP_MKNOD [Service] Type=oneshot diff --git a/units/systemd-udevd-control.socket b/units/systemd-udevd-control.socket index ca17102..12a66d2 100644 --- a/units/systemd-udevd-control.socket +++ b/units/systemd-udevd-control.socket @@ -10,7 +10,6 @@ Description=udev Control Socket Documentation=man:systemd-udevd.service(8) man:udev(7) DefaultDependencies=no Before=sockets.target -ConditionCapability=CAP_MKNOD [Socket] Service=systemd-udevd.service diff --git a/units/systemd-udevd-kernel.socket b/units/systemd-udevd-kernel.socket index 4b8a5b0..64e6f63 100644 --- a/units/systemd-udevd-kernel.socket +++ b/units/systemd-udevd-kernel.socket @@ -10,7 +10,6 @@ Description=udev Kernel Socket Documentation=man:systemd-udevd.service(8) man:udev(7) DefaultDependencies=no Before=sockets.target -ConditionCapability=CAP_MKNOD [Socket] Service=systemd-udevd.service Lennart -- Lennart Poettering - Red Hat, Inc. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
On Thu, 25.07.13 10:45, Thomas Bächler (tho...@archlinux.org) wrote: Am 25.07.2013 10:18, schrieb Frederic Crozat: Le mercredi 24 juillet 2013 à 18:41 -0300, Gerardo Exequiel Pozzi a écrit : Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) What do you expect to fix with this patch ? This will just break distro containers (nspawn / lxc) since it will cause udev to be started there. If these units should not be started in containers, this should be reflected with ConditionVirtualization. ConditionCapability is not related to containers at all. CAP_MKNOD certainly is related to containers. It's generally available on hosts but not in containers. Lennart -- Lennart Poettering - Red Hat, Inc. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
On Thu, Jul 25, 2013 at 7:00 PM, Lennart Poettering lenn...@poettering.net wrote: I'd vote by replacing it by ConditionPathIsReadWrite=/sys since sane container managers mount that read-only.) A change like that sounds great to me. Keying-off access to /sys is probably more appropriate for today's udev than the ability creating device nodes. Kay ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
On 07/25/2013 02:00 PM, Lennart Poettering wrote: On Wed, 24.07.13 18:41, Gerardo Exequiel Pozzi (vmlinuz...@yahoo.com.ar) wrote: We generally try to make conditions specific to a feature rather than an execution environment. Containers should run without CAP_MKMNOD, and as udev originally was in the business of creating device nodes we hence bound it to this capability. OK Now, since very recently udev doesn'#t create a single device node anymore (it's all done by the kernel in devtmpfs/container manager and tmpfiles now), so it probably would make sense to change the capability check, but certainly not remove it. (I'd vote by replacing it by ConditionPathIsReadWrite=/sys since sane container managers mount that read-only.) Exactly. Anyway, I don't get what you are trying to achieve by your patch please elaborate. My thought was simple: Hey! what is doing CAP_MKNOD here since is not needed anymore for udev, remove them!. Ok course, I did not think in containers, my bad. Anyway, this should be changed to something more obvious thing for testing about running environment. Q: If udev should not run in container why not udevd itself check about this? Thanks for your feedback. Signed-off-by: Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar --- units/systemd-udev-settle.service.in | 1 - units/systemd-udev-trigger.service.in | 1 - units/systemd-udevd-control.socket| 1 - units/systemd-udevd-kernel.socket | 1 - 4 files changed, 4 deletions(-) diff --git a/units/systemd-udev-settle.service.in b/units/systemd-udev-settle.service.in index 037dd9a..148aa9d 100644 --- a/units/systemd-udev-settle.service.in +++ b/units/systemd-udev-settle.service.in @@ -16,7 +16,6 @@ DefaultDependencies=no Wants=systemd-udevd.service After=systemd-udev-trigger.service Before=sysinit.target -ConditionCapability=CAP_MKNOD [Service] Type=oneshot diff --git a/units/systemd-udev-trigger.service.in b/units/systemd-udev-trigger.service.in index 604c369..ea3cb62 100644 --- a/units/systemd-udev-trigger.service.in +++ b/units/systemd-udev-trigger.service.in @@ -12,7 +12,6 @@ DefaultDependencies=no Wants=systemd-udevd.service After=systemd-udevd-kernel.socket systemd-udevd-control.socket Before=sysinit.target -ConditionCapability=CAP_MKNOD [Service] Type=oneshot diff --git a/units/systemd-udevd-control.socket b/units/systemd-udevd-control.socket index ca17102..12a66d2 100644 --- a/units/systemd-udevd-control.socket +++ b/units/systemd-udevd-control.socket @@ -10,7 +10,6 @@ Description=udev Control Socket Documentation=man:systemd-udevd.service(8) man:udev(7) DefaultDependencies=no Before=sockets.target -ConditionCapability=CAP_MKNOD [Socket] Service=systemd-udevd.service diff --git a/units/systemd-udevd-kernel.socket b/units/systemd-udevd-kernel.socket index 4b8a5b0..64e6f63 100644 --- a/units/systemd-udevd-kernel.socket +++ b/units/systemd-udevd-kernel.socket @@ -10,7 +10,6 @@ Description=udev Kernel Socket Documentation=man:systemd-udevd.service(8) man:udev(7) DefaultDependencies=no Before=sockets.target -ConditionCapability=CAP_MKNOD [Socket] Service=systemd-udevd.service Lennart -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1 signature.asc Description: OpenPGP digital signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
On Fri, Jul 26, 2013 at 12:19 AM, Gerardo Exequiel Pozzi vmlinuz...@yahoo.com.ar wrote: Anyway, I don't get what you are trying to achieve by your patch please elaborate. My thought was simple: Hey! what is doing CAP_MKNOD here since is not needed anymore for udev, remove them!. Ok course, I did not think in containers, my bad. Note, that you did not remove/dropped the given CAP, you removed the *match* on the existence of it. It's not needed, but after removing the match, it will still have the CAP. :) Anyway, this should be changed to something more obvious thing for testing about running environment. Q: If udev should not run in container why not udevd itself check about this? It does exactly that, I think. Kay ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Drop ConditionCapability=CAP_MKNOD from *udev* units
On Thu, 25.07.13 19:19, Gerardo Exequiel Pozzi (vmlinuz...@yahoo.com.ar) wrote: Anyway, I don't get what you are trying to achieve by your patch please elaborate. My thought was simple: Hey! what is doing CAP_MKNOD here since is not needed anymore for udev, remove them!. Ok course, I did not think in containers, my bad. Anyway, this should be changed to something more obvious thing for testing about running environment. Q: If udev should not run in container why not udevd itself check about this? It's an optimization. ConditionCapability= means we don't even bother with forking off the udev process when running in a container. Lennart -- Lennart Poettering - Red Hat, Inc. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
