[systemd-devel] How to use machinectl to get a running centos container?

2017-03-02 Thread Daurnimator
I'm trying to set up a CentOS 7 container with machinectl.
I've tried to run:

machinectl pull-raw --verify=no
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud-1701.raw.tar.gz

This downloads the image, but then dies with:

File overly large, refusing
Failed to retrieve image file. (Wrong URL?)
Exiting.


Is there some other way I should be doing this?

$ machinectl --version
systemd 232
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP
+LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS
+KMOD +IDN
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Adding controllers

2017-03-02 Thread Lennart Poettering
On Thu, 02.03.17 15:28, Bhasker C V (bhas...@unixindia.com) wrote:
> [Manager]
> JoinControllers=

JoinControllers= is not what you think it is. It's a system-wide
setting for mounting multiple cgroupsv1 controllers into the same
hierarchy. You almost never need that in real life.

> 
> ---
> 
> From what I can read from the man page, the JoinControllers setting is a list
> of controllers the systemd unit will "not" join. Please correct me if
> my understanding is wrong.
> I am however not able to make this systemd-nspawn join freezer controller.
> 
> The only way I am able to achieve this is
> 
> 
> ExecStart=/usr/bin/cgexec -g freezer:/ubuntu /usr/bin/systemd-nspawn --keep-unit -jbD /machines/ubuntu
> 
> (of course I use ExecStartPre to create the freezer:/ubuntu)
> 
> 
> But I feel there must be a more systemd-native, elegant way to do this.
> Can someone please guide me?

systemd does not support the freezer controller, as its interface to
userspace is simply broken.

Delegation of controllers to less privileged containers is not safe,
and we don't support that right now either. Sorry.

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] SELinux type transition rule not working

2017-03-02 Thread Simon Sekidde


- Original Message -
> From: "Lennart Poettering" 
> To: "Ian Pilcher" 
> Cc: "Systemd" , seli...@tycho.nsa.gov
> Sent: Wednesday, March 1, 2017 5:25:11 PM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On Wed, 01.03.17 15:40, Ian Pilcher (arequip...@gmail.com) wrote:
> 
> > I am using systemd's RuntimeDirectory to create a directory for a
> > service.
> > 
> >RuntimeDirectory=squoxy
> > 
> > This causes systemd to create /run/squoxy before starting my service,
> > but I haven't been able to get the SELinux context set correctly on the
> > directory.
> > 
> > I've set file context rules for both /run/squoxy and /var/run/squoxy:
> > 
> > ^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> > ^/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> > 
> > And, indeed, restorecon will set the context of the directory to
> > squoxy_var_run_t.
> > 
> > I've also added a type transition rule, attempting to get the correct
> > context applied automatically when systemd creates the directory:
> > 
> > type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
> > 
> > But the directory is still being created as var_run_t:
> > 
> > drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0   /run/squoxy
> > 
> > What am I doing wrong?
> 

Ian, 

I assume this would be a pid file?

If so then what you are probably looking for is a filename_trans rule and will 
require a new interface in squid.if for this. 

Try something like

interface(`squid_filetrans_named_content',`
gen_require(`
 # declare the target type the interface relies on
 type squid_var_run_t;
')

# name-based transition: a "squoxy" dir created under the pid dir gets squid_var_run_t
files_pid_filetrans($1, squid_var_run_t, dir, "squoxy")
')

> Hmm, so the relevant code in systemd actually labels the dir after
> creating it after an selinux database lookup, so from our side all
> should be good:
> 
> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> 
> (specifically, we all mkdir_p_label() instead of plain mkdir_p() there)
> 
> My own understanding of SELinux is finite however. I'd recommend
> pinging the SELinux folks for help on this,
> 

We got you covered! 

> Lennart
> 
> --
> Lennart Poettering, Red Hat
> ___
> Selinux mailing list
> seli...@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> selinux-requ...@tycho.nsa.gov.
> 

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
sseki...@redhat.com | (w) 978-392-1074 | (m) 571-551-9366 | @ssekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E




[systemd-devel] Adding controllers

2017-03-02 Thread Bhasker C V
Hi,

 I tried to look for information but could not get any.
 I have created a systemd unit which runs systemd-nspawn of my local
ubuntu rootfs.
 The unit has values to restrict cpu, memory etc.,


[Unit]
Description=ubuntu
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/systemd-nspawn --keep-unit -jbD /machines/ubuntu
# spelling fixed: the directive is CPUAccounting=, a misspelled key is ignored by systemd
CPUAccounting=yes
# spelling fixed: the directive is MemoryAccounting=
MemoryAccounting=yes
CPUShares=200
MemorySwapMax=1M
MemoryMax=1073741824
MemoryLimit=1073741824
CPUQuota=50%
TasksMax=100

[Install]
WantedBy=multi-user.target


[Manager]
JoinControllers=

---

From what I can read from the man page, the JoinControllers setting is a list
of controllers the systemd unit will "not" join. Please correct me if
my understanding is wrong.
I am however not able to make this systemd-nspawn join freezer controller.

The only way I am able to achieve this is


ExecStart=/usr/bin/cgexec -g freezer:/ubuntu /usr/bin/systemd-nspawn --keep-unit -jbD /machines/ubuntu

(of course I use ExecStartPre to create the freezer:/ubuntu)


But I feel there must be a more systemd-native, elegant way to do this.
Can someone please guide me?

thanks
Bhasker
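The unit posted above contains two misspelled directives (CPUAcounting=, MemoryAccouting=) that systemd ignores, so the resource limits the poster relies on are partly not applied, and it puts a [Manager] section, which belongs to system.conf, into a unit file, as Lennart's reply explains. The following linter is an added example, not code from the thread or from systemd; the directive allowlist is a small constructed subset of real unit-file directives, and the unit text is the one from the post.

```python
"""Lint a systemd unit for misspelled directives and sections that belong to system.conf."""
import difflib

# Constructed subset of directives valid per unit-file section (assumption: not exhaustive).
KNOWN = {
    "Unit": {"Description", "After", "Before", "Requires", "Wants"},
    "Service": {"Type", "ExecStart", "ExecStartPre", "ExecStop", "Delegate",
                "CPUAccounting", "MemoryAccounting", "TasksAccounting",
                "CPUShares", "CPUQuota", "MemoryMax", "MemoryLimit",
                "MemorySwapMax", "TasksMax"},
    "Install": {"WantedBy", "RequiredBy", "Alias"},
}
# Sections read only by the manager from system.conf, never from a unit file.
MANAGER_ONLY = {"Manager"}

# The unit from the post, embedded here as sample input.
UNIT = """\
[Unit]
Description=ubuntu
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/systemd-nspawn --keep-unit -jbD /machines/ubuntu
CPUAcounting=yes
MemoryAccouting=yes
CPUShares=200
MemorySwapMax=1M
MemoryMax=1073741824
MemoryLimit=1073741824
CPUQuota=50%
TasksMax=100

[Install]
WantedBy=multi-user.target

[Manager]
JoinControllers=
"""


def lint_unit(text):
    """Return (line number, message) findings for unknown keys and misplaced sections."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section in MANAGER_ONLY:
                findings.append((lineno, f"[{section}] is a system.conf section, not a unit section"))
            elif section not in KNOWN:
                findings.append((lineno, f"unknown section [{section}]"))
            continue
        if section is None or "=" not in line:
            findings.append((lineno, "line is outside a section or not key=value"))
            continue
        if section in MANAGER_ONLY or section not in KNOWN:
            continue  # already reported at the section header
        key = line.split("=", 1)[0].strip()
        if key not in KNOWN[section]:
            hint = difflib.get_close_matches(key, sorted(KNOWN[section]), n=1, cutoff=0.8)
            msg = f"unknown directive {key}= in [{section}]"
            findings.append((lineno, msg + (f" (did you mean {hint[0]}=?)" if hint else "")))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_unit(UNIT):
        print(f"line {lineno}: {msg}")
```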