[systemd-devel] rkt container engine fetch user/perm patterns
Hello Everyone-

The rkt container engine wants to run with different permissions pre-start and start. In pre-start it needs to fetch/download the container image which is an unprivileged operation. In start it needs admin level permissions to start the container stage1 (e.g. systemd-nspawn) and mount the root overlayfs.

One way of accomplishing this is:

ExecStartPre=/usr/bin/su rktfetchuser -c /usr/bin/rkt fetch quay.io/coreos/etcd blah blah
ExecStart=/usr/bin/rkt run $(COREOS_VERSIONS_ETCD_FULL) blah blah

The other way would be to create a fetch service and a run service but that is sort of clunky for users to configure.

Are there other mechanisms to not require the use of wrappers like su?

Thank You,

Brandon

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemctl as non-root
Access to the system dbus is controlled by dbus policies. You will need to write a policy for giving this user access to the systemd1 object.

On May 28, 2015 2:28 PM, wrote:
> I'm working on an embedded system, and I ran into a situation where a
> non-root user needs to run systemctl, but when I try I get:
>
> ~ $ systemctl status
> Failed to get D-Bus connection: No such file or directory
>
> So, I try with the suid bit on systemctl set, but then I get:
>
> ~ $ systemctl status
> Failed to read server status: Operation not permitted
>
> My question is, is something broken, or is this expected behavior?
Re: [systemd-devel] DefaultDependencies=false on scopes
Hey Lennart-

On Tue, Feb 3, 2015 at 10:32 AM, Brandon Philips wrote:
> On Tue, Feb 3, 2015 at 10:20 AM, Lennart Poettering wrote:
>> I have added DefaultDependencies= for you now:
>>
>> http://cgit.freedesktop.org/systemd/systemd/commit/?id=261420ba2a20305ad271b6f5f380aa74c5c9dd50
>
> Thank you. I will work on getting Docker fixed up to fix this annoying
> behavior.

So, is this the best way to tell if the systemd I am working with supports setting this property on a scope?

https://github.com/philips/libcontainer/blob/systemd-default-dependencies-false/cgroups/systemd/apply_systemd.go#L74

Essentially I am trying to create a scope and seeing if I get a PropertyReadOnly, if I do I don't set it.

For reference the PR is: https://github.com/docker/libcontainer/pull/359

Thanks,

Brandon
Re: [systemd-devel] [PATCH] Make seccomp protections in systemd-nspawn optional
For context this puts a toggle on this feature added to nspawn:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=28650077f36466d9c5ee27ef2006fae3171a2430

I encouraged Jay to make it an opt-in flag so as to not break other people who had working setups when using nspawn as a minimal ns wrapper.

Brandon

On Tue, Feb 3, 2015 at 3:22 PM, Jay Faulkner wrote:
> Hi all,
>
> As I posted last week, a change merged a while ago to systemd-nspawn adding
> seccomp protections with no ability to enable/disable broke the Ironic Python
> Agent ramdisk which utilizes CoreOS and systemd. The attached patch makes the
> behavior optional, with it defaulting to disabled. I did this for two
> reasons; the first being that my (and other consumers of OpenStack Ironic)
> use case was broken, as would anyone else using nspawn in this manner.
> Additionally, seccomp filters can be configured specifically as desired in
> the unit file.
>
> I appreciate your time and effort in getting this patch merged, so I'll be
> able to upgrade and consume a newer systemd.
>
> Thanks,
> Jay Faulkner
Re: [systemd-devel] DefaultDependencies=false on scopes
On Tue, Feb 3, 2015 at 10:20 AM, Lennart Poettering wrote:
> I have added DefaultDependencies= for you now:
>
> http://cgit.freedesktop.org/systemd/systemd/commit/?id=261420ba2a20305ad271b6f5f380aa74c5c9dd50

Thank you. I will work on getting Docker fixed up to fix this annoying behavior.

Brandon
[systemd-devel] DefaultDependencies=false on scopes
Hello-

How is a user supposed to disable DefaultDependencies on a scope? From the docs it seems like it should work:

"Unless DefaultDependencies=false is used, scope units will implicitly have dependencies of type Conflicts= and Before= on shutdown.target."

But, in practice:

systemd-run --scope --property="DefaultDependencies=false" /usr/bin/sleep 5
Unknown assignment DefaultDependencies=false.
Failed to create message: Invalid argument

The root problem I am trying to fix is that it seems the docker daemon uses DefaultDependencies for all of its scopes which means that the containers get killed by systemd before the docker daemon is notified to shutdown.

AFAICS, this would need to be added here:
http://cgit.freedesktop.org/systemd/systemd/tree/src/libsystemd/sd-bus/bus-util.c#n1319

Thanks,

Brandon
Re: [systemd-devel] Soliciting feedback for golang bindings to the systemd journal C API
Hey Dan-

On Thu, Jun 19, 2014 at 12:37 PM, Dan Mace wrote:
> This is on my backburner at the moment while I work on some other things.

Did you ever try things out with Go 1.3?

Thanks!

Brandon
Re: [systemd-devel] Soliciting feedback for golang bindings to the systemd journal C API
On Thu, Jun 19, 2014 at 12:37 PM, Dan Mace wrote:
> This is on my backburner at the moment while I work on some other things.
> Hitting the segfault while testing our primary use case and being unable to
> reproduce the error made me nervous enough that I don't feel comfortable
> promoting any of the current work yet. I was hoping something obvious would
> jump out, or somebody else running the test from my branch would be able to
> observe the segfault and have a better ability to debug. My branch[1] is
> still in the same state as before. I don't think a PR makes sense quite yet
> until there's increased confidence in the stability. Without knowing the
> cause, I can't predict the impact to the design that might come with the
> solution.

Maybe it is some random bug with Go 1.2? Go 1.3 is out now.
Re: [systemd-devel] Soliciting feedback for golang bindings to the systemd journal C API
On Sat, Jun 14, 2014 at 8:13 AM, Zbigniew Jędrzejewski-Szmek wrote:
> I think that designing the api in steps like this will make it harder
> to get a consistent design. The journal api is rather small, so I don't
> think it is hard to cover most of it in the initial design. In my
> experience, getting sd_journal_print, sd_journal_send, sd_journal_sendv
> wrappers consistent requires some care.

I agree, I would rather do this all at once.

> About the proposed go api:
>
> I think the reader and writer apis should be totally separate.
> Different files/modules/whatever. They don't share implementation,
> and usually are not used together.

Yes, I agree. Actually, is there a reason to bind to the C sd_journal_print if we already have a pure Go version of sd_journal_send?
https://github.com/coreos/go-systemd/blob/master/journal/send.go

> In some places in the go code '%s' is used with numerical 'err'.
> Does this work at all?

Yes it works, Go's print is typesafe but it will look strange: %!s(int=42). We should probably turn them into syscall.Errno() type.

> It's hard to say with the scant backtrace. But I don't recall
> ever seeing any crashes related to sd_journal_wait.

Dan, how do you want me to help out with this? I am happy to dig in if you want to share a branch or something. Or you can send a PR and we can start from there.

Brandon

[1] http://play.golang.org/p/zTOuMj-sg7
[2] http://play.golang.org/p/NDnJF8Zocf
Re: [systemd-devel] Soliciting feedback for golang bindings to the systemd journal C API
On Tue, Jun 10, 2014 at 6:07 AM, Dan Mace wrote:
>> Subject: Re: [systemd-devel] Soliciting feedback for golang bindings to the
>> systemd journal C API
>>
>> The CoreOS crew has already done most of this work by writing a native
>> Go implementation (rather than wrapping the C APIs).
>>
>
> Can you please point me to the implementation? All I've seen is this:
>
> https://github.com/coreos/go-systemd/blob/master/journal/send.go
>
> Which only handles writes via the Unix socket. The implementation we're
> prototyping supports journal queries in ways that (to my knowledge) aren't
> possible without either forking to external tools (e.g. journalctl) or
> linking to sd-journal.

The reason I didn't implement the sd-journal binding originally was because I thought that the journal DBus API would be coming sooner.

I think adding this is great as-is and would happily merge it back upstream. We just have to be aware that eventually this API will need to expose a KDBus API too.

Brandon
Re: [systemd-devel] Soliciting feedback for golang bindings to the systemd journal C API
On Mon, Jun 9, 2014 at 11:56 AM, Dan Mace wrote:
> http://fpaste.org/107299/14019224/

Hrm, odd. Was it with the given tests? I will try it out and see if I can reproduce. I don't see anything immediately wrong in the code.

Thanks,

Brandon
Re: [systemd-devel] [PATCH] unit: add waiting jobs to run queue in unit_coldplug
On Wed, Apr 23, 2014 at 2:36 PM, Lennart Poettering wrote:
> This looks correct, but could you move this into job_coldplug()?

I rewrote the patch to be in job_coldplug() and tested. Patch attached.

0001-job-add-waiting-jobs-to-run-queue-in-unit_coldplug.patch
Description: Binary data
[systemd-devel] [PATCH] network: dhcp: create explicit host route to gateway
This is a better approach that was suggested by Mike and ack'd by Tom.

Some DHCP servers give you a netmask of 255.255.255.255 so the gateway is not routable. Other DHCP client implementations look through the existing routes to figure out if they should add an explicit host route. See below for a link.

However, it makes sense to just create the route explicitly whether it is needed or not since it is explicit, makes the dhcp route entries independent of other entries and saves us from knowing the state of the kernel tables.

After patch route table on a machine with a network (common case):

default via 10.0.2.2 dev ens3
10.0.2.0/24 dev ens3 proto kernel scope link src 10.0.2.15
10.0.2.2 dev ens3 scope link

After patch route table on a machine without a network (this case):

default via 10.240.0.1 dev ens4v1
10.240.0.1 dev ens4v1 scope link

The code from dhcpcd that works around this issue is on line 637.
https://android.googlesource.com/platform/external/dhcpcd/+/master/configure.c

0001-network-dhcp-create-explicit-host-route-to-gateway.patch
Description: Binary data
[systemd-devel] [PATCH] network: dhcp: create host route if dhcp subnet is 255.255.255.255
Some DHCP servers give you a netmask of 255.255.255.255 so the gateway is not routable. Make a host route instead.

This fixes the issue but the implementation is very specific. It would probably be better to check the route table first. What do you think?

The code from dhcpcd that works around this issue is on line 637.
https://android.googlesource.com/platform/external/dhcpcd/+/master/configure.c

211-0001-network-dhcp-create-host-route-if-dhcp-subnet-is-255.patch
Description: Binary data
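As an added worked example that is not part of either patch, systemd-networkd or dhcpcd, the Python below models the two choices discussed in this message and in the follow-up "create explicit host route to gateway" message: install a host route to the gateway only when the gateway is not already on-link (the narrow first patch, generalised here to any gateway outside the lease's prefix, which is the question dhcpcd's route-table scan answers), or always install the host route explicitly ahead of the default route. The leases are constructed from the two route tables shown in the thread; the host address 10.240.0.5 on the /32 lease and the interface names used in the rendered commands are assumptions.

```python
"""Routes a DHCP client should install for a lease.

Added example, not systemd-networkd or dhcpcd code. It compares the narrow
rule (host route only when the gateway is not inside the lease's on-link
prefix) with the unconditional explicit host route.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Lease:
    address: str            # yiaddr from the DHCPACK
    netmask: str            # option 1, e.g. "255.255.255.0" or "255.255.255.255"
    router: Optional[str]   # option 3; None when the server sent no gateway


@dataclass(frozen=True)
class Route:
    dst: str                # "default" or a single host address
    via: Optional[str]      # next hop, or None for an on-link (scope link) route

    def __str__(self) -> str:
        # Same shape as the `ip route` listings quoted in the thread.
        if self.via is None:
            return f"{self.dst} scope link"
        return f"{self.dst} via {self.via}"


def on_link_prefix(lease: Lease) -> ipaddress.IPv4Network:
    """The prefix the kernel adds by itself when the address is configured."""
    return ipaddress.ip_network(f"{lease.address}/{lease.netmask}", strict=False)


def gateway_is_on_link(lease: Lease) -> bool:
    """True if the router is reachable through the lease's own prefix.

    With a 255.255.255.255 netmask the prefix contains only the host itself,
    so this is False: a default route via the router would be rejected by the
    kernel unless a host route to the router is installed first.
    """
    if lease.router is None:
        return False
    return ipaddress.ip_address(lease.router) in on_link_prefix(lease)


def routes_conditional(lease: Lease) -> List[Route]:
    """Narrow approach: add the host route only when the gateway is off-link."""
    if lease.router is None:
        return []
    routes: List[Route] = []
    if not gateway_is_on_link(lease):
        routes.append(Route(lease.router, None))
    routes.append(Route("default", lease.router))
    return routes


def routes_explicit(lease: Lease) -> List[Route]:
    """Explicit approach: always host route first, then the default route.

    Independent of whatever else is in the kernel table; the ordering matters
    because the default route's next hop must be resolvable when it is added.
    """
    if lease.router is None:
        return []
    return [Route(lease.router, None), Route("default", lease.router)]


def ip_route_commands(routes: List[Route], dev: str) -> List[str]:
    """Render routes as `ip route add` commands in installation order."""
    cmds = []
    for r in routes:
        if r.via is None:
            cmds.append(f"ip route add {r.dst} dev {dev} scope link")
        else:
            cmds.append(f"ip route add {r.dst} via {r.via} dev {dev}")
    return cmds


if __name__ == "__main__":
    # Constructed leases matching the two route tables quoted in the thread.
    normal = Lease("10.0.2.15", "255.255.255.0", "10.0.2.2")
    slash32 = Lease("10.240.0.5", "255.255.255.255", "10.240.0.1")
    for name, lease, dev in (("normal", normal, "ens3"), ("/32", slash32, "ens4v1")):
        print(f"{name}: gateway on-link = {gateway_is_on_link(lease)}")
        for cmd in ip_route_commands(routes_explicit(lease), dev):
            print("  " + cmd)
```

The conditional variant also covers a /24 lease whose router lies outside the subnet, which is the case the netmask-only check in the first patch would miss; the explicit variant never needs to look at the existing table at all, which is the argument made in the follow-up message.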
Re: [systemd-devel] [PATCH] nspawn: allow -EEXIST on mkdir_safe /home/${uid}
Also, in commit aca07 my Debian Wheezy container broke because /usr/bin/getent doesn't understand initgroups. Is there a way to work around this?

On Thu, Mar 13, 2014 at 3:31 PM, Brandon Philips wrote:
> With systemd 211 nspawn attempts to create the home directory for the
> given uid. However, if the home directory already exists then it will
> fail. Don't error out on -EEXIST.
[systemd-devel] [PATCH] nspawn: allow -EEXIST on mkdir_safe /home/${uid}
With systemd 211 nspawn attempts to create the home directory for the given uid. However, if the home directory already exists then it will fail. Don't error out on -EEXIST.

0001-nspawn-allow-EEXIST-on-mkdir_safe-home-uid.patch
Description: Binary data
Re: [systemd-devel] dbus API for unit state change?
On Sun, Oct 6, 2013 at 3:10 PM, Lennart Poettering wrote:
> So, yeah, if you respond to each UnitNew signal you get with a property
> Get/GetAll call, then this will result in endless ping pong, which is
> certainly not a good idea.
>
> What are you trying to do? Write some tool that tracks all units that
> are loaded?

Yes, I want to register services into a networked service registry. An example use case would be an HTTP load balancer that is service registry aware and adds machines to the load balancer based on certain unit files appearing/leaving.

An alternative solution is making a user explicitly add a service-registry-notifier@.service to my-application.service.wants but I wanted to avoid making registration a special case. For example: https://gist.github.com/philips/6710008

Maybe there is a middle ground solution? Does it make sense to send LoadState with UnitNew? I will have to look tomorrow because I think without that trying to do other things gets racy with transient units.

Thanks,

Brandon
Re: [systemd-devel] dbus API for unit state change?
Another dbus question: Is it expected that a UnitNew and UnitRemove are sent when I use org.freedesktop.DBus.Properties.Get or GetAll? This also happens with `systemctl status doesnt-exist.service`

Here is an example of what I am seeing:
https://gist.github.com/philips/6834913/raw/5bd36998829ca44c25c3798afd3c77c147b1ba27/gistfile1.txt

This isn't very nice because I need to explicitly guard against getting into an infinite loop of looking up properties on non-existent units.

Thanks,

Brandon

On Thu, Oct 3, 2013 at 6:04 AM, Brandon Philips wrote:
> On Thu, Oct 3, 2013 at 5:54 AM, Mantas Mikulėnas wrote:
>> They do, but the state might have changed again between receiving
>> PropertiesChanged and retrieving the new value.
>
> This is OK for my current use case. I will program against
> PropertiesChanged and wait for Lennart's changes that include the
> changed property.
>
> Thanks,
>
> Brandon
Re: [systemd-devel] dbus API for unit state change?
On Thu, Oct 3, 2013 at 5:54 AM, Mantas Mikulėnas wrote:
> They do, but the state might have changed again between receiving
> PropertiesChanged and retrieving the new value.

This is OK for my current use case. I will program against PropertiesChanged and wait for Lennart's changes that include the changed property.

Thanks,

Brandon
[systemd-devel] dbus API for unit state change?
Hello-

While writing against the dbus bindings I found one missing feature: signals from org.freedesktop.systemd1.Manager on unit "ActiveState" changes. I can do this today by polling ListUnits but I would rather not have my process doing this.

There are two possible APIs:

1. Distinct signal per type

UnitActive()
UnitInactive()
UnitReloading()
UnitFailed()
UnitActivating()
UnitDeactivating()

2. One signal type for all changes:

UnitActiveStateChanged()

This would encode the ActiveState and SubState in that signal's properties. That seems much simpler.

Before writing the patch I wanted to get some feedback on the API and make sure this hadn't been implemented for some other reason either.

Thanks,

Brandon
Re: [systemd-devel] [PATCH] systemd-nspawn@: drop ControlGroup=
I misspoke. It isn't broken, I just got a warning and my container was broken in another way. :-/

[/run/systemd/system/nspawn@.service:14] Unknown lvalue 'ControlGroup' in section 'Service'

In any case it would be nice to remove the warning.

On Mon, Sep 16, 2013 at 7:38 AM, Brandon Philips wrote:
> ControlGroup= is deprecated now drop this from
> systemd-nspawn@.service. Without this 206 has a broken systemd-nspawn@
> unit.
[systemd-devel] [PATCH] systemd-nspawn@: drop ControlGroup=
ControlGroup= is deprecated now; drop this from systemd-nspawn@.service. Without this 206 has a broken systemd-nspawn@ unit.

0001-systemd-nspawn-drop-ControlGroup.patch
Description: Binary data
[systemd-devel] [PATCH] cgtop: fixup the online help
The online help shows the keys as uppercase but the code and manpage say lower case. Make the online help follow reality.

0001-cgtop-fixup-the-online-help.patch
Description: Binary data
Re: [systemd-devel] [PATCH] man: systemd.unit: fix volatile path
Attaching the patch since I don't have a mail client at the moment that can keep itself from breaking patches. On Sat, Jul 27, 2013 at 9:55 AM, Brandon Philips wrote: > The volatile path was '/run/systemd/systemd' when it should be > '/run/systemd/system'. Fix. > --- > man/systemd.unit.xml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml > index f6a0791..2f65ec6 100644 > --- a/man/systemd.unit.xml > +++ b/man/systemd.unit.xml > @@ -285,7 +285,7 @@ > Local configuration > > > - > /run/systemd/systemd > + > /run/systemd/system > Volatile units > > > -- > 1.7.12.4 0001-man-systemd.unit-fix-volatile-path.patch Description: Binary data ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] man: systemd.unit: fix volatile path
The volatile path was '/run/systemd/systemd' when it should be '/run/systemd/system'. Fix. --- man/systemd.unit.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index f6a0791..2f65ec6 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -285,7 +285,7 @@ Local configuration - /run/systemd/systemd +/run/systemd/system Volatile units -- 1.7.12.4 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
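Review bot: The fix is correct; /run/systemd/system is the runtime unit directory, and the hunk changes only the path text inside the table row, leaving the surrounding markup and the "Volatile units" label in place. No further change needed before merge.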
[systemd-devel] [PATCH] shared: logs-show: fflush after each output type
journalctl -f redirected to a pipe or file wasn't working for some output formats but was working for json. It turns out only json was doing an fflush. Make all output formats flush. --- src/shared/logs-show.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index 60eb896..cafddf7 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -521,7 +521,6 @@ static int output_json(sd_journal *j, unsigned line, } fputs("\n}", stdout); -fflush(stdout); return 0; } @@ -560,13 +559,16 @@ static int (*output_funcs[_OUTPUT_MODE_MAX])(sd_journal*j, unsigned line, int output_journal(sd_journal *j, OutputMode mode, unsigned line, unsigned n_columns, OutputFlags flags) { +int ret; assert(mode >= 0); assert(mode < _OUTPUT_MODE_MAX); if (n_columns <= 0) n_columns = columns(); -return output_funcs[mode](j, line, n_columns, flags); +ret = output_funcs[mode](j, line, n_columns, flags); +fflush(stdout); +return ret; } int show_journal_by_unit( -- 1.7.11.4 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
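Review bot: The new fflush(stdout) in output_journal() discards its return value, so when `journalctl -f` is piped into a reader that exits early, or redirected to a file that fills up, the write error is lost and the caller keeps producing entries; check it and propagate a negative errno in the libsystemd style, e.g. `if (fflush(stdout) != 0 && ret >= 0) ret = -errno;` (with errno.h in scope) before `return ret;`. Moving the flush out of output_json() into the single dispatch point is the right fix for the other formats, since each output function now pays exactly one flush per entry.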
[systemd-devel] [PATCH] man/tmpfiles.d.xml: add a manpage for tmpfiles.d
Initial commit of a tmpfiles.d manpage. I ran it through xmllint but I don't know how to make it look pretty like the rest of the xml files. :-P Signed-off-by: Brandon Philips --- Makefile.am|3 +- man/tmpfiles.d.xml | 149 2 files changed, 151 insertions(+), 1 deletions(-) create mode 100644 man/tmpfiles.d.xml diff --git a/Makefile.am b/Makefile.am index 03a6a4e..456553f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -486,7 +486,8 @@ MANPAGES = \ man/halt.8 \ man/shutdown.8 \ man/pam_systemd.8 \ - man/systemd.conf.5 + man/systemd.conf.5 \ + man/tmpfiles.d.5 MANPAGES_ALIAS = \ man/reboot.8 \ diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml new file mode 100644 index 000..5ff53ef --- /dev/null +++ b/man/tmpfiles.d.xml 
@@ -0,0 +1,149 @@ + + +http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd";> + + + + +tmpfiles.d +systemd + + + +Documentation + Brandon + Philips +bran...@ifup.org + + + + + +tmpfiles.d +5 + + + +tmpfiles.d +configuration for creation, deletion and cleaning of tmpfiles + + + +Description + + systemd uses /etc/tmpfiles.d/ to describe the creation, cleaning and removal of temporary files and directories +which usually reside in /var/run or /tmp). +Each configuration file is named in the style of +/etc/tmpfiles.d/<program>.conf + + + + + Configuration Format + + The configuration format is one line per path containing +action, mode, ownership and age fields: + + type path mode uid gid age +d/var/run/user 0755 root root 10d + + + + type + + +f +create a file + + + +F +truncate a file + + + +d +create a directory + + + +D +truncate a directory + + + +x +ignore the path + + + +r +remove the path + + + +R +recursively remove the path + + + + + + age + The date field, when set, is used to decide what files to delete when cleaning. If a file or directory is older than the current time minus the age field it is deleted. The field format is an integer followed by one of the following postfixes: + + sec + s + min + hr + h + d + w + msec + ms + m + usec + us + + + + + + + +Example + +/etc/tmpfiles.d/screen.conf example +screen needs two directories created at boot with specific modes and ownership. + +d /var/run/screens 1777 root root 10d +d /var/run/uscreens 0755 root root 10d + + + + + +See Also + + systemd1 + + + + -- 1.7.2.2 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
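Review bot: The age suffix table in the new manpage lists the suffixes without saying what unit each one denotes, and "m" appears between "ms" and "usec" where a reader cannot tell whether it means minutes or milliseconds; state the unit beside every entry so nobody has to consult the parser to find out. Smaller points in the same hunk: the Description paragraph has an unmatched ")" after "/tmp", the format example reads "d/var/run/user" with no space between the type and path fields, the age paragraph calls the field "The date field" while the table calls it "age", and the commit message itself says the indentation does not match the other manpages, which should be fixed before merge.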