Re: [systemd-devel] learning how to run systemd in a container, journal shows errors I would like to understand what they mean and why

2022-03-25 Thread Michal Koutný
Hello Masber.

On Fri, Mar 25, 2022 at 11:52:33AM +, masber masber  
wrote:
> I have a k8s cluster with docker as container runtime and am I trying
> to make systemd to work.
> I read this doc 
> https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container#enter_oci_hooks
>  and I have systemd running in a container.

Note the article is almost six years old. Plenty of things were implemented
and configs changed since then.

> Mar 25 11:24:31 nid001002-cluster-1 systemd[1]: Failed to reset devices.list on
> /kubepods/burstable/podcd69d169-d610-4af7-895a-eb86ee74ed49/4caa4403b8b6d263012e95ca51357ab0bb46fb3bc7a23221115d22efb757cc9c/system.slice/etc-resolv.conf.mount: Operation not permitted
> 
> I would like to ask the meaning of this message and how to solve it (if 
> possible)

This message says that the containerized systemd attempts to set some
cgroup attributes (in this case regarding device access rules via
devices controller, DeviceAllow= directive) but it fails.
Effectively it could mean your container failed to make itself more
secure but it should not affect functionality (from what you provided
here).

You say you run this in an unprivileged container, a responsible runtime
would not set up access to v1 controllers (devices is v1 only), so EPERM
is sort of expected. For the unprivileged containers, I'd suggest you
switch the host into unified cgroup mode (and consequently the container
too). That should resolve the reported problem but there may still be
something else that breaks your containerized systemd.

HTH,
Michal
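The two checks a reader of this reply usually wants next are "which cgroup layout is this host (or container) actually running?" and "which cgroup did systemd fail to reset?". The script below is an added example and not code from the thread or from systemd. It assumes a POSIX sh with GNU stat(1) (for `-f`), that /sys/fs/cgroup is the mount point to inspect (cgroup2fs means unified, tmpfs with a /sys/fs/cgroup/unified subtree means hybrid, tmpfs alone means legacy v1), and that the journal line has the exact shape quoted in this thread. The kernel parameter it looks for, systemd.unified_cgroup_hierarchy=1, is the documented way to switch a systemd host into unified mode; the sample journal line at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the cgroup layout and extract
# the cgroup path from a "Failed to reset devices.list" journal line.

# cgroup_mode_from FSTYPE HAS_UNIFIED_SUBMOUNT
#   FSTYPE               : filesystem type mounted at /sys/fs/cgroup
#   HAS_UNIFIED_SUBMOUNT : "yes" if /sys/fs/cgroup/unified exists (hybrid layout)
# Prints one of: unified | hybrid | legacy | unknown
cgroup_mode_from() {
    case "$1" in
        cgroup2fs) echo unified ;;
        tmpfs)
            if [ "$2" = yes ]; then echo hybrid; else echo legacy; fi ;;
        *) echo unknown ;;
    esac
}

# cgroup_mode: same classification, but read from the live system.  Inside a
# container this reports the container's view, which is what systemd sees.
cgroup_mode() {
    fstype=$(stat -fc %T /sys/fs/cgroup 2>/dev/null || echo none)
    if [ -d /sys/fs/cgroup/unified ]; then has_unified=yes; else has_unified=no; fi
    cgroup_mode_from "$fstype" "$has_unified"
}

# cmdline_has_unified CMDLINE
#   Prints "yes" if the kernel command line already asks systemd for the
#   unified hierarchy, "no" otherwise.  Pass "$(cat /proc/cmdline)" on a host.
cmdline_has_unified() {
    case " $1 " in
        *" systemd.unified_cgroup_hierarchy=1 "*) echo yes ;;
        *) echo no ;;
    esac
}

# devices_list_cgroup_path LINE
#   Pulls the cgroup path out of a journal line shaped like the one in the
#   thread.  Assumes the path itself contains no ':' (true for the quoted
#   /kubepods/... path).  Exit status 1 when the line is not that message.
devices_list_cgroup_path() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Failed to reset devices\.list on \([^:]*\): Operation not permitted.*/\1/p' \
      | grep .
}

# Stand-alone run: summarise the live system and parse a constructed line.
if [ "${0##*/}" = "cgroup_check.sh" ]; then
    echo "cgroup layout : $(cgroup_mode)"
    if [ -r /proc/cmdline ]; then
        echo "unified on cmdline: $(cmdline_has_unified "$(cat /proc/cmdline)")"
    fi
    # Constructed sample, modelled on the message quoted in this thread.
    sample='Mar 25 11:24:31 host systemd[1]: Failed to reset devices.list on /kubepods/burstable/podEXAMPLE/system.slice/etc-resolv.conf.mount: Operation not permitted'
    echo "failing cgroup: $(devices_list_cgroup_path "$sample")"
fi
```

Run it as `cgroup_check.sh` inside the container as well as on the host: a "legacy" or "hybrid" answer inside an unprivileged container explains the EPERM, since the v1 devices controller is visible but not writable there; a "unified" answer on the host means the devices controller is gone and systemd uses BPF device filtering instead, which is the situation the reply above recommends.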


Re: [systemd-devel] learning how to run systemd in a container, journal shows errors I would like to understand what they mean and why

2022-03-25 Thread masber masber
More details,

Docker runs in Centos7.9.2009 (Core)
Docker is installed through yum and managed by systemd
Docker version is 19.03.15, build 99e3ed8

I get the `systemd[1]: Failed to reset devices.list` message when I run 
`systemctl start slurmd` inside the container.

thank you

From: masber masber
Sent: Friday, 25 March 2022 12:52
To: systemd-devel@lists.freedesktop.org 
Subject: learning how to run systemd in a container, journal shows errors I 
would like to understand what they mean and why

Dear Systemd community,

this is the devel list so I am not sure whether I should be emailing here for 
community support/advice, please forgive me otherwise and point me to the right 
direction.

I am not an expert by any means in container technology or systemd but trying 
to learn.

I have a k8s cluster with docker as container runtime and I am trying to make 
systemd to work. I read this doc 
https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container#enter_oci_hooks
 and I have systemd running in a container.

[root@nid001002-cluster-1 tmp]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  43204  3340 ?        Ss   11:11   0:00 /usr/lib/systemd/systemd --system
root        17  0.0  0.0  39060  5224 ?        Ss   11:11   0:00 /usr/lib/systemd/systemd-journald
dbus        23  0.0  0.0  58088  2112 ?        Ss   11:11   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        25  0.0  0.0 112984  4312 ?        Ss   11:11   0:00 /usr/sbin/sshd -D
root        78  0.0  0.0  11828  1968 pts/0    Ss   11:24   0:00 bash
root       104  0.0  0.0 147676  3684 ?        Ss   11:24   0:00 /usr/sbin/slurmd -D
root       118  0.0  0.0  51732  1732 pts/0    R+   11:46   0:00 ps aux

My question is that journalctl shows the following:

Mar 25 11:24:31 nid001002-cluster-1 systemd[1]: Failed to reset devices.list on
/kubepods/burstable/podcd69d169-d610-4af7-895a-eb86ee74ed49/4caa4403b8b6d263012e95ca51357ab0bb46fb3bc7a23221115d22efb757cc9c/system.slice/etc-resolv.conf.mount: Operation not permitted

I would like to ask the meaning of this message and how to solve it (if 
possible)

thank you very much



[systemd-devel] learning how to run systemd in a container, journal shows errors I would like to understand what they mean and why

2022-03-25 Thread masber masber
Dear Systemd community,

this is the devel list so I am not sure whether I should be emailing here for 
community support/advice, please forgive me otherwise and point me to the right 
direction.

I am not an expert by any means in container technology or systemd but trying 
to learn.

I have a k8s cluster with docker as container runtime and I am trying to make 
systemd to work. I read this doc 
https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container#enter_oci_hooks
 and I have systemd running in a container.

[root@nid001002-cluster-1 tmp]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  43204  3340 ?        Ss   11:11   0:00 /usr/lib/systemd/systemd --system
root        17  0.0  0.0  39060  5224 ?        Ss   11:11   0:00 /usr/lib/systemd/systemd-journald
dbus        23  0.0  0.0  58088  2112 ?        Ss   11:11   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root        25  0.0  0.0 112984  4312 ?        Ss   11:11   0:00 /usr/sbin/sshd -D
root        78  0.0  0.0  11828  1968 pts/0    Ss   11:24   0:00 bash
root       104  0.0  0.0 147676  3684 ?        Ss   11:24   0:00 /usr/sbin/slurmd -D
root       118  0.0  0.0  51732  1732 pts/0    R+   11:46   0:00 ps aux

My question is that journalctl shows the following:

Mar 25 11:24:31 nid001002-cluster-1 systemd[1]: Failed to reset devices.list on
/kubepods/burstable/podcd69d169-d610-4af7-895a-eb86ee74ed49/4caa4403b8b6d263012e95ca51357ab0bb46fb3bc7a23221115d22efb757cc9c/system.slice/etc-resolv.conf.mount: Operation not permitted

I would like to ask the meaning of this message and how to solve it (if 
possible)

thank you very much