Bug#840529: systemd-sysctl.service does not run in LXC containers

2016-10-13 Thread Felipe Sateler
On 13 October 2016 at 13:14, Christian Hofstaedtler  wrote:
> * Felipe Sateler  [161013 17:39]:
>> > systemd-sysctl.service does not start in LXC containers, as they
>> > have /proc/sys R/O. *BUT* /proc/sys/net is R/W.
>
>> 1. Have systemd-sysctl lose the ConditionPathIsReadWrite, and
>> systemd-sysctl itself should check which prefixes are writable.
>
> Or, for now, it could just fail for sysctls that are not writable.
> Benefits: Similar to what the old sysctl tool would be doing. Also
> very clear failure mode for these. (Ignoring them would be silent
> failure...)

So, warning messages would appear.

>
>> 2. Have lxc (or the template) ship a new systemd-sysctl-net.service,
>> that includes the new ExecStart and an updated
>> ConditionPathIsReadWrite
>>
>> Option 2 looks like something that has a chance of being fixed in
>> jessie, although by the LXC folks. Option 1 may be addressed upstream,
>> but I don't think this fits backporting material.
>
> I don't massively care about this in jessie; we already have a
> workaround for it. But it'd be nice to get this fixed for stretch.
>
> Having a fix in LXC sounds wrong to me - everything that depends on
> template creation scripts has a high chance of failing. (A ton of
> users do not run those creation scripts in the first place, but get
> their templates from elsewhere, sometimes plain debootstrap.)

OK, I have looked it up, and the Condition is introduced in commit
f2a46f8da5, with message:

units: run sysctl stuff only when /proc/sys is actually writable, to
quieten container boots a little

Could you file this upstream? I'm not sure we want to deviate from
upstream here...

-- 

Saludos,
Felipe Sateler



Bug#840529: systemd-sysctl.service does not run in LXC containers

2016-10-13 Thread Christian Hofstaedtler
* Felipe Sateler  [161013 17:39]:
> > systemd-sysctl.service does not start in LXC containers, as they
> > have /proc/sys R/O. *BUT* /proc/sys/net is R/W.

> 1. Have systemd-sysctl lose the ConditionPathIsReadWrite, and
> systemd-sysctl itself should check which prefixes are writable.

Or, for now, it could just fail for sysctls that are not writable.
Benefits: Similar to what the old sysctl tool would be doing. Also
very clear failure mode for these. (Ignoring them would be silent
failure...)

> 2. Have lxc (or the template) ship a new systemd-sysctl-net.service,
> that includes the new ExecStart and an updated
> ConditionPathIsReadWrite
> 
> Option 2 looks like something that has a chance of being fixed in
> jessie, although by the LXC folks. Option 1 may be addressed upstream,
> but I don't think this fits backporting material.

I don't massively care about this in jessie; we already have a
workaround for it. But it'd be nice to get this fixed for stretch.

Having a fix in LXC sounds wrong to me - everything that depends on
template creation scripts has a high chance of failing. (A ton of
users do not run those creation scripts in the first place, but get
their templates from elsewhere, sometimes plain debootstrap.)

C.

-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-



Bug#840529: systemd-sysctl.service does not run in LXC containers

2016-10-13 Thread Felipe Sateler
On 12 October 2016 at 10:26, Christian Hofstaedtler  wrote:
> Package: systemd
> Version: 215-17+deb8u5
> Severity: normal
> Tags: upstream
>
> Hi,
>
> systemd-sysctl.service does not start in LXC containers, as they
> have /proc/sys R/O. *BUT* /proc/sys/net is R/W.
>
> It'd be useful if the net-specific settings would still be applied at
> boot.
>
> Arch has "fixed" this in their lxc package by modifying
> systemd-sysctl.service when creating a new container, but this can
> not be the correct solution.
> See 
> https://github.com/lxc/lxc/pull/683/commits/427d42930d99f93bf78c61ec9f555dd883c5039e

So the solutions AFAICS are:

1. Have systemd-sysctl lose the ConditionPathIsReadWrite, and
systemd-sysctl itself should check which prefixes are writable.
2. Have lxc (or the template) ship a new systemd-sysctl-net.service,
that includes the new ExecStart and an updated
ConditionPathIsReadWrite

Option 2 looks like something that has a chance of being fixed in
jessie, although by the LXC folks. Option 1 may be addressed upstream,
but I don't think this fits backporting material.


-- 

Saludos,
Felipe Sateler
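As an added illustration of what option 1 above amounts to (this is example code written for this page, not systemd's, Debian's or LXC's implementation): a POSIX sh applier that reads a sysctl.conf-style file, checks per key whether the corresponding /proc/sys entry exists and is writable, and reports every key it could not apply on stderr instead of silently skipping it, which is the "clear failure mode" Christian asks for. The second helper lists which top-level prefixes (net, kernel, vm, ...) are writable, which is the check the thread suggests systemd-sysctl itself should do. The SYSROOT parameter and the `-key` "optional" prefix handling are assumptions made here so the functions can be exercised against a constructed directory tree rather than the real /proc/sys.

```shell
#!/bin/sh
# Example code added for this page; not part of systemd, Debian or LXC.
# Applies "key = value" lines to a sysctl tree, failing loudly per key.

# apply_sysctl_file CONF [SYSROOT]
#   CONF     file in sysctl.conf syntax ('#' / ';' comments, "key = value",
#            a leading '-' on a key means "do not count this key as a failure")
#   SYSROOT  directory standing in for /proc/sys (default: /proc/sys);
#            tests pass a constructed tree here (assumption for this example)
# Return value: number of keys that could not be applied (0 = full success).
apply_sysctl_file() {
    conf=$1
    sysroot=${2:-/proc/sys}
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace
        line=$(printf '%s\n' "$line" | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        if [ -z "$line" ]; then
            continue
        fi
        case $line in
            *=*) ;;
            *)
                printf 'sysctl: malformed line: %s\n' "$line" >&2
                failed=$((failed + 1))
                continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        optional=0
        case $key in
            -*) optional=1; key=${key#-} ;;
        esac
        # keys may use '.' or '/' as separator; map dotted keys to a path
        case $key in
            */*) rel=$key ;;
            *)   rel=$(printf '%s' "$key" | tr . /) ;;
        esac
        path="$sysroot/$rel"
        if [ ! -e "$path" ]; then
            printf 'sysctl: %s: no such key\n' "$key" >&2
            if [ "$optional" -eq 0 ]; then failed=$((failed + 1)); fi
            continue
        fi
        # -w on a read-only mount is false even for root (EROFS), which is
        # exactly the LXC /proc/sys situation described in the bug
        if [ ! -w "$path" ]; then
            printf 'sysctl: %s: not writable (read-only sysctl tree?)\n' "$key" >&2
            if [ "$optional" -eq 0 ]; then failed=$((failed + 1)); fi
            continue
        fi
        if ! printf '%s\n' "$value" > "$path" 2>/dev/null; then
            printf 'sysctl: %s: write failed\n' "$key" >&2
            if [ "$optional" -eq 0 ]; then failed=$((failed + 1)); fi
            continue
        fi
    done < "$conf"
    return "$failed"
}

# writable_prefixes [SYSROOT]
#   Prints the top-level prefixes under SYSROOT whose directory is writable,
#   one per line (in a typical LXC container this would list "net" only).
writable_prefixes() {
    sysroot=${1:-/proc/sys}
    for d in "$sysroot"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if [ -w "$d" ]; then
            printf '%s\n' "${d##*/}"
        fi
    done
    return 0
}
```

Usage in a container would be `. ./sysctl-apply.sh; apply_sysctl_file /etc/sysctl.d/99-net.conf` (default SYSROOT is the real /proc/sys), with the exit status telling you how many keys were refused; `writable_prefixes` is what a unit would consult instead of a single ConditionPathIsReadWrite=/proc/sys.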



Bug#840529: systemd-sysctl.service does not run in LXC containers

2016-10-12 Thread Christian Hofstaedtler
Package: systemd
Version: 215-17+deb8u5
Severity: normal
Tags: upstream

Hi,

systemd-sysctl.service does not start in LXC containers, as they
have /proc/sys R/O. *BUT* /proc/sys/net is R/W.

It'd be useful if the net-specific settings would still be applied at
boot.

Arch has "fixed" this in their lxc package by modifying
systemd-sysctl.service when creating a new container, but this can
not be the correct solution.
See 
https://github.com/lxc/lxc/pull/683/commits/427d42930d99f93bf78c61ec9f555dd883c5039e

Thanks,
C.


-- Package-specific info:

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)