On Tue, Jun 9, 2015 at 11:37 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Tue, 09.06.15 13:04, Filipe Brandenburger (filbran...@google.com) wrote:
On Tue, Jun 9, 2015 at 12:59 PM, Lennart Poettering
lenn...@poettering.net wrote:
[...] so we comment and ask for a new PR, and close
On Tue, May 19, 2015 at 1:26 AM, Lennart Poettering
lenn...@poettering.net wrote:
On Tue, 19.05.15 00:55, Lennart Poettering (lenn...@poettering.net) wrote:
On Thu, 14.05.15 21:23, Evert (evert.gen...@planet.nl) wrote:
Hi,
According to the systemd documentation, Requisite disallows
On Tue, May 19, 2015 at 3:44 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Tue, 19.05.15 13:08, Alban Crequy (al...@endocode.com) wrote:
The commit be7d9ff730cb88d7c6a869dd5c47754c78ceaef2 (core: introduce
seperate reverse dependencies for Requires= and Requisite=)
introduced
On Mon, May 18, 2015 at 2:00 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Mon, 18.05.15 10:34, Alban Crequy (al...@endocode.com) wrote:
On Wed, May 13, 2015 at 6:14 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Mon, 11.05.15 16:41, Alban Crequy (alban.cre...@gmail.com
From: Alban Crequy al...@endocode.com
When systemd-nspawn gets exec*()ed, it inherits the following file
descriptors:
- 0, 1, 2: stdin, stdout, stderr
- SD_LISTEN_FDS_START, ... SD_LISTEN_FDS_START+LISTEN_FDS: file
descriptors passed by the system manager (useful for socket
activation
On Wed, May 13, 2015 at 6:14 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Mon, 11.05.15 16:41, Alban Crequy (alban.cre...@gmail.com) wrote:
src/nspawn/nspawn.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
From: Alban Crequy al...@endocode.com
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
The test-ns tool can test setup_namespace
From: Alban Crequy al...@endocode.com
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
This can be tested with test-ns as root
From: Alban Crequy al...@endocode.com
When a process starts systemd-nspawn with exec*() without fork(),
systemd-nspawn can be the parent process of children processes unknown
to systemd-nspawn. It can then receive the signal SIGCHLD for both the
container leader process and the previously started
From: Alban Crequy al...@endocode.com
When systemd-nspawn gets exec*()ed, it inherits the following file
descriptors:
- 0, 1, 2: stdin, stdout, stderr
- SD_LISTEN_FDS_START, ... SD_LISTEN_FDS_START+LISTEN_FDS: file
descriptors passed by the system manager (useful for socket
activation
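The inherited-descriptor list above implies the other half of the rule: everything that is neither stdio nor in the socket-activation range is a stray fd from the parent and must not leak into the container's init. The following is an added example, written for this page and not nspawn's own code (systemd has its own close_all_fds() helper with a different shape): it keeps 0, 1, 2 and the range [SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + LISTEN_FDS), where LISTEN_FDS only counts if LISTEN_PID names the current process, as sd_listen_fds() requires. The function names, the /proc/self/fd walk and the forked demonstration are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Value from sd-daemon.h, hard-coded so the example builds without libsystemd. */
#define SD_LISTEN_FDS_START 3

/* Number of activation fds handed to us, mirroring the sd_listen_fds() rule:
 * LISTEN_FDS counts only if LISTEN_PID names this process; otherwise the fds
 * were meant for an ancestor and are strays that must be closed. */
static int listen_fds_count(void) {
        const char *pid = getenv("LISTEN_PID");
        const char *fds = getenv("LISTEN_FDS");
        if (!pid || !fds)
                return 0;
        if ((pid_t) strtol(pid, NULL, 10) != getpid())
                return 0;
        long n = strtol(fds, NULL, 10);
        return n > 0 && n < 65536 ? (int) n : 0;
}

/* stdio, the activation range and an explicit keep-list survive; nothing else. */
static int fd_is_kept(int fd, int n_listen, const int *keep, size_t n_keep) {
        if (fd < 3)
                return 1;
        if (fd >= SD_LISTEN_FDS_START && fd < SD_LISTEN_FDS_START + n_listen)
                return 1;
        for (size_t i = 0; i < n_keep; i++)
                if (keep[i] == fd)
                        return 1;
        return 0;
}

/* Close every open fd that fd_is_kept() does not protect. Walks /proc/self/fd
 * and collects first, because closing while readdir() runs would disturb the
 * stream; without /proc falls back to a bounded brute-force walk.
 * Returns the number of descriptors closed, or -errno. */
static int close_extra_fds(int n_listen, const int *keep, size_t n_keep) {
        int closed = 0;
        DIR *d = opendir("/proc/self/fd");
        if (!d) {
                long max = sysconf(_SC_OPEN_MAX);
                if (max < 0 || max > 65536)
                        max = 65536;        /* RLIMIT_NOFILE can be huge; bound the walk */
                for (int fd = 3; fd < max; fd++)
                        if (!fd_is_kept(fd, n_listen, keep, n_keep) && close(fd) == 0)
                                closed++;
                return closed;
        }
        int self = dirfd(d);
        int *list = NULL;
        size_t n = 0, cap = 0;
        struct dirent *de;
        while ((de = readdir(d))) {
                char *end;
                long fd = strtol(de->d_name, &end, 10);
                if (end == de->d_name || *end != '\0')
                        continue;           /* "." and ".." */
                if (fd == self || fd_is_kept((int) fd, n_listen, keep, n_keep))
                        continue;
                if (n == cap) {
                        cap = cap ? cap * 2 : 16;
                        int *tmp = realloc(list, cap * sizeof *list);
                        if (!tmp) {
                                free(list);
                                closedir(d);
                                return -ENOMEM;
                        }
                        list = tmp;
                }
                list[n++] = (int) fd;
        }
        closedir(d);                        /* also closes 'self' */
        for (size_t i = 0; i < n; i++)
                if (close(list[i]) == 0)
                        closed++;
        free(list);
        return closed;
}

/* Demonstration: open a pipe, keep one end, verify the other end is gone.
 * Runs in a forked child so the caller's descriptors stay untouched, which
 * is also where this belongs in practice: after fork(), before exec(). */
static int demo_in_child(void) {
        pid_t child = fork();
        if (child < 0)
                return -errno;
        if (child == 0) {
                int p[2];
                if (pipe(p) != 0)
                        _exit(1);
                int keep[1] = { p[1] };
                if (close_extra_fds(listen_fds_count(), keep, 1) < 1)
                        _exit(2);
                if (fcntl(p[0], F_GETFD) != -1 || errno != EBADF)
                        _exit(3);           /* unkept end must be closed */
                if (fcntl(p[1], F_GETFD) != 0)
                        _exit(4);           /* kept end must still be open */
                _exit(0);
        }
        int status;
        if (waitpid(child, &status, 0) != child)
                return -errno;
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The cheaper alternative, and the one to prefer where the parent is under your control, is to open every descriptor with O_CLOEXEC in the first place; the walk above is the defence for the case the commit message describes, where nspawn was exec*()ed by a caller that did not.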
On Wed, Feb 25, 2015 at 6:48 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Wed, 25.02.15 00:05, Cyrill Gorcunov (gorcu...@gmail.com) wrote:
Hi all! I would really appreciate it if someone could enlighten me as to whether there is some
simple
solution for the problem we met in OpenVZ: modern containers
On Fri, Apr 24, 2015 at 12:45 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Wed, 22.04.15 16:55, Alban Crequy (al...@endocode.com) wrote:
Thanks for the commits. They don't seem related to containers.
I can reproduce my issue on git-master:
sudo ~/git/systemd/systemd-nspawn
On Fri, Apr 24, 2015 at 5:34 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Fri, 24.04.15 17:10, Alban Crequy (al...@endocode.com) wrote:
On Fri, Apr 24, 2015 at 12:45 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Wed, 22.04.15 16:55, Alban Crequy (al...@endocode.com
On Tue, Apr 21, 2015 at 10:35 PM, Zbigniew Jędrzejewski-Szmek
zbys...@in.waw.pl wrote:
On Tue, Apr 21, 2015 at 03:54:35PM +0200, Alban Crequy wrote:
On Sat, Feb 28, 2015 at 5:40 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Fri, 27.02.15 17:13, Lennart Poettering (lenn
On Sat, Feb 28, 2015 at 5:40 PM, Lennart Poettering
lenn...@poettering.net wrote:
On Fri, 27.02.15 17:13, Lennart Poettering (lenn...@poettering.net) wrote:
On Thu, 26.02.15 16:50, Martin Pitt (martin.p...@ubuntu.com) wrote:
IMHO it would be prudent to skip adding the BindsTo= if at the time
From: Alban Crequy al...@endocode.com
When a systemd-nspawn container terminates, systemd umounts all bind
mounts that were mounted in the container and generates a log for each
umount.
This additional log_info was added by
bce93b7ac7642426039863493694d8c12812e2a7 for debugging shutdown
From: Alban Crequy al...@endocode.com
Some systems abusively restrict mknod, even when the device node already
exists in /dev. This is unfortunate because it prevents systemd-nspawn
from creating the basic devices in /dev in the container.
This patch implements a workaround: when mknod fails
On Tue, Mar 31, 2015 at 5:35 PM, Dave Reisner d...@falconindy.com wrote:
On Tue, Mar 31, 2015 at 05:14:48PM +0200, Alban Crequy wrote:
From: Alban Crequy al...@endocode.com
Some systems abusively restrict mknod, even when the device node already
exists in /dev. This is unfortunate because
On Sun, Mar 29, 2015 at 5:24 PM, Tom Gundersen t...@jklm.no wrote:
On Mar 29, 2015 5:18 PM, Alban Crequy alban.cre...@gmail.com wrote:
From: Alban Crequy al...@endocode.com
Some systems abusively restrict mknod, even when the device node already
exists in /dev. This is unfortunate because
On Tue, Mar 17, 2015 at 6:12 PM, Vincent Batts vba...@redhat.com wrote:
On 11/03/15 15:24 +0100, Iago López Galeiras wrote:
Hi,
We're looking into adding appc[1] support in systemd-importd. An appc
image (ACI) is just a tar with a rootfs directory and a json manifest.
We would have to
From: Alban Crequy al...@endocode.com
renameat2() exists since Linux 3.15 but btrfs support for the flag
RENAME_NOREPLACE was added later.
This patch implements a fallback when renameat2() returns EINVAL.
EINVAL is the error returned when the filesystem does not support one of
the flags
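The commit message above gives the shape of the fallback (try renameat2() with RENAME_NOREPLACE, treat EINVAL as "flag not supported by this filesystem") but is cut off before its mechanism. The following is an added example, not systemd's helper: it keeps the same error classification and uses linkat()+unlinkat() as the fallback, which is this example's choice, because link() itself refuses to overwrite an existing name and so preserves the no-replace guarantee without a check-then-rename race. The raw-syscall wrapper and the touch_excl() helper are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef RENAME_NOREPLACE
#define RENAME_NOREPLACE (1 << 0)   /* <linux/fs.h> value, for older headers */
#endif

/* Raw syscall so the example does not depend on the glibc wrapper (glibc >= 2.28). */
static int sys_renameat2(int olddirfd, const char *oldpath,
                         int newdirfd, const char *newpath, unsigned flags) {
#ifdef SYS_renameat2
        return (int) syscall(SYS_renameat2, olddirfd, oldpath, newdirfd, newpath, flags);
#else
        (void) olddirfd; (void) oldpath; (void) newdirfd; (void) newpath; (void) flags;
        errno = ENOSYS;             /* kernel headers predate 3.15 */
        return -1;
#endif
}

/* Move oldpath to newpath without replacing an existing newpath.
 * Returns 0 on success or -errno (notably -EEXIST when the target exists). */
static int rename_noreplace(int olddirfd, const char *oldpath,
                            int newdirfd, const char *newpath) {
        if (sys_renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_NOREPLACE) == 0)
                return 0;
        /* Only "flag unsupported" errors justify the fallback: EINVAL from a
         * filesystem without RENAME_NOREPLACE support, ENOSYS from an old
         * kernel. EEXIST, EACCES, EXDEV and the rest are real answers. */
        if (errno != EINVAL && errno != ENOSYS)
                return -errno;

        /* Fallback: link() refuses to overwrite, so the no-replace property
         * still holds atomically; the only loss is that the file is briefly
         * visible under both names. An access()+rename() pair would instead
         * leave a window in which another process creates newpath and has it
         * silently replaced, so it is deliberately not used here. */
        if (linkat(olddirfd, oldpath, newdirfd, newpath, 0) < 0)
                return -errno;
        if (unlinkat(olddirfd, oldpath, 0) < 0)
                return -errno;          /* newpath exists; oldpath lingers as a hard link */
        return 0;
}

/* Creates an empty file, failing if it exists; helper for exercising the above. */
static int touch_excl(const char *path) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
                return -errno;
        close(fd);
        return 0;
}
```

One caveat the example does not cover: directories cannot be hard-linked, so linkat() fails with EPERM for them and a caller that moves directories needs a further strategy for that case; whatever it is, it should not be a plain existence check followed by rename(), for the race reason noted in the comment.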
On 9 December 2014 at 17:28, Lennart Poettering lenn...@poettering.net wrote:
On Tue, 09.12.14 16:24, Krzysztof Kotlenga (k.kotle...@sims.pl) wrote:
Hi.
Currently notify socket is unavailable in chrooted services (again)
unless you bind mount it there. Is there perhaps another, less
From: Alban Crequy al...@endocode.com
Manpage systemd.mount(5) says: If the mount point does not exist at the
time of mounting, it is created. However, it was not working for bind
mounts of non-directory files (regular, device, socket, etc).
This patch checks the type of the resource to bind
When a service uses both RootDirectory=/opt/... and PrivateDevices=true,
the private /dev must not be mounted in /dev but in /opt/.../dev.
---
src/core/execute.c | 6 +-
src/core/namespace.c | 10 +-
src/core/namespace.h | 2 +-
src/test/test-ns.c | 2 +-
4 files changed, 12
On 5 February 2015 at 12:48, Vasiliy Tolstov v.tols...@selfip.ru wrote:
2015-02-05 12:44 GMT+03:00 Alban Crequy alban.cre...@gmail.com:
Manual page namespaces(7):
Creation of new namespaces using clone(2) and unshare(2) in most
cases
requires the CAP_SYS_ADMIN capability
[reposting - sorry I forgot to Cc the mailing list]
On 4 February 2015 at 23:03, Vasiliy Tolstov v.tols...@selfip.ru wrote:
Hello!
Is it possible to create a container as a regular user? Or what capabilities do I
need to add to create a container without using root?
Hello,
Manual page namespaces(7):
From: Alban Crequy al...@endocode.com
---
src/nspawn/nspawn.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 3fce3ad..db57b24 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -911,8 +911,7 @@ static int
From: Alban Crequy al...@endocode.com
v2:
- simplify the patch: any non-directory file can be mounted on any
non-directory file.
- allow bind mount of files of different types
---
src/nspawn/nspawn.c | 27 +++
1 file changed, 11 insertions(+), 16 deletions(-)
diff
On 22 January 2015 at 13:51, Lennart Poettering lenn...@poettering.net wrote:
On Thu, 22.01.15 13:25, Alban Crequy (mua...@gmail.com) wrote:
From: Alban Crequy al...@endocode.com
Hmm, I wonder if we can actually simplify this. IIRC the rules for
over-mounting are simpler than I thought
Symptoms:
kdbus/bus.h:56:14: error: field ‘kref’ has incomplete type
struct kref kref;
Signed-off-by: Alban Crequy alban.cre...@collabora.co.uk
---
bus.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/bus.h b/bus.h
index a5832b8..c7ce2fa 100644
--- a/bus.h
+++ b/bus.h
@@ -16,6 +16,7
Before Linux commit 25888e (from 2.6.37-rc4, Nov 2010), fd-passing on Unix
sockets could recursively be stacked, allowing a process to exhaust the open
files limit (/proc/sys/fs/file-max) on the system without restriction from
ulimit -n.
This DoS on Unix sockets was fixed by commit:
commit
On Wed, 13 Aug 2014 16:37:17 +0200
Lennart Poettering lenn...@poettering.net wrote:
On Thu, 07.08.14 15:19, Alban Crequy (alban.cre...@collabora.co.uk)
wrote:
Hi,
Should unprivileged processes be allowed to change cgroup?
Well, they shouldn't do it. But I think it's OK as long
Hi,
Should unprivileged processes be allowed to change cgroup?
As I understand it, it is not possible to block processes to
leave a cgroup, but only to block processes to enter a cgroup.
In the following example, session-c4.scope/tasks belongs to root:root
with -rw-r--r-- and