Re: [systemd-devel] Unprivileged containers and co-ordinating user namespaces
James Bottomley writes:
> On Thu, 2016-04-28 at 16:00 -0700, W. Trevor King wrote:
>> On Thu, Apr 28, 2016 at 03:02:08PM -0700, James Bottomley wrote:
>> > /etc/usernamespaces
>> >
>> > and the format be :::
>> >
>> > …
>> >
>> > If this sounds OK to people, I can code up a utility that does this,
>> > which should probably belong in util-linux.
>>
>> This sounds a lot like shadow's newuidmap and newgidmap [1,2,3].
>>
>> Cheers,
>> Trevor
>>
>> [1]: https://github.com/shadow-maint/shadow/commit/673c2a6f9aa6c69588f4c1be08589b8d3475a520
>> [2]: http://man7.org/linux/man-pages/man1/newuidmap.1.html
>> [3]: http://man7.org/linux/man-pages/man5/subuid.5.html
>
> I think that mostly works. No-one's packaging it yet, which is why I
> didn't notice. It also looks like the build dependencies have vastly
> expanded, so I can't get it to build in the build service yet.

Both Fedora and Ubuntu should be packaging it. Further, Docker should already be using these files.

> It looks like the only addition it needs is the setgroups flag for
> newgidmap, which the security people will need, so I can patch that.
> Plus it's trying to install newgidmap/newuidmap as setuid root rather
> than cap_setuid/cap_setgid, but that's fixable in the spec file.

I read the rest of this thread and I don't understand the setgroups flag that you desire. It sounds like someone with an incomplete grasp of the situation being cautious.

As far as I can tell the use cases for containers not supporting setgroups are very limited. Basically just using user namespaces to drop privileges, and mapping the existing uids and gids to 0. I don't think it actually makes sense to have a knob.

From a practical standpoint, entering any subordinate ids into the subgid file for a user is a permission to use groups in such a way that you can not use them as a negative acl (because we allow them to be dropped). Certainly it has been that way for quite a while now.

Except for the negative acl aspect there are no issues with dropping groups, as setgroups will limit you to the groups allowed in your user namespace.

Eric

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
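The thread turns on what /etc/subuid and /etc/subgid actually grant. As an added example (not code from the thread and not shadow's own implementation), here is the policy check a cap_setuid/cap_setgid helper such as newuidmap has to make before it writes a mapping into /proc/PID/uid_map on a user's behalf: the host-side range being requested must lie wholly inside a range that user owns in the subuid file. The kernel, independently of any helper, also lets an unprivileged process write a single line mapping its own uid with count 1, and the check accepts that too. The subuid content, the user names and the uid 1000 are constructed for the example. (The "negative acl" point Eric makes is why, since Linux 3.19, an unprivileged process must write "deny" to /proc/self/setgroups before the kernel accepts its gid_map; a helper writing gid_map with its own privilege is not subject to that.)

```c
/* Added example (not from the thread, not shadow's code): the subordinate-id
 * check behind newuidmap/newgidmap. A request to map container ids
 * [inner, inner+count) onto host ids [outer, outer+count) is honoured only if
 * the host range lies inside one of the caller's /etc/subuid ranges
 * ("user:start:count"), or is exactly the caller's own uid with count 1 (the
 * one mapping the kernel lets an unprivileged process write by itself). */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct subid_range {
    char user[32];
    unsigned long start;
    unsigned long count;
};

/* Constructed sample /etc/subuid: two users plus a malformed line to be ignored. */
const char SAMPLE_SUBUID[] =
    "alice:100000:65536\n"
    "bob:165536:65536\n"
    "this line is not a subuid entry\n";

/* Parse "user:start:count" lines into out[]; returns the number of valid ranges. */
int parse_subid(const char *text, struct subid_range *out, int max)
{
    int n = 0;
    const char *line = text;

    while (*line != '\0' && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128];

        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *c1 = strchr(buf, ':');
            char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
            if (c1 && c2 && (size_t)(c1 - buf) < sizeof out[n].user) {
                char *end;
                *c1 = '\0';
                *c2 = '\0';
                unsigned long start = strtoul(c1 + 1, &end, 10);
                int ok = (*end == '\0' && c1[1] != '\0');        /* non-empty number */
                unsigned long count = strtoul(c2 + 1, &end, 10);
                /* count > 0 also rejects an empty field; the last test keeps
                 * start+count from wrapping, which range_allowed relies on */
                ok = ok && *end == '\0' && count > 0 && start <= ULONG_MAX - count;
                if (ok) {
                    strcpy(out[n].user, buf);
                    out[n].start = start;
                    out[n].count = count;
                    n++;
                }
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

/* 1 if [outer, outer+count) is inside one of `user`'s ranges, or is exactly the
 * caller's own uid with count 1; 0 otherwise. The addition is overflow-checked
 * so a huge count cannot wrap around and slip past the upper bound. */
int range_allowed(const struct subid_range *r, int n, const char *user,
                  unsigned long caller_uid, unsigned long outer, unsigned long count)
{
    if (count == 0 || outer > ULONG_MAX - count)
        return 0;
    if (count == 1 && outer == caller_uid)
        return 1;
    for (int i = 0; i < n; i++) {
        if (strcmp(r[i].user, user) != 0)
            continue;
        if (outer >= r[i].start && outer + count <= r[i].start + r[i].count)
            return 1;
    }
    return 0;
}

/* Format one uid_map/gid_map line, "inner outer count"; returns its length or -1. */
int format_map_line(char *buf, size_t len,
                    unsigned long inner, unsigned long outer, unsigned long count)
{
    int n = snprintf(buf, len, "%lu %lu %lu\n", inner, outer, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    struct subid_range ranges[16];
    int n = parse_subid(SAMPLE_SUBUID, ranges, 16);
    char line[64];

    /* alice (uid 1000 assumed) maps container root onto the start of her range */
    if (range_allowed(ranges, n, "alice", 1000, 100000, 65536)
        && format_map_line(line, sizeof line, 0, 100000, 65536) > 0)
        fputs(line, stdout);
    /* ... but she may not reach into bob's range */
    printf("alice -> bob's ids allowed: %d\n",
           range_allowed(ranges, n, "alice", 1000, 165536, 10));
    return 0;
}
```

The order matters when this is wired up for real: open /proc/PID/uid_map, verify every requested range with range_allowed(), and only then write the formatted lines in a single write(2), since the kernel accepts exactly one write per map file.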
Re: [systemd-devel] Callback isn't called when using sd_bus_add_match
On Wed, 04.05.16 12:56, Ben-melech, Shiran (shiran.ben-mel...@intel.com) wrote:

> Hi,
>
> I'm currently developing a little library using sd-bus to work with bluez.
> I'm trying to catch signals sent over the bus using sd_bus_add_match (see
> code below)
> But the callback does not seem to be triggered.
>
> I'm opening the bus using:
>
>     /* Connect to the system bus */
>     r = sd_bus_open_system(&new_context->bus);
>     if(r < 0) {
>         syslog(LOG_ERR, "Failed to connect to system bus: %s\n",
>                strerror(-r));
>     }
>
> Could anyone please help?
>
>     static int test_callback(sd_bus_message *message, void *userdata,
>                              sd_bus_error *error)
>     {
>         printf("callback called\n");
>         return EXIT_SUCCESS;
>     }
>
>     int
>     lb_register_for_device_data(lb_context *lb_ctx, sd_bus_message_handler_t
>                                 callback, void *userdata)
>     {
>         if (DEBUG > 0) printf("Method Called: %s\n", __FUNCTION__);
>         int r;
>         r = sd_bus_add_match(lb_ctx->bus, NULL, "type=signal", test_callback,
>                              userdata);
>         if (r < 0) {
>             syslog(LOG_ERR, "Failed on sd_bus_add_object\n");
>             return EXIT_FAILURE;
>         }
>         return EXIT_SUCCESS;
>     }
>
> I've tried various option in the "type" parameter but none succeeded.

Note that you have to run an event loop for the library to do anything.

You can either use sd-event for that (which has a full set of man pages), and then connect sd-bus to sd-event with sd_bus_attach_event(), or you can connect sd-bus to any other event loop of your choice, by using sd_bus_get_fd(), sd_bus_get_events() and sd_bus_get_timeout(). A third option is to do without a proper event loop, and just call sd_bus_wait() and sd_bus_process() in a loop.

The latter two options are not particularly well documented.

Lennart

--
Lennart Poettering, Red Hat
[systemd-devel] Callback isn't called when using sd_bus_add_match
Hi,

I'm currently developing a little library using sd-bus to work with bluez. I'm trying to catch signals sent over the bus using sd_bus_add_match (see code below) But the callback does not seem to be triggered.

I'm opening the bus using:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>
    #include <systemd/sd-bus.h>

    /* Connect to the system bus */
    r = sd_bus_open_system(&new_context->bus);
    if (r < 0) {
        syslog(LOG_ERR, "Failed to connect to system bus: %s\n",
               strerror(-r));
    }

Could anyone please help?

    static int test_callback(sd_bus_message *message, void *userdata,
                             sd_bus_error *error)
    {
        printf("callback called\n");
        return EXIT_SUCCESS;
    }

    int
    lb_register_for_device_data(lb_context *lb_ctx, sd_bus_message_handler_t callback,
                                void *userdata)
    {
        if (DEBUG > 0)
            printf("Method Called: %s\n", __FUNCTION__);
        int r;
        /* Subscribe to every signal on the bus; test_callback is installed
         * here, the caller-supplied `callback` is not used yet. */
        r = sd_bus_add_match(lb_ctx->bus, NULL, "type=signal", test_callback,
                             userdata);
        if (r < 0) {
            syslog(LOG_ERR, "Failed on sd_bus_add_match: %s\n", strerror(-r));
            return EXIT_FAILURE;
        }
        return EXIT_SUCCESS;
    }

I've tried various options in the "type" parameter but none succeeded.

Regards,
Shiran
Re: [systemd-devel] dhcpd (via systemd) @boottime which does not wait for the interface..
On Wed, 04.05.16 13:09, lejeczek (pelj...@yahoo.co.uk) wrote:

> hi devels
>
> I have my dhcpd to serve nothing but virbr0 (libvirt), OS is Centos 7.2
> Dhcpd would not start, complaining like this:
>
>     No subnet declaration for virbr0 (no IPv4 addresses).
>     ** Ignoring requests on virbr0. If this is not what
>        you want, please write a subnet declaration
>        in your dhcpd.conf file for the network segment
>        to which interface virbr0 is attached. **
>
> and systemctl -l shows:
>
>     ...
>     systemd[1]: start request repeated too quickly for dhcpd.service
>     ...
>
> but it suffices to restart dhcpd and all works!
> I've customized systemd's service conf, I've put:
>
>     After=libvirtd.service
>     Requisite=libvirtd.service
>
> but this did not help.
> Would you share your thoughts?
> many thanks.
> L.

Well, this is really a question to ask the libvirt folks. It really depends on when libvirt creates that interface.

Alternatively you can also pull in the service from a udev rule (use SYSTEMD_WANTS), to run it as soon as the interface shows up.

Lennart

--
Lennart Poettering, Red Hat
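The udev route, as an added example that is not part of the reply: a rule that fires when the virbr0 net device is added, tags it for systemd and queues dhcpd.service from it. The file name and priority are my choice; the device unit name systemd derives for the interface is sys-subsystem-net-devices-virbr0.device.

```udev
# /etc/udev/rules.d/90-dhcpd-virbr0.rules  (added example; file name is an assumption)
# Start dhcpd when libvirt creates the bridge, instead of at a fixed point in boot.
SUBSYSTEM=="net", ACTION=="add", KERNEL=="virbr0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="dhcpd.service"
```

Two things to pair with it. First, stop the service from also being started by multi-user.target (systemctl disable dhcpd.service), otherwise the early, failing start still burns through the start-rate limit seen in the log; a drop-in with BindsTo=sys-subsystem-net-devices-virbr0.device and After=sys-subsystem-net-devices-virbr0.device additionally ties the service's lifetime to the interface. Second, "interface added" is not the same as "IPv4 address configured", which is what dhcpd's complaint is about; libvirt assigns the address shortly after creating the bridge, so it is worth also setting Restart=on-failure with a RestartSec= of a few seconds so that a start that still loses that race is retried rather than refused. Run udevadm control --reload and udevadm trigger --subsystem-match=net --action=add to test the rule without rebooting.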
[systemd-devel] dhcpd (via systemd) @boottime which does not wait for the interface..
hi devels

I have my dhcpd to serve nothing but virbr0 (libvirt), OS is Centos 7.2
Dhcpd would not start, complaining like this:

    No subnet declaration for virbr0 (no IPv4 addresses).
    ** Ignoring requests on virbr0. If this is not what
       you want, please write a subnet declaration
       in your dhcpd.conf file for the network segment
       to which interface virbr0 is attached. **

and systemctl -l shows:

    ...
    systemd[1]: start request repeated too quickly for dhcpd.service
    ...

but it suffices to restart dhcpd and all works!
I've customized systemd's service conf, I've put:

    After=libvirtd.service
    Requisite=libvirtd.service

but this did not help.
Would you share your thoughts?
many thanks.
L.
Re: [systemd-devel] automount nested nfs share
On 2016-05-04 11:41, Lennart Poettering wrote:
> So yeah, systemd doesn't cover this fully currently, and I am not sure
> it really should in this case. Sorry!

Don't worry, I know it is a specific case; I'll try to use your solution or to use 'autofs', like before.

Thank you very much,
Marco

--
Marco Giunta - ITCS SysAdmin
Via Bonomea, 265
34136 - Trieste, Italy
Tel: +39-040-3787-503
Fax: +39-040-3787-244
Re: [systemd-devel] automount nested nfs share
On Wed, 04.05.16 10:40, Marco Giunta (giu...@sissa.it) wrote:

> Hi at all,
> I've a problem with automount features of systemd. I need to mount two NFS
> shares in this way:
>
>     /srv/nfs         nfs-server.example.com:/share1
>     /srv/nfs/nested  nfs-server.example.com:/share2
>
> On my old RHEL6 workstation, I used autofs, but now, with a RHEL7
> workstation, I'd like to use systemd.
>
> I've configured two mount units, and they work like a charm: the NFS exports
> are mounted as I expected. Then, I've configured an automount unit for
> '/srv/nfs', and it works, BUT when I've created a unit to automount
> '/srv/nfs/nested', and started it, immediately '/srv/nfs' has been mounted,
> and I cannot unmount it (device is busy).
>
> If I stop the '/srv/nfs/nested' automount service, I can unmount '/srv/nfs'. I'm
> trying to figure out the problem, and I think the reason is 'automatic
> dependencies':
>
> """
> If an automount unit is beneath another mount unit in the file system
> hierarchy, both a requirement and an ordering dependency between both units
> are created automatically.
> """
>
> in fact:
>
>     # systemctl list-dependencies srv-nfs-nested.automount
>     srv-nfs-nested.automount
>       -.mount
>       srv-nfs.mount
>
> 'srv-nfs-nested.automount' depends on 'srv-nfs.mount'. I don't want this, I
> want 'srv-nfs-nested.automount' to depend on 'srv-nfs.automount', because
> I don't want to have '/srv/nfs' always mounted, I need to mount it on
> request, I have more than 300 workstations to configure.
>
> I've tried to change these settings:
>
>     DefaultDependencies = false
>     Requires=srv-nfs.automount -.mount
>
> but it doesn't work, because 'DefaultDependencies' doesn't disable all
> dependencies:
>
> '''
> If set to false, this option does not disable all implicit dependencies,
> just non-essential ones.
> '''
>
> So, my question is: is there a way to disable implicit dependencies? Or is
> there another way to automount nested NFS shares with systemd?

Well, we don't cover this without races right now, and I am not sure we ever will. But you can make something like this work, that will be racy however, by marking your inner mount in fstab as "noauto". Then, pull in the inner automount from the outer mount unit, via Wants=. Specifically, add a drop-in /etc/systemd/system/srv-nfs.mount.d/50-foobar.conf that contains this:

    [Unit]
    Wants=srv-nfs-nested.automount

This will make sure that the inner automount unit is only established when the outer mount is actually delivered. This will be racy however, as systemd will report back to the client that the outer mount is established as soon as it activated the outer mount, and won't wait for the establishing of the inner automount, so that there's a short time-window where clients could access the inner mount point without the automount being in place already.

So yeah, systemd doesn't cover this fully currently, and I am not sure it really should in this case. Sorry!

Lennart

--
Lennart Poettering, Red Hat
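The complete arrangement, as an added example that is not part of the reply, written as hand-crafted units rather than fstab lines since that is how the question's units were set up. "Not enabled" for the inner mount and inner automount plays the role of fstab's "noauto": nothing in the boot transaction pulls them in, only the drop-in on the outer mount does. Server names and paths are the ones from the question; Description= lines and the Type=/Options= values are assumptions.

```ini
# Added example, not from the thread. Unit names follow systemd's path
# escaping (compare: systemd-escape -p --suffix=automount /srv/nfs/nested).

# /etc/systemd/system/srv-nfs.mount
[Unit]
Description=Outer NFS share

[Mount]
What=nfs-server.example.com:/share1
Where=/srv/nfs
Type=nfs4
Options=rw

# /etc/systemd/system/srv-nfs.automount   (the only unit that is enabled)
[Unit]
Description=Automount /srv/nfs

[Automount]
Where=/srv/nfs

[Install]
WantedBy=remote-fs.target

# /etc/systemd/system/srv-nfs-nested.mount   (not enabled: the "noauto" equivalent)
[Unit]
Description=Inner NFS share

[Mount]
What=nfs-server.example.com:/share2
Where=/srv/nfs/nested
Type=nfs4
Options=rw

# /etc/systemd/system/srv-nfs-nested.automount   (not enabled; no [Install] section)
[Unit]
Description=Automount /srv/nfs/nested

[Automount]
Where=/srv/nfs/nested

# /etc/systemd/system/srv-nfs.mount.d/50-foobar.conf
# Pull the inner automount in only once the outer share is really mounted.
[Unit]
Wants=srv-nfs-nested.automount
```

After systemctl daemon-reload and systemctl enable --now srv-nfs.automount, check with systemctl list-dependencies srv-nfs.mount that srv-nfs-nested.automount now hangs off the outer mount rather than off remote-fs.target. The implicit Requires=/After= from srv-nfs-nested.automount on srv-nfs.mount, the dependency the question objects to, is harmless here: it is satisfied by the time the Wants= fires, and it also means the inner automount is torn down again when the outer share is unmounted. The race Lennart describes remains: a client that walks into /srv/nfs/nested in the short gap before the inner autofs trigger is in place sees an empty directory, not the second share.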
Re: [systemd-devel] automount nested nfs share
Open up a support case with Red Hat since that's what you are paying for.

On 05/04/2016 08:40 AM, Marco Giunta wrote:
> Hi at all,
> I've a problem with automount features of systemd. I need to mount two NFS
> shares in this way:
>
>     /srv/nfs         nfs-server.example.com:/share1
>     /srv/nfs/nested  nfs-server.example.com:/share2
>
> On my old RHEL6 workstation, I used autofs, but now, with a RHEL7
> workstation, I'd like to use systemd.
>
> I've configured two mount units, and they work like a charm: the NFS exports
> are mounted as I expected. Then, I've configured an automount unit for
> '/srv/nfs', and it works, BUT when I've created a unit to automount
> '/srv/nfs/nested', and started it, immediately '/srv/nfs' has been mounted,
> and I cannot unmount it (device is busy).
>
> If I stop the '/srv/nfs/nested' automount service, I can unmount '/srv/nfs'. I'm
> trying to figure out the problem, and I think the reason is 'automatic
> dependencies':
>
> """
> If an automount unit is beneath another mount unit in the file system
> hierarchy, both a requirement and an ordering dependency between both units
> are created automatically.
> """
>
> in fact:
>
>     # systemctl list-dependencies srv-nfs-nested.automount
>     srv-nfs-nested.automount
>       -.mount
>       srv-nfs.mount
>
> 'srv-nfs-nested.automount' depends on 'srv-nfs.mount'. I don't want this, I
> want 'srv-nfs-nested.automount' to depend on 'srv-nfs.automount', because
> I don't want to have '/srv/nfs' always mounted, I need to mount it on
> request, I have more than 300 workstations to configure.
>
> I've tried to change these settings:
>
>     DefaultDependencies = false
>     Requires=srv-nfs.automount -.mount
>
> but it doesn't work, because 'DefaultDependencies' doesn't disable all
> dependencies:
>
> '''
> If set to false, this option does not disable all implicit dependencies,
> just non-essential ones.
> '''
>
> So, my question is: is there a way to disable implicit dependencies? Or is
> there another way to automount nested NFS shares with systemd?
>
> With autofs, I used a configuration like this:
>
>     /srv/nfs  -fstype=nfs4,rw \
>         /         nfs-server.example.com:/share1 \
>         /nested   nfs-server.example.com:/share2 \
>         /nested2  nfs-server.example.com:/share3
>
> and it works as I expected.
>
> Cheers,
> Marco
[systemd-devel] automount nested nfs share
Hi at all,
I've a problem with automount features of systemd. I need to mount two NFS shares in this way:

    /srv/nfs         nfs-server.example.com:/share1
    /srv/nfs/nested  nfs-server.example.com:/share2

On my old RHEL6 workstation, I used autofs, but now, with a RHEL7 workstation, I'd like to use systemd.

I've configured two mount units, and they work like a charm: the NFS exports are mounted as I expected. Then, I've configured an automount unit for '/srv/nfs', and it works, BUT when I've created a unit to automount '/srv/nfs/nested', and started it, immediately '/srv/nfs' has been mounted, and I cannot unmount it (device is busy).

If I stop the '/srv/nfs/nested' automount service, I can unmount '/srv/nfs'. I'm trying to figure out the problem, and I think the reason is 'automatic dependencies':

"""
If an automount unit is beneath another mount unit in the file system hierarchy, both a requirement and an ordering dependency between both units are created automatically.
"""

in fact:

    # systemctl list-dependencies srv-nfs-nested.automount
    srv-nfs-nested.automount
      -.mount
      srv-nfs.mount

'srv-nfs-nested.automount' depends on 'srv-nfs.mount'. I don't want this, I want 'srv-nfs-nested.automount' to depend on 'srv-nfs.automount', because I don't want to have '/srv/nfs' always mounted, I need to mount it on request, I have more than 300 workstations to configure.

I've tried to change these settings:

    DefaultDependencies = false
    Requires=srv-nfs.automount -.mount

but it doesn't work, because 'DefaultDependencies' doesn't disable all dependencies:

'''
If set to false, this option does not disable all implicit dependencies, just non-essential ones.
'''

So, my question is: is there a way to disable implicit dependencies? Or is there another way to automount nested NFS shares with systemd?

With autofs, I used a configuration like this:

    /srv/nfs  -fstype=nfs4,rw \
        /         nfs-server.example.com:/share1 \
        /nested   nfs-server.example.com:/share2 \
        /nested2  nfs-server.example.com:/share3

and it works as I expected.

Cheers,
Marco