Re: [systemd-devel] how to debug failures when trying to lock down services

2017-12-01 Thread Michael Biebl
2017-11-30 18:24 GMT+01:00 Lennart Poettering : > On Thu, 30.11.17 10:35, Mantas Mikulėnas (graw...@gmail.com) wrote: > >> Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes >> /var/log read-only... > > Hmm, it does? It really shouldn't. > > I thought
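An added example, not code from the thread and not a record of what Mantas or Lennart concluded: a service unit that combines ProtectSystem=strict with ReadWritePaths=, the pairing the snippet above asks about. As documented in systemd.exec(5), ProtectSystem=strict mounts the entire file system hierarchy read-only for the service except /dev, /proc and /sys, and ReadWritePaths= re-exposes the listed paths writable inside that namespace. The unit name, the binary and the /var/log/exampled directory are assumptions.

```ini
# Hypothetical unit (added example); unit name, binary and paths are assumptions.
[Unit]
Description=Example locked-down daemon

[Service]
# Assumed binary path.
ExecStart=/usr/local/bin/exampled
# Mount everything read-only except /dev, /proc and /sys ...
ProtectSystem=strict
# ... then punch a writable hole only for the daemon's own log directory.
# Listing /var/log as a whole also works but grants more than the service needs.
# Without a leading "-" the path must exist, or namespace setup fails and the
# service does not start; "-/var/log/exampled" would be skipped if missing.
ReadWritePaths=/var/log/exampled
# Alternative: LogsDirectory=exampled creates /var/log/exampled with the right
# ownership and makes it writable even under ProtectSystem=strict.
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

To test a combination of sandbox settings in isolation before touching the real unit, run it as a transient service, e.g. `systemd-run --wait -p ProtectSystem=strict -p ReadWritePaths=/var/log/exampled /bin/sh -c 'touch /var/log/exampled/probe'`. If the command fails with a read-only file system error, compare the effective settings with `systemctl show -p ProtectSystem -p ReadWritePaths <unit>` and check `journalctl -u <unit>` for the namespace setup error.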

Re: [systemd-devel] Systemd Journald and audit logging causing journal issues

2017-12-01 Thread Lennart Poettering
On Fri, 01.12.17 12:19, Brad Zynda (bradley.v.zy...@nasa.gov) wrote: > > > On 12/01/2017 12:11 PM, Lennart Poettering wrote: > > On Fri, 01.12.17 09:05, Brad Zynda (bradley.v.zy...@nasa.gov) wrote: > > > >> Hey Lennart, > > > > Heya, > > > >> Just wanted to get your thoughts on this before we

Re: [systemd-devel] Systemd Journald and audit logging causing journal issues

2017-12-01 Thread Brad Zynda
On 12/01/2017 12:31 PM, Lennart Poettering wrote: > On Fri, 01.12.17 12:19, Brad Zynda (bradley.v.zy...@nasa.gov) wrote: > >> >> >> On 12/01/2017 12:11 PM, Lennart Poettering wrote: >>> On Fri, 01.12.17 09:05, Brad Zynda (bradley.v.zy...@nasa.gov) wrote: >>> Hey Lennart, >>> >>> Heya, >>>

Re: [systemd-devel] Systemd Journald and audit logging causing journal issues

2017-12-01 Thread Brad Zynda
On 12/01/2017 12:11 PM, Lennart Poettering wrote: > On Fri, 01.12.17 09:05, Brad Zynda (bradley.v.zy...@nasa.gov) wrote: > >> Hey Lennart, > > Heya, > >> Just wanted to get your thoughts on this before we break the link.. > > On what precisely? I am not sure what the original issue is, can

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-12-01 Thread Lennart Poettering
On Fri, 01.12.17 13:42, Pekka Paalanen (ppaala...@gmail.com) wrote: > > > > This is racy, as the session ID is not really reliably predictable, > > > > and is synthesized in different contexts in different ways, for > > > > example depending on whether audit is enabled in the kernel it might be > >

Re: [systemd-devel] Systemd Journald and audit logging causing journal issues

2017-12-01 Thread Lennart Poettering
On Fri, 01.12.17 09:05, Brad Zynda (bradley.v.zy...@nasa.gov) wrote: > Hey Lennart, Heya, > Just wanted to get your thoughts on this before we break the link.. On what precisely? I am not sure what the original issue is, can you summarize this briefly here? > also can you provide proper

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Lennart Poettering
On Fri, 01.12.17 12:04, Olaf Hering (o...@aepfle.de) wrote: > On Fri, 1 Dec 2017 10:21:46 + > Wei Liu wrote: > > > In Olaf's case, he cares about knowing whether the domain runs the > > controlling toolstack, he doesn't care about if it is the hardware > > domain or

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Jan Beulich
>>> Wei Liu 12/01/17 1:30 PM >>> >On Fri, Dec 01, 2017 at 05:23:16AM -0700, Jan Beulich wrote: >> >>> On 01.12.17 at 13:15, wrote: >> > On Fri, Dec 01, 2017 at 05:11:45AM -0700, Jan Beulich wrote: >> >> >>> On 01.12.17 at 12:48,

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Olaf Hering
On Fri, Dec 01, Wei Liu wrote: > What information do you need? For a moment let's skip using the fuzzy > "Dom0" term and try to be precise. Like "I would like to know if that > domain has access to all hardware" or something else. That depends on the .service files. This is the list of openSUSE

Re: [systemd-devel] Systemd Journald and audit logging causing journal issues

2017-12-01 Thread Brad Zynda
Hey Lennart, Just wanted to get your thoughts on this before we break the link.. also can you provide proper direction or a howto for breaking the link between auditd and journald? Thanks, Brad On Friday, December 1, 2017 8:17:58 AM EST Brad Zynda wrote: > Hey Steve, > > Just wanted to follow

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Olaf Hering
On Fri, 1 Dec 2017 12:29:24 + Wei Liu wrote: > But Olaf needs to know if some of the services like xenconsoled or > xenstored should be started, and if some of the special file systems > should be mounted, right? Those aren't tied to hardware in any way. In my > view

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Jan Beulich
>>> On 01.12.17 at 13:15, wrote: > On Fri, Dec 01, 2017 at 05:11:45AM -0700, Jan Beulich wrote: >> >>> On 01.12.17 at 12:48, wrote: >> > Suppose at one point we split hardware domain and control domain, which >> > one will you call Dom0? Which one will

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Jan Beulich
>>> On 01.12.17 at 12:48, wrote: > Suppose at one point we split hardware domain and control domain, which > one will you call Dom0? Which one will get the flag? There can only be one hardware domain, which will continue to be the one getting XENFEAT_dom0. There could be any

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-12-01 Thread Pekka Paalanen
On Thu, 30 Nov 2017 11:16:19 + Martyn Welch wrote: > On Thu, 2017-11-30 at 12:09 +0200, Pekka Paalanen wrote: > > On Wed, 29 Nov 2017 19:05:07 +0100 > > Lennart Poettering wrote: > > > > > On Di, 28.11.17 12:14, Pekka Paalanen

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Jan Beulich
>>> On 01.12.17 at 11:21, wrote: > On Thu, Nov 30, 2017 at 01:35:45AM -0700, Jan Beulich wrote: >> >>> On 30.11.17 at 09:23, wrote: >> > On Wed, Nov 29, Jan Beulich wrote: >> > >> >> Ah, I see. But then still I don't see why at least on half way >> >> recent

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-12-01 Thread Olaf Hering
On Fri, 1 Dec 2017 10:21:46 + Wei Liu wrote: > In Olaf's case, he cares about knowing whether the domain runs the > controlling toolstack, he doesn't care about if it is the hardware > domain or not, so my conclusion was using that flag was wrong. I think this is not