Re: [systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
On 15/06/2024 4.37 pm, Andrei Borzenkov wrote:
> Not really. nftables checks the *socket* cgroup, not the *process* cgroup. The socket may have been created while process was in the old cgroup. I do not know whether kernel attempts to also move all process sockets to the new cgroup. I suspect not, but that is most certainly the question to the kernel folks.

Hmm, that would make sense. I think I have to look for a place to ask this question, because if it was the case and they changed the behavior, it probably would fix the issue.

> See my other response about atomically placing a process to some pre-existing cgroup from the very beginning.

Yes, I saw it, but to be honest, at the moment I have no idea what to do with it :)
Re: [systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
On 15/06/2024 2.27 pm, Andrei Borzenkov wrote:
> On 15.06.2024 14:02, Mikhail Morfikov wrote:
> > But there's no curl pids in /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.procs . To be more specific, there's no pids at all in this cgroup.procs file. The curl pids are under
> >
> > # cat /sys/fs/cgroup/morfikownia/user/curl/pids.current
> > 1
> > # cat /sys/fs/cgroup/morfikownia/user/curl/cgroup.procs
> > 44907
> >
> > And this cgroup path (morfikownia/user/curl/) is permitted in nftables, and yet packets sometimes are visible like they had user.slice/user-1000.slice/user@1000.service/ path set. Why?
>
> Because curl starts in this hierarchy and attempts network connection before your daemon moves curl into different cgroup. It is just as good stab in the dark as any other.

No, it's not like this. When curl attempts to access the internet, it sends SYN packet, which is dropped in nftables because of the wrong cgroup path. If what you say was true, then the next (or any other) SYN packet would be accepted, since the pid is in the right cgroup path now, which is permitted in nftables.

But when I watch the nftables logs, I see something like this:

Jun 15 15:30:57 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52657 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A96453BC00103030E) UID=1000 GID=1000
Jun 15 15:30:59 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52658 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A96453FCB0103030E) UID=1000 GID=1000
Jun 15 15:31:00 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52659 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964543CB0103030E) UID=1000 GID=1000
Jun 15 15:31:01 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52660 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964547CB0103030E) UID=1000 GID=1000
Jun 15 15:31:02 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52661 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A96454BCB0103030E) UID=1000 GID=1000
Jun 15 15:31:03 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52662 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A96454FCB0103030E) UID=1000 GID=1000
Jun 15 15:31:05 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52663 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964557CB0103030E) UID=1000 GID=1000
Jun 15 15:31:09 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52664 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A9645678B0103030E) UID=1000 GID=1000
Jun 15 15:31:17 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52665 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964588CB0103030E) UID=1000 GID=1000

Pay attention to the timestamp. All the packets come from the same curl connection. So we have beginning at 15:30:57 and end at 15:31:17 (20s window), and then was ctrl+c, because it's not going to work. So the pid is in the right cgroup path for sure before sending the SYN packets. If the very first SYN packet was dropped, that would make sense, I mean the theory with the app accessing net before cgrulesengd moves the pid. But we have 20s, the pid is in the right cgroup and sometimes it works, and sometimes it doesn't, I mean curl is able to access the net or not. And that's weird. It looks like the cgroup path isn't updated for some reason -- that's my blind guess, because the pid is in the right place, the nftables rule works, and yet the cgroup path "internally somewhere" is user.slice/user-1000.slice/user@1000.service/ instead of the right one, where the pid was moved. I bet there's a bug somewhere.
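The post above makes a timing argument from the log (same source port, same sequence number, SYNs spread over 20 s). Here is an added Python example, not from the thread or any of its participants, that parses nftables log-prefix lines of this shape and groups them per connection, so the same argument can be checked mechanically over a whole log. The sample input is a subset of the lines quoted above plus one constructed line for a second connection; the year is an assumption, because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample input: four of the kernel log lines quoted in the thread
# (one connection, SPT=41760) plus one constructed line for a second connection
# (SPT=41762), so that the per-connection grouping has something to separate.
SAMPLE_LOG = """\
Jun 15 15:30:57 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52657 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A96453BC00103030E) UID=1000 GID=1000
Jun 15 15:31:01 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52660 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964547CB0103030E) UID=1000 GID=1000
Jun 15 15:31:09 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52664 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A9645678B0103030E) UID=1000 GID=1000
Jun 15 15:31:17 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52665 DF PROTO=TCP SPT=41760 DPT=80 SEQ=3391855235 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964588CB0103030E) UID=1000 GID=1000
Jun 15 15:32:40 morfikownia kernel: * cgroup * IN= OUT=bond0 SRC=192.168.1.150 DST=212.77.98.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52701 DF PROTO=TCP SPT=41762 DPT=80 SEQ=1122334455 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A964600000103030E) UID=1000 GID=1000
"""

# Shape of an nf_log line: syslog timestamp, host, "kernel:", the rule's log
# prefix, then space-separated KEY=VALUE pairs interleaved with bare TCP flag
# names (SYN, ACK, ...) and an "OPT (hex)" options dump.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<prefix>.*?)\s*IN=(?P<rest>.*)$"
)
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed from the thread's date


def parse_line(line):
    """Return the fields of one nf_log line as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "time": datetime.strptime(
            f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S"
        ),
        "prefix": m["prefix"].strip(),
        "flags": set(),
    }
    for tok in ("IN=" + m["rest"]).split():
        if "=" in tok:                 # KEY=VALUE; note ACK=n is the ack number
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:         # bare flag word such as SYN
            rec["flags"].add(tok)
        # DF, OPT and the "(...)" option bytes are not needed here
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def connection_key(rec):
    return (rec.get("PROTO"), rec.get("SRC"), rec.get("SPT"),
            rec.get("DST"), rec.get("DPT"))


def summarize(records):
    """Group records per 5-tuple and flag connections that never got past SYN."""
    groups = {}
    for rec in records:
        groups.setdefault(connection_key(rec), []).append(rec)
    out = []
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        times = [r["time"] for r in recs]
        seqs = {r.get("SEQ") for r in recs}
        syn_only = all(r["flags"] == {"SYN"} for r in recs)
        out.append({
            "key": key,
            "packets": len(recs),
            "span_s": int((times[-1] - times[0]).total_seconds()),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
            "seqs": seqs,
            # Several SYNs carrying one SEQ are the kernel retransmitting a
            # handshake that never completed: every attempt hit the same rule,
            # which is what a socket keeping a stale cgroup would produce.
            "syn_retransmits": syn_only and len(recs) > 1 and len(seqs) == 1,
            "uid": recs[0].get("UID"),
            "prefix": recs[0]["prefix"],
        })
    return out


def report(text):
    """Parse a log text and return one summary dict per connection."""
    return summarize(parse_log(text))


if __name__ == "__main__":
    for s in report(SAMPLE_LOG):
        proto, src, spt, dst, dpt = s["key"]
        verdict = "SYN retransmits, never accepted" if s["syn_retransmits"] else "single packet"
        print(f"{proto} {src}:{spt} -> {dst}:{dpt} uid={s['uid']} packets={s['packets']} "
              f"span={s['span_s']}s gaps={s['gaps_s']} {verdict}")
```

Run against a full `journalctl -k` dump, a connection whose SYNs all share one SEQ over a widening gap is a drop that the kernel kept retrying, not a fresh socket each time.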
Re: [systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
On 15/06/2024 8.15 am, Andrei Borzenkov wrote:
> On 14.06.2024 18:49, Mikhail Morfikov wrote:
> > On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
> > > On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
> > > > On 13/06/2024 10.27 pm, Lennart Poettering wrote:
> > > > > On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
> > > > > > I'm trying to make the 4 things (systemd, cgrupsv2, cgrulesengd, and nftables) work together, but I think I'm missing something.
> > > > >
> > > > > Is "cgrulesengd" interfering with the cgroup tree? Sorry, but that's simply not supported. cgroupv2 has a single-writer rule, i.e. every part of the tree has only a single writer, a single manager. And you must delegate a subtree to other managers if a different manager shall also manage cgroups. Hence, if you have something that just takes systemd managed processes and moves them elsewhere, it's simply not supported. Sorry, you voided your warranty.
> > > > >
> > > > > Lennart
> > > > >
> > > > > --
> > > > > Lennart Poettering, Berlin
> > > >
> > > > I don't need any warranty, I need a way to make this work.
> > >
> > > I don't know anything about cgrulesengd, but from your post it seems that it relies on scanning all processes and moving them to cgroups based on information about them. This isn't compatible with systemd. There are a few options that will work:
> > >
> > > 1. Change cgrulesengd to use systemd's D-Bus API to manage cgroups.
> > > 2. Run everything in a container that doesn't use systemd.
> > > 3. Stop using cgrulesengd, and instead use systemd units to define cgroups. Then use other approaches (such as wrapper scripts) to ensure that programs are launched in the correct systemd units.
> >
> > There's no way I'm going to wrap every command in systemd's service/unit file... The question isn't really whether cgrulesengd + systemd is supported or not, but why the terminal apps have issues. GUI apps work well and the network packets of all the GUI apps can be matched in nftables based on the cgroup path. So the setup works well except for the terminal apps.
>
> It is still unclear why you are asking this on systemd list.

I'm asking because with cgroupsv1 everything was working just fine, i.e. net_cls class + nftables + cgrulesengd + systemd. It was working well for many years, but recently systemd started to bully my system with this 30s boot delay when it detects that cgroupsv1 is used (I was using it only for this net_cls). So where else should I ask the question why does systemd+cgroupsv2+cgrulesengd work only partially? I had pretty decent firewall config that was filtering INPUT/OUTPUT of all individual user (and system too) apps, but now some part of it is broken, and I try to figure out why and how to fix it.

> From your description it sounds like a race condition between cgrulesengd and netfilter. GUI apps generally are "heavier" and take more time to startup which may explain it. The best place to ask would be cgrulesengd. If you have any evidence that systemd somehow interferes here, you did not present them.

The evidence could be the cgroup path. For instance, the curl processes should be added via cgrulesengd to morfikownia/user/curl/ , and they are added each single time I type curl in a terminal, or when curl is called from some script. But when I checked why the network packets are dropped, I found out that the following rule can catch them:

socket cgroupv2 level 1 "user.slice/"

When I dug deeper:

socket cgroupv2 level 3 "user.slice/user-1000.slice/user@1000.service/"

But there's no curl pids in /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.procs . To be more specific, there's no pids at all in this cgroup.procs file. The curl pids are under

# cat /sys/fs/cgroup/morfikownia/user/curl/pids.current
1
# cat /sys/fs/cgroup/morfikownia/user/curl/cgroup.procs
44907

And this cgroup path (morfikownia/user/curl/) is permitted in nftables, and yet packets sometimes are visible like they had user.slice/user-1000.slice/user@1000.service/ path set. Why? Would GUI apps vs. terminal apps explain this?

Maybe there's some problems with nftables (or nftables+systemd), I don't know, maybe I could ask at nftables ML about this case (I probably will anyway).

> Otherwise there is such project as https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager which dynamically adds nftables rules to match systemd cgroups (well, in principle it can match anything). It could be combined with "systemd-run --scope" or similar to place commands in specific scopes that will be matched by netfilter.

I don't think the project is what I need.
Re: [systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
> On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
> > On 13/06/2024 10.27 pm, Lennart Poettering wrote:
> > > On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
> > > > I'm trying to make the 4 things (systemd, cgrupsv2, cgrulesengd, and nftables) work together, but I think I'm missing something.
> > >
> > > Is "cgrulesengd" interfering with the cgroup tree? Sorry, but that's simply not supported. cgroupv2 has a single-writer rule, i.e. every part of the tree has only a single writer, a single manager. And you must delegate a subtree to other managers if a different manager shall also manage cgroups. Hence, if you have something that just takes systemd managed processes and moves them elsewhere, it's simply not supported. Sorry, you voided your warranty.
> > >
> > > Lennart
> > >
> > > --
> > > Lennart Poettering, Berlin
> >
> > I don't need any warranty, I need a way to make this work.
>
> I don't know anything about cgrulesengd, but from your post it seems that it relies on scanning all processes and moving them to cgroups based on information about them. This isn't compatible with systemd. There are a few options that will work:
>
> 1. Change cgrulesengd to use systemd's D-Bus API to manage cgroups.
> 2. Run everything in a container that doesn't use systemd.
> 3. Stop using cgrulesengd, and instead use systemd units to define cgroups. Then use other approaches (such as wrapper scripts) to ensure that programs are launched in the correct systemd units.

There's no way I'm going to wrap every command in systemd's service/unit file... The question isn't really whether cgrulesengd + systemd is supported or not, but why the terminal apps have issues. GUI apps work well and the network packets of all the GUI apps can be matched in nftables based on the cgroup path. So the setup works well except for the terminal apps.
Re: [systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
On 13/06/2024 10.27 pm, Lennart Poettering wrote:
> On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
> > I'm trying to make the 4 things (systemd, cgrupsv2, cgrulesengd, and nftables) work together, but I think I'm missing something.
>
> Is "cgrulesengd" interfering with the cgroup tree? Sorry, but that's simply not supported. cgroupv2 has a single-writer rule, i.e. every part of the tree has only a single writer, a single manager. And you must delegate a subtree to other managers if a different manager shall also manage cgroups. Hence, if you have something that just takes systemd managed processes and moves them elsewhere, it's simply not supported. Sorry, you voided your warranty.
>
> Lennart
>
> --
> Lennart Poettering, Berlin

I don't need any warranty, I need a way to make this work.

I'm not sure whether I understand the "single-writer rule", so correct me if I'm wrong. I don't want to write pids to systemd services using cgrulesengd. I just want to create my own cgroup tree, for instance /sys/fs/cgroup/morfikownia/ and I want to place there all the processes managed by cgrulesengd (via the /etc/cgrules.conf file). So systemd won't be touching anything inside /sys/fs/cgroup/morfikownia/ and cgrulesengd won't be touching anything in the rest of the cgroup tree -- is this "single-writer rule" ?

> And you must delegate a subtree to other managers if a different manager shall also manage cgroups.

How can this be done?
[systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
I'm trying to make the 4 things (systemd, cgrupsv2, cgrulesengd, and nftables) work together, but I think I'm missing something.

Basically what I want to achieve is the filtering of OUTPUT packets in nftables in the case of all user apps. System services work well either with systemd+cgrupsv2+nftables or cgrulesengd+cgrupsv2+nftables. User GUI apps also work well with cgrulesengd+cgrupsv2+nftables. There's some issue with terminal apps, like ssh, ping, curl, mount, etc -- they sometimes work and sometimes don't.

What do I mean by "work"? When I *ssh ...* , the request sometimes is blocked in nftables. Here's the example:

# egrep -i ssh /etc/cgrules.conf
*:sshfs cpu,memory,pids morfikownia/user/ssh/
*:ssh cpu,memory,pids morfikownia/user/ssh/

So when I type *ssh ...* in a terminal, the pid of this command should be visible under /sys/fs/cgroup/morfikownia/user/ssh/ , and I can see it's there:

# ps aux | grep ssh
morfik 21746 0.0 0.0 18088 8064 pts/11 S+ 21:16 0:00 ssh root@192.168.1.1
# for i in $(cat /sys/fs/cgroup/morfikownia/user/ssh/cgroup.procs); do ls -ald /proc/$i/exe; done
lrwxrwxrwx 1 morfik morfik 0 2024-06-13 21:16:42 /proc/21746/exe -> /usr/bin/ssh*

When I can connect to the remote SSH server, the packets pass through nftables via the following rule:

# nft list table inet filter | grep ssh
socket cgroupv2 level 3 "morfikownia/user/ssh" meta l4proto tcp counter packets 5 bytes 300 accept

So what's the problem? The problem is that the command *ssh ...* (and other terminal commands) often fail because of I have no idea what. Everything seems to be just fine. The pid is in the right place, but the packets can't be picked up by the nftables rule. So the pid is under:

# egrep -ir 21746 /sys/fs/cgroup
...
/sys/fs/cgroup/morfikownia/user/ssh/cgroup.procs:21746
/sys/fs/cgroup/morfikownia/user/ssh/cgroup.threads:21746
...

But the ssh network packets are dropped because it seems they have different path set and that's why they can't be matched in nftables, which is weird because the pid is in the right place. So how can it be for a pid to have at the same time the right cgroup path and the wrong cgroup path? So what's going on here and how can this be fixed?
[systemd-devel] How to get rid of audit logs only from the systemd journal?
I'm using AppArmor and it sometimes returns many audit logs. By default there was something like this in the journal:

... audit[1397]: AVC apparmor= ...
... kernel: audit: type=1400 audit(1523275695.613:76): apparmor= ...

So there are two entries and they carry the same message. So the message is doubled. The first message disappears when systemd-journald-audit.socket is masked, but what about the second message? Basically I want to remove the AppArmor logs only from the journal and not from the whole system. They could be logged by rsyslog and placed in some file/FIFO device. Is there a way to get rid of the second message from the journal only somehow?

--
Morfik

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] How to set primary slave in active-backup mode (bonding)
On Tue, 19 May 2015 18:12:15 +0200 Tom Gundersen wrote:
> On Thu, Apr 9, 2015 at 4:29 PM, Mikhail Morfikov wrote:
> > I usually have two network interfaces on my laptops (one eth and one wlan), and when I was using sysvinit I also was configuring the bond interface via the /etc/network/interfaces file so the two interfaces could work in the active-backup mode. But now, they work in balance-rr mode which is set via the .netdev file. The problem with this mode is that when you have, let's say wifi 30mbit/s and wired 100mbit/s, you can get 60mbit/s max, and that's why I wanted to use the active-backup mode which switches from wire to wifi and vice versa depending on whether the ethernet cable is plugged in. Generally speaking, I have to set some additional parameters so this could work well, and that would be:
>
> We don't yet fully support all the bonding options.
>
> > bond-primary eth1
>
> This is not currently supported, I suppose we should add the possibility of marking a slave as 'primary' to the .network file (rather than listing the slave in the .netdev file).
>
> > bond-primary-reselect always
>
> This is PrimaryReselectPolicy=always in the .netdev file.
>
> > bond-slaves eth1 wlan0
>
> This is achieved by setting Bond= in the .network files applied to eth1 and wlan0.
>
> > bond-fail-over-mac none
>
> This is FailOverMACPolicy=none in the .netdev file, which is also the default, so is redundant.
>
> > I'm not sure if all of them are necessary, and the question is how to pass these parameters in systemd? I'm asking because in the systemd.netdev manual, in the bond section, these options weren't specified.
>
> I hope the above helps, but I suspect you really need the feature to specify the primary slave for this to work as you intended. Happy to take a patch!
>
> Cheers,
>
> Tom

Thank you for the information.
Re: [systemd-devel] Automatic user ACL management
On Mon, 18 May 2015 18:18:57 +0200 Lennart Poettering wrote:
> On Mon, 18.05.15 18:16, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
>
> > Something is wrong. I did the following steps:
> >
> > $ newgrp audio
> >
> > In the log I have the following message:
> >
> > May 18 18:02:19 morfikownia newgrp[80543]: user 'morfik' (login 'morfik' on pts/7) switched to group 'audio'
> >
> > Then I started amarok (in the same terminal):
> >
> > $ amarok
> > $ ps -eo user,group,args | grep amarok
> > morfik audio amarok
> >
> > So it says the process has the audio group, but the sound disappears when I switch to TTY, so nothing has changed. Should this happen, or am I supposed to do something else in order to make it work?
>
> you need to run PA with those privs, not your media player. it's pa that needs the access rights to the device nodes, not your media player.
>
> Lennart

And now it works as expected! :)
Re: [systemd-devel] Automatic user ACL management
On Mon, 18 May 2015 17:38:33 +0200 Lennart Poettering wrote:
> On Sun, 17.05.15 12:46, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
>
> > As you can read, for instance here ( http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/ ), logind, which is a part of systemd, can set permissions to some devices for user sessions. There's also a vid showing how this kind of behavior works in practice ( https://www.youtube.com/watch?v=qcD4Qr5ldbI ). In short, if you start, let's say, amarok, and you play some song, you will hear the sound till you switch to another user or TTY where you have only the login prompt. That's because the active session became inactive.
> >
> > I know that you can simply add a user (or users) to a specific group, in this case "audio", and that will 'fix' this issue, but I'm wondering if there's another solution. What I really want is to set some permissions for the process so it could use the sound card all the time, even when all users have their sessions locked.
> >
> > Is that possible? I'm asking because I often listen to the music and I don't really need my monitor to be on most of the time, so I just lock the screen. But when I lock the screen, the active session becomes inactive and amarok stops playing. And yes, the screen should be locked, and not just turned off.
>
> To my knowledge GNOME runs the screen lock from the same session, and thus does not suffer by the problem...
>
> Generally, making your process member of the "audio" group is the way to go, if you want to forego the per-session device access control logic logind implements. You can use /usr/bin/newgrp to join a group for some of your processes only.
>
> Lennart

Something is wrong. I did the following steps:

$ newgrp audio

In the log I have the following message:

May 18 18:02:19 morfikownia newgrp[80543]: user 'morfik' (login 'morfik' on pts/7) switched to group 'audio'

Then I started amarok (in the same terminal):

$ amarok
$ ps -eo user,group,args | grep amarok
morfik audio amarok

So it says the process has the audio group, but the sound disappears when I switch to TTY, so nothing has changed. Should this happen, or am I supposed to do something else in order to make it work?
Re: [systemd-devel] Automatic user ACL management
On Sun, 17 May 2015 15:00:11 +0200 Martin Pitt wrote:
> Mikhail Morfikov [2015-05-17 12:46 +0200]:
> > As you can read, for instance here ( http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/ ), logind, which is a part of systemd, can set permissions to some devices for user sessions. There's also a vid showing how this kind of behavior works in practice ( https://www.youtube.com/watch?v=qcD4Qr5ldbI ). In short, if you start, let's say, amarok, and you play some song, you will hear the sound till you switch to another user or TTY where you have only the login prompt. That's because the active session became inactive.
>
> If you log into the TTY, the sound will continue, as you will again be in a foreground session, right?

Yes, the same behavior as you can observe in the vid on youtube.
Re: [systemd-devel] Automatic user ACL management
On Sun, 17 May 2015 12:55:18 +0200 Reindl Harald wrote:
>
> On 17.05.2015 at 12:46 Mikhail Morfikov wrote:
> > Is that possible? I'm asking because I often listen to the music and I don't really need my monitor to be on most of the time, so I just lock the screen. But when I lock the screen, the active session becomes inactive and amarok stops playing. And yes, the screen should be locked, and not just turned off
>
> that's a pulseaudio problem and if you run pulsed as system-wide audio is independent of sessions and you may want to look at MPD which can even start playing music after power on the machine without login

I see, I've read this article: http://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/SystemWide/ and I've changed the pulseaudio config file a little bit:

allow-module-loading = no
allow-exit = no
system-instance = yes
enable-shm = no
exit-idle-time = -20

then I started pulseaudio in the system mode and I was able to play sound all the time. But there's another question -- is there any difference between pulseaudio in system mode and pulseaudio in user mode + adding specific users to the "audio" group? I mean in the link I had given in the previous post, you can read something like this:

"By the way, you don't want users permanently added to groups like audio or video. Such user would be able to ssh into the machine while you are using it and spy on you using webcam, microphone etc. Access to such critical peripherals should only be granted for active user."

Does this concern pulseaudio in the system mode with users added to the pulse-access group?
[systemd-devel] Automatic user ACL management
As you can read, for instance here ( http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/ ), logind, which is a part of systemd, can set permissions to some devices for user sessions. There's also a vid showing how this kind of behavior works in practice ( https://www.youtube.com/watch?v=qcD4Qr5ldbI ). In short, if you start, let's say, amarok, and you play some song, you will hear the sound till you switch to another user or TTY where you have only the login prompt. That's because the active session became inactive.

I know that you can simply add a user (or users) to a specific group, in this case "audio", and that will 'fix' this issue, but I'm wondering if there's another solution. What I really want is to set some permissions for the process so it could use the sound card all the time, even when all users have their sessions locked.

Is that possible? I'm asking because I often listen to the music and I don't really need my monitor to be on most of the time, so I just lock the screen. But when I lock the screen, the active session becomes inactive and amarok stops playing. And yes, the screen should be locked, and not just turned off.
Re: [systemd-devel] KillUserProcesses timeout
This is the log when my system works as usual: (loginctl session-status)

1 - morfik (1000)
Since: Sun 2015-04-26 23:19:01 CEST; 18h ago
Leader: 1720 (lightdm)
Seat: seat0; vc7
Display: :0
Service: lightdm; type x11; class user
State: online
Unit: session-1.scope
├─ 1720 lightdm --session-child 12 19
├─ 1764 /usr/bin/gnome-keyring-daemon --daemonize --login
├─ 1766 /usr/bin/openbox --startup /usr/lib/x86_64-linux-gnu/openbox-autostart OPENBOX
├─ 1808 /usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/morfik/.gnupg/gpg-agent-info-morfikownia /usr/bin/dbus-launch --exit-with-session /usr/bin/openbox-session
├─ 1809 /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/morfik/.gnupg/gpg-agent-info-morfikownia /usr/bin/dbus-launch --exit-with-session /usr/bin/openbox-session
├─ 1812 /usr/bin/dbus-launch --exit-with-session /usr/bin/openbox-session
├─ 1813 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
├─ 1829 compton --config /home/morfik/.config/compton.conf -b
├─ 1844 /usr/bin/urxvtd -q -f -o
├─ 1845 /usr/bin/urxvtd -q -f -o
├─ 1848 tint2 -c /home/morfik/.config/tint2/tint2rc_up
├─ 1849 tint2 -c /home/morfik/.config/tint2/tint2rc_down
├─ 1880 sg p2p -c megasync
├─ 1881 claws-mail
├─ 1883 volumeicon
├─ 1887 megasync
├─ 1888 xfce4-volumed
├─ 1890 /usr/lib/x86_64-linux-gnu/gconf/gconfd-2
├─ 1911 /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
├─ 1912 tmux attach-session -t system-logs
├─ 1972 tmux attach-session -t system-logs
├─ 2000 zsh -c journalctl -b --no-pager --since -10m | ccze -m ansi && systemctl --failed --no-pager | ccze -m ansi && journalctl -n 0 -f | ccze -m ansi
├─ 2003 zsh -c cat /dev/log-lxc | ccze -m ansi -p syslog -C
├─ 2004 newsbeuter
├─ 2056 light-locker
├─ 2129 cat /dev/log-lxc
├─ 2131 ccze -m ansi -p syslog -C
├─ 2177 /usr/lib/at-spi2-core/at-spi-bus-launcher
├─ 2180 /usr/lib/dconf/dconf-service
├─ 2184 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
├─ 2194 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
├─ 2546 /usr/bin/pulseaudio --start --log-target=syslog
├─ 2637 journalctl -n 0 -f
├─ 2638 ccze -m ansi
├─ 2640 /usr/lib/pulseaudio/pulse/gconf-helper
├─ 2691 tmux attach-session -t tmux
├─ 2794 -zsh
├─ 2881 su -
├─ 2898 -su
├─ 3557 -zsh
├─15023 conky -c /home/morfik/.conky/.conkyrc_fs
├─15060 conky -c /home/morfik/.conky/.conkyrc
├─15899 conky -c /home/morfik/.conky/1c/.conkyrc_1c
└─15900 conky -c /home/morfik/.conky/1b1/.conkyrc_1b1_int

Apr 27 13:11:51 morfikownia su[68365]: pam_unix(su:session): session closed for user debian-security-support
Apr 27 13:11:51 morfikownia su[68388]: Successful su for debian-security-support by root
Apr 27 13:11:51 morfikownia su[68388]: + ??? root:debian-security-support
Apr 27 13:11:51 morfikownia su[68388]: pam_unix(su:session): session opened for user debian-security-support by (uid=0)
Apr 27 13:11:51 morfikownia su[68388]: pam_unix(su:session): session closed for user debian-security-support
Apr 27 13:12:10 morfikownia su[69569]: Successful su for morfik by root
Apr 27 13:12:10 morfikownia su[69569]: + ??? root:morfik
Apr 27 13:12:10 morfikownia su[69569]: pam_unix(su:session): session opened for user morfik by (uid=0)
Apr 27 13:12:10 morfikownia org.freedesktop.Notifications[1813]: (xfce4-notifyd:69577): Gtk-WARNING **: Failed to set text from markup due to error parsing markup: Unknown tag 'p' on line 1 char 20
Apr 27 13:12:12 morfikownia su[69569]: pam_unix(su:session): session closed for user morfik

21 - root (0)
Since: Mon 2015-04-27 18:00:08 CEST; 6min ago
Leader: 41244 (login)
Seat: seat0; vc1
TTY: /dev/tty1
Service: login; type tty; class user
State: active
Unit: session-21.scope
├─12773 -zsh
├─15435 loginctl session-status 1 21 c1
└─41244 /bin/login --

Apr 27 18:00:08 morfikownia systemd[1]: Started Session 21 of user root.
Apr 27 18:00:08 morfikownia systemd[1]: Starting Session 21 of user root.
Apr 27 18:00:08 morfikownia login[
Re: [systemd-devel] KillUserProcesses timeout
On Fri, 24 Apr 2015 19:04:53 +0200 Lennart Poettering wrote:
> On Tue, 27.01.15 04:28, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
>
> Sorry for the really late reply, still trying to work through piles of mail.
>
> > > Hmm, not sure I follow.
> >
> > It only happens if I'm logged in as root in tmux.
> >
> > > The session is shown as closing, that's good. Can you check what "systemctl status" reports on the scope unit if this hang happens?
> > >
> > > Lennart
> >
> > I'm not sure if I did the right thing, but there it is.
> >
> > After logout:
> >
> > ● user-1000.slice
> >    Loaded: loaded
> >    Active: active since Tue 2015-01-27 04:13:31 CET; 8min ago
> >    CGroup: /user.slice/user-1000.slice
> >            ├─session-7.scope
> >            │ ├─32562 gpg-agent -s --enable-ssh-support --daemon --write-env-file /home/morfik/.gpg-agent-info
> >            │ ├─32692 tmux attach-session -t logi
> >            │ ├─32696 bash -c cat /dev/logi | ccze -m ansi -p syslog -C
> >            │ ├─32697 -bash
> >            │ ├─32698 newsbeuter
> >            │ ├─32702 cat /dev/logi
> >            │ ├─32703 ccze -m ansi -p syslog -C
> >            │ ├─34376 su -
> >            │ └─34393 -su
>
> This here is probably the issue: you opened a su session from your session, and that keeps things referenced and open.
>
> Lennart

Yep, that's the problem, but after 10-20 secs (I don't remember exactly) the session will be closed, and the question was: is there a way to make it faster, I mean without the delay so it would be closed just after the user logged off.
Re: [systemd-devel] journald problems
On Wed, 22 Apr 2015 00:28:12 +0200 Michał Zegan wrote:

> Hello.
>
> I have just removed my journal files and restarted journald. I then
> generated sealing keys, saved the verification key. The system worked
> for maybe an hour or less, I had to power it off, then it was
> restarted. I tried to verify the journal.
> This is what happened:
>
> PASS: /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/system.journal
> 390398: tag failed verification
> File corruption detected at /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1000.journal:390398 (of 8388608 bytes, 44%).
> FAIL: /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1000.journal (Bad message)
> 3987a0: tag failed verification
> File corruption detected at /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1002.journal:3987a0 (of 8388608 bytes, 44%).
> FAIL: /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1002.journal (Bad message)
> 3903a0: tag failed verification
> File corruption detected at /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1001.journal:3903a0 (of 8388608 bytes, 44%).
> FAIL: /var/log/journal/a523e1ef5ffe4b15b9d2698b85e944cd/user-1001.journal (Bad message)
>
> What is happening here? It always happens after sealing, no matter
> what I am doing, all new journal files are corrupted and show this
> message.
>
> Systemd version 219, system is archlinux, kernel 3.19.3-3-ARCH, and
> filesystem is btrfs if at all important.

It seems you have exactly the same issue that I had. I described the problem here: http://lists.freedesktop.org/archives/systemd-devel/2015-February/028119.html , but no one answered it. I was just testing this sealing feature and forgot about it because I couldn't make it work, and there was no info on what to do with the problem. It seems I'm not the only one who has the issue: you have it on archlinux, and I had it on debian, different kernels, and different filesystem types.
[systemd-devel] How to set primary slave in active-backup mode (bonding)
I usually have two network interfaces on my laptops (one eth and one wlan), and when I was using sysvinit I was also configuring the bond interface via the /etc/network/interfaces file so the two interfaces could work in the active-backup mode. But now they work in balance-rr mode, which is set via the .netdev file. The problem with this mode is that when you have, let's say, wifi 30mbit/s and wired 100mbit/s, you can get 60mbit/s max, and that's why I wanted to use the active-backup mode, which switches from wire to wifi and vice versa depending on whether the ethernet cable is plugged in. Generally speaking, I have to set some additional parameters so this could work well, and that would be:

...
bond-primary eth1
bond-primary-reselect always
bond-slaves eth1 wlan0
bond-fail-over-mac none
...

I'm not sure if all of them are necessary, and the question is how to pass these parameters in systemd? I'm asking because in the systemd.netdev manual, in the bond section, these options weren't specified.
Re: [systemd-devel] systemd-resolved service ignores UseDNS=false
I think I get it now. I have two interfaces that have different DNS servers set -- bond0 and br_lxc. All of the LXC containers use my router's DNS and everything else uses 127.0.2.1. The config file for the br_lxc interface looks like this:

[Match]
Name=br_lxc

[Network]
Description=LXC bridge configuration
DHCP=no
LinkLocalAddressing=no
Address=192.168.10.100/24
DNS=192.168.1.1
IPForward=true

Now the DNS option is empty, and the 192.168.1.1 resolver disappeared from the /etc/resolv.conf file, and this is what I actually wanted, and I've accidentally found the bug. :)

I also changed the bond0 interface config file to the following one:

[Match]
Name=bond0

[Network]
Description=Bonded network
DHCP=ipv4
LinkLocalAddressing=no
DNS=
IPForward=true

[DHCP]
UseDNS=false
UseMTU=false
SendHostname=true
UseHostname=false
UseDomains=true
UseRoutes=true
CriticalConnection=true
RequestBroadcast=true

And in the /etc/systemd/resolved.conf file I set DNS=127.0.2.1 only, and the two interfaces look like this:

# networkctl status -a
...
● 6: br_lxc
       Link File: n/a
    Network File: /etc/systemd/network/30-br_lxc-static.network
            Type: ether
           State: no-carrier (configured)
          Driver: bridge
      HW Address: 6e:7d:a5:7f:d6:06
             MTU: 1500
         Address: 192.168.10.100
                  fe80::6c7d:a5ff:fe7f:d606

● 7: bond0
       Link File: n/a
    Network File: /etc/systemd/network/50-bond0-dhcp.network
            Type: ether
           State: routable (configured)
          Driver: bonding
      HW Address: 3c:4a:92:00:4c:5b (Hewlett-Packard Company)
             MTU: 1500
         Address: 192.168.1.150
                  fe80::3e4a:92ff:fe00:4c5b
         Gateway: 192.168.1.1 (TP-LINK TECHNOLOGIES CO.,LTD)
          Domain: mhouse.lh

I'm not sure, but shouldn't there be a DNS field pointing to the local 127.0.2.1 address that was set in the /etc/systemd/resolved.conf file? It looks like the DNS line in the above output shows up only if the DNS= option is set in the corresponding interface config file.
[systemd-devel] systemd-resolved service ignores UseDNS=false
In the systemd-resolved manual we can read something like this:

    The DNS servers contacted are determined from the global settings in resolved.conf(5), the per-link static settings in .network files, and the per-link dynamic settings received over DHCP.

1. Let's say that I have set all three settings, which one will be applied?

2. If I set the global settings via the /etc/systemd/resolved.conf file, for instance:

[Resolve]
DNS=127.0.2.1
FallbackDNS=208.67.222.222 208.67.220.220

will this local resolver be used all the time, even when the dhcp server sends the ip address of another resolver in the network to the client?

I don't know how that is supposed to work, but it looks like it doesn't work in the way I thought it would. So I added some entries to this /etc/systemd/network/50-bond0-dhcp.network file:

[Match]
Name=bond0

[Network]
Description=Bonded network
DHCP=ipv4
LinkLocalAddressing=no
DNS=127.0.2.1
IPForward=true

[DHCP]
UseDNS=false
UseMTU=false
SendHostname=true
UseHostname=false
UseDomains=true
UseRoutes=true
CriticalConnection=true
RequestBroadcast=true

And according to the systemd-networkd manual:

    DNS -- a DNS server address, which must be in the format described in inet_pton(3). This option may be specified more than once.

    UseDNS -- when true (the default), the DNS servers received from the DHCP server will be used and take precedence over any statically configured ones.

(btw, the link to inet_pton is dead)

So UseDNS is set to false, and I thought the system would be using the local resolver, but it sometimes uses the local settings and sometimes not -- it depends on restarting the systemd-resolved service, for example:

# ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 32 2015-02-27 23:52:39 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
# cat /etc/resolv.conf
nameserver 127.0.2.1
nameserver 192.168.1.1
search mhouse.lh
# systemctl restart systemd-resolved.service
# cat /etc/resolv.conf
nameserver 192.168.1.1
nameserver 127.0.2.1
search mhouse.lh

(I've cut the comments for readability)

As you can see, the two resolvers just switched, and it seems that my system tries to use 192.168.1.1, but I disabled it for testing on my router. After I ping a domain, I have a 10s lag, and then ping goes there and back, so it falls back to the local resolver.

3. Shouldn't there be just one resolver in the /etc/resolv.conf file?

4. How to force the system to use one particular resolver no matter what? I know I could probably do that by creating a static file instead of a link (and maybe chattr +i if necessary), but I want to do this using the systemd native tools, if that is possible of course.

5. Is the /etc/resolv.conf file necessary when using systemd?
[systemd-devel] systemd-fsckd: Couldn't connect to plymouth: Connection refused
This is the full log I got when I tried to mount the device:

Mar 14 20:46:08 morfikownia polkitd(authority=local)[1266]: Registered Authentication Agent for unix-process:11439:94979 (system bus name :1.41 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 14 20:46:08 morfikownia systemd[1]: Starting Cryptography Setup for grafi...
Mar 14 20:46:08 morfikownia cryptdisks_start[11444]: Starting crypto disk...grafi (starting)...
Mar 14 20:46:11 morfikownia cryptdisks_start[11444]: grafi (started)...done.
Mar 14 20:46:11 morfikownia systemd[1]: Started Cryptography Setup for grafi.
Mar 14 20:46:11 morfikownia systemd[1]: Found device /dev/mapper/grafi.
Mar 14 20:46:11 morfikownia systemd[1]: Starting File System Check on /dev/mapper/grafi...
Mar 14 20:46:11 morfikownia systemd[1]: Started File System Check Daemon to report status.
Mar 14 20:46:11 morfikownia systemd[1]: Starting File System Check Daemon to report status...
Mar 14 20:46:12 morfikownia systemd-fsck[11515]: grafi has been mounted 22 times without being checked, check forced.
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:12 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:13 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:13 morfikownia systemd-fsck[11515]: grafi: 21194/1966080 files (4.9% non-contiguous), 7743265/7863808 blocks
Mar 14 20:46:13 morfikownia systemd-fsckd[11517]: Couldn't connect to plymouth: Connection refused
Mar 14 20:46:13 morfikownia systemd[1]: Started File System Check on /dev/mapper/grafi.
Mar 14 20:46:13 morfikownia systemd[1]: Mounting /media/Grafi...
Mar 14 20:46:13 morfikownia systemd[1]: Mounted /media/Grafi.
Mar 14 20:46:13 morfikownia kernel: EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: errors=remount-ro,commit=10
Mar 14 20:46:13 morfikownia polkitd(authority=local)[1266]: Unregistered Authentication Agent for unix-process:11439:94979 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

That's an encrypted partition, and I open it sometimes after I log into the system, because most of the time I don't need it, and I don't want it to be mounted at boot automatically. The device works well after mounting, but what about the systemd-fsckd message? Is there a way to get rid of that?

I can't use the systemd-cryptsetup@grafi.service file directly because I use the keyscript=/lib/cryptsetup/scripts/decrypt_derived option in the /etc/crypttab file, and as far as I know, systemd isn't able to use that option, so I had to change the service file a little bit, and it looks like this:

[Unit]
Description=Cryptography Setup for %I
Documentation=man:cryptdisks_start man:cryptdisks_stop man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
IgnoreOnIsolate=true
Before=systemd-fsck@dev-mapper-grafi.service media-Grafi.mount umount.target
After=dev-disk-by\x2duuid-d314ed20\x2dffaf\x2d4a18\x2d98a7\x2d91538e79d981.device cryptsetup-pre.target systemd-fsck-root.service
BindsTo=dev-mapper-%i.device
BindsTo=dev-disk-by\x2duuid-d314ed20\x2dffaf\x2d4a18\x2d98a7\x2d91538e79d981.device
Conflicts=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=30
ExecStart=/usr/sbin/cryptdisks_start %i
ExecStop=/usr/sbin/cryptdisks_stop %i

[Install]
WantedBy=cryptsetup.target

It's basically the same file which was generated by systemd-cryptsetup-generator. I only changed the Exec lines so it could use the debian tools that can open the device using the keyscript option. I don't know if that is related in any way to this problem, but I inform yo
Re: [systemd-devel] systemd-networkd and bonding config
> You can use "options bonding max_bonds=0" to disable the creation of
> bond0.

That's exactly what I needed:

# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 1000
Up Delay (ms): 5000
Down Delay (ms): 5000

Slave Interface: wlan0
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: c0:cb:38:01:f0:f5
Slave queue ID: 0

Slave Interface: eth1
MII Status: going down
Speed: 10 Mbps
Duplex: half
Link Failure Count: 1
Permanent HW addr: 3c:4a:92:00:4c:5b
Slave queue ID: 0

There's only one bond interface and also the MAC address is the right one.
Re: [systemd-devel] systemd-networkd and bonding config
> Alternatively, if you're attached to the name bond0, you might be able
> to something like this (not tested with systemd-networkd):
>
> /etc/modprobe.d/rename-bond.conf:
>
> install bonding /usr/sbin/modprobe --ignore-install bonding \
>     $CMDLINE_OPTS; /usr/sbin/ip link set dev bond0 down; \
>     /usr/sbin/ifrename -c /dev/null -i bond0 -n FOO >/dev/null

It doesn't work. It just removed the bond interfaces completely (it doesn't matter whether I use bond0 or bond1):

root:~# networkctl
IDX LINK   TYPE     OPERATIONAL SETUP
  1 lo     loopback carrier     configured
  2 eth1   ether    off         configuring
  3 ifb0   ether    off         unmanaged
  4 ifb1   ether    off         unmanaged
  5 wlan0  wlan     degraded    configuring
  6 br_lxc ether    no-carrier  configured

6 links listed.

Maybe I'll just stay with the bond1 interface.
Re: [systemd-devel] systemd-networkd and bonding config
> The logic here is that when we create a new bond we will create it
> with these settings, but we will not change the settings of a
> preexisting bond, as that may have been created by somebody else we
> don't know about so we figure better leave it alone.
>
> The confusing part here is that the kernel will create bond0 with
> default settings, and we will then not touch that. Ideally there would
> be a kernel config switch to make it not create default devices like
> that, but for the moment I think the best solution is to simply call
> your bond something else. So if you put bond1 everywhere instead
> things should JustWork(TM).

I performed some tests, and I was able to run my system without bond interfaces. So I think there's nothing that could trigger the creation of these kinds of interfaces. The next thing I did was to create a .netdev file that set up the bond0 interface (+ the rest of the config files), and here's the log:

# journalctl -b | grep -i bond
Mar 05 05:04:12 morfikownia kernel: bonding: Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Mar 05 05:04:12 morfikownia systemd-networkd[862]: bond0 : netdev ready
Mar 05 05:04:12 morfikownia kernel: IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
Mar 05 05:04:12 morfikownia kernel: bonding: bond0: Enslaving wlan0 as an active interface with an up link
Mar 05 05:04:12 morfikownia kernel: IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
Mar 05 05:04:12 morfikownia systemd-networkd[862]: bond0 : bond0 : could not bring up interface: Invalid argument
Mar 05 05:04:12 morfikownia kernel: bonding: bond0: Enslaving eth1 as an active interface with an up link
Mar 05 05:04:12 morfikownia systemd-networkd[862]: bond0 : gained carrier
Mar 05 05:04:19 morfikownia systemd-networkd[862]: bond0 : DHCPv4 address 192.168.1.113/24 via 192.168.1.1
Mar 05 05:04:19 morfikownia systemd-networkd[862]: bond0 : link configured

As you can see, there's nothing before it, so I don't understand why the bond0 interface has some problems. Anyway, I changed the files and set bond1 instead of bond0, and here's the log:

root:~# journalctl -b | grep -i bond
Mar 05 05:09:18 morfikownia kernel: bonding: Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Mar 05 05:09:18 morfikownia kernel: bonding: bond1: Setting MII monitoring interval to 1000
Mar 05 05:09:18 morfikownia kernel: bonding: bond1: Setting up delay to 5000
Mar 05 05:09:18 morfikownia kernel: bonding: bond1: Setting down delay to 5000
Mar 05 05:09:18 morfikownia systemd-networkd[945]: bond1 : netdev ready
Mar 05 05:09:19 morfikownia kernel: bonding: bond1: Enslaving wlan0 as an active interface with a down link
Mar 05 05:09:19 morfikownia systemd-networkd[945]: bond1 : gained carrier
Mar 05 05:09:19 morfikownia systemd-networkd[945]: bond1 : bond1 : could not bring up interface: Invalid argument
Mar 05 05:09:19 morfikownia systemd-networkd[945]: bond1 : lost carrier
Mar 05 05:09:19 morfikownia systemd-networkd[945]: bond1 : DHCPv4 connection considered system critical, ignoring request to reconfigure it.
Mar 05 05:09:19 morfikownia kernel: bonding: bond1: Enslaving eth1 as an active interface with a down link
Mar 05 05:09:20 morfikownia kernel: bonding: bond1: link status up for interface wlan0, enabling it in 0 ms
Mar 05 05:09:20 morfikownia kernel: bonding: bond1: link status definitely up for interface wlan0, 0 Mbps full duplex
Mar 05 05:09:20 morfikownia kernel: bonding: bond1: first active interface up!
Mar 05 05:09:20 morfikownia systemd-networkd[945]: bond1 : gained carrier
Mar 05 05:09:22 morfikownia systemd-networkd[945]: bond1 : DHCPv4 address 192.168.1.150/24 via 192.168.1.1
Mar 05 05:09:22 morfikownia systemd-networkd[945]: bond1 : link configured

It's a little bit longer, and as you can see there's just bond1 info and nothing concerning bond0. Also the MAC address changed at this point -- it looks like the bond0 interface caused that problem.

I thought that only one interface was created, but there were two of them. The bond0 interface looks like this:

root:~# cat /proc/net//bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: down
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

and the other one:

root:~# cat /proc/net//bonding/bond1
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 1000
Up Delay (ms): 5000
Down Delay (ms): 5000

Slave Interface: wlan0
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: c0:cb:38:01:f0:f5
Slave queue ID: 0

Slave Interface: eth1
MII Status: down
Speed: 10 Mbps
Duplex: half
Link Failure Count: 0
Permanent HW addr: 3c:4a:92:00:4c:5b
Slave queue ID: 0

and the bond1 wor
[systemd-devel] systemd-networkd and bonding config
I've just finished the migration from the /etc/init.d/networking script to the systemd-networkd solution, and I just wanted to ask a couple of things. First, I have two interfaces -- one wired (eth1) and one wifi (wlan0), and I want them to be bonded into one bond0 interface. I had that solution when I was using sysvinit, and, so far, I haven't played with the network settings. After some reading, I managed to set up the exact same setup and it works, more or less. Here are the questions:

1. How to set a MAC address on the bond0 interface? So far, I created a 05-bond0.link file:

# cat /etc/systemd/network/05-bond0.link
[Match]
Driver=bonding
Name=bond0

[Link]
MACAddress=3c:4a:92:00:4c:5b

The MAC address is the MAC address of the eth1 interface. Is this the right way to do it?

2. I noticed that the bonding information is bugged for some reason, I mean, when you check it under:

# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: wlan0
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: c0:cb:38:01:f0:f5
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 10 Mbps
Duplex: half
Link Failure Count: 0
Permanent HW addr: 3c:4a:92:00:4c:5b
Slave queue ID: 0

it gives you the proper interfaces, but Up/Down Delay are set to 0 and "Link Failure Count" doesn't count anything. The "Bonding Mode" is also wrong. This is the bonding file for networkd:

# cat 20-bond0.netdev
[NetDev]
Description=Bonding interface
Name=bond0
Kind=bond
MACAddress=3c:4a:92:00:4c:5b

[Bond]
Mode=active-backup
MIIMonitorSec=200
UpDelaySec=1000
DownDelaySec=1000

Is the information bugged, or should I check some other file in order to see the bonding settings?

3. I don't know why, but sometimes (at boot stage) I get the following error message:

# journalctl -b -1 -u systemd-networkd
-- Logs begin at Sun 2015-02-22 21:48:12 CET, end at Sat 2015-02-28 12:33:57 CET. --
Feb 28 12:08:26 morfikownia systemd[1]: Starting Network Service...
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: bond0 : netdev ready
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: br_lxc : netdev ready
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: Enumeration completed
Feb 28 12:08:27 morfikownia systemd[1]: Started Network Service.
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: ifb0: lost carrier
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: ifb1: lost carrier
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: ifb0: gained carrier
Feb 28 12:08:27 morfikownia systemd-networkd[1165]: ifb1: gained carrier
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: bond0 : bond0 : could not bring up interface: Invalid argument
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: br_lxc : br_lxc : could not bring up interface: Invalid argument
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: br_lxc : link configured
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: wlan0 : wlan0 : could not join netdev: Operation not permitted
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: wlan0 : failed
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: eth1: link configured
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: lo : link configured
Feb 28 12:08:28 morfikownia systemd-networkd[1165]: bond0 : gained carrier
Feb 28 12:08:34 morfikownia systemd-networkd[1165]: wlan0 : gained carrier
Feb 28 12:11:02 morfikownia systemd-networkd[1165]: wlan0 : lost carrier

But after the boot stage, when I restart the systemd-networkd service, everything works just fine.

Feb 28 12:14:52 morfikownia systemd[1]: Starting Network Service...
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: bond0 : netdev ready
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: br_lxc : netdev ready
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: Enumeration completed
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: ifb0: lost carrier
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: ifb1: lost carrier
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: ifb0: gained carrier
Feb 28 12:14:53 morfikownia systemd[1]: Started Network Service.
Feb 28 12:14:53 morfikownia systemd-networkd[1103]: ifb1: gained carrier
Feb 28 12:14:54 morfikownia systemd-networkd[1103]: bond0 : bond0 : could not bring up interface: Invalid argument
Feb 28 12:14:54 morfikownia systemd-networkd[1103]: br_lxc : br_lxc : could not bring up interface: Invalid argument
Feb 28 12:14:54 morfikownia systemd-networkd[1103]: br_lxc : link configured
Feb 28 12:14:54 morfikownia sy
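Making the comparison behind question 2 mechanical, as an added check that is not code from systemd-networkd or from anyone in this thread: parse /proc/net/bonding/<name> and hold it against the [Bond] section of the .netdev; for the bond0 shown above every value comes back as the kernel default, which is what a bond created by the kernel before networkd touched it looks like (see the replies about pre-existing bond0). The bond0 texts are copied from the thread; NETDEV_BOND1 and PROC_BOND1 are constructed to match the bond1 values the replies report. It assumes systemd's time-span rule that a bare number is seconds, so MIIMonitorSec=200 is compared as 200000 ms.

```python
"""Compare a bond's kernel state (/proc/net/bonding/<name>) with the [Bond] section
of the .netdev that was supposed to configure it.
Added check for this thread; not code from systemd-networkd or from the posters."""
import re
from configparser import ConfigParser

# Copied from the thread: the .netdev used for bond0 and what the kernel reported.
NETDEV_BOND0 = """\
[NetDev]
Name=bond0
Kind=bond
MACAddress=3c:4a:92:00:4c:5b

[Bond]
Mode=active-backup
MIIMonitorSec=200
UpDelaySec=1000
DownDelaySec=1000
"""

PROC_BOND0 = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: wlan0
MII Status: up
Permanent HW addr: c0:cb:38:01:f0:f5

Slave Interface: eth1
MII Status: up
Permanent HW addr: 3c:4a:92:00:4c:5b
"""

# Constructed: a .netdev matching the bond1 values the replies show
# (MII 1000 ms, delays 5000 ms, round-robin) and the kernel output for it.
NETDEV_BOND1 = """\
[NetDev]
Name=bond1
Kind=bond

[Bond]
Mode=balance-rr
MIIMonitorSec=1s
UpDelaySec=5s
DownDelaySec=5s
"""

PROC_BOND1 = """\
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 1000
Up Delay (ms): 5000
Down Delay (ms): 5000

Slave Interface: wlan0
"""

# The kernel's name for each systemd Mode= value, as printed in /proc/net/bonding.
KERNEL_MODE = {
    "balance-rr": "load balancing (round-robin)",
    "active-backup": "fault-tolerance (active-backup)",
    "balance-xor": "load balancing (xor)",
    "broadcast": "fault-tolerance (broadcast)",
    "802.3ad": "IEEE 802.3ad Dynamic link aggregation",
    "balance-tlb": "transmit load balancing",
    "balance-alb": "adaptive load balancing",
}
# systemd time-span units in milliseconds; a bare number means seconds.
UNIT_MS = {"": 1000, "s": 1000, "sec": 1000, "ms": 1, "msec": 1,
           "min": 60_000, "m": 60_000, "h": 3_600_000}


def timespan_to_ms(text):
    """Convert a systemd time span ('200', '1s', '1min 30s') to whole milliseconds."""
    parts = re.findall(r"(\d+(?:\.\d+)?)\s*([a-zA-Z]*)", text)
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError(f"unsupported time span: {text!r}")
    return int(sum(float(n) * UNIT_MS[u] for n, u in parts))


def parse_proc_bonding(text):
    """Split /proc/net/bonding/<name> into the bond's own fields and one dict per slave."""
    bond, slaves = {}, []
    current = bond
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # blank lines separate the blocks
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":      # a new slave block starts here
            current = {}
            slaves.append(current)
        current[key] = value
    return bond, slaves


def check_bond(netdev_text, proc_text):
    """Return ({field: (wanted, actual)} for each mismatch, [slave interface names])."""
    cfg = ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str                 # keep systemd's CamelCase keys
    cfg.read_string(netdev_text)
    bond = cfg["Bond"] if cfg.has_section("Bond") else {}
    wanted = {                            # kernel defaults apply when a key is absent
        "Bonding Mode": KERNEL_MODE[bond.get("Mode", "balance-rr")],
        "MII Polling Interval (ms)": str(timespan_to_ms(bond.get("MIIMonitorSec", "0"))),
        "Up Delay (ms)": str(timespan_to_ms(bond.get("UpDelaySec", "0"))),
        "Down Delay (ms)": str(timespan_to_ms(bond.get("DownDelaySec", "0"))),
    }
    actual, slaves = parse_proc_bonding(proc_text)
    mismatches = {k: (v, actual.get(k)) for k, v in wanted.items() if actual.get(k) != v}
    return mismatches, [s["Slave Interface"] for s in slaves]


if __name__ == "__main__":
    for name, netdev, proc in (("bond0", NETDEV_BOND0, PROC_BOND0), ("bond1", NETDEV_BOND1, PROC_BOND1)):
        mism, slaves = check_bond(netdev, proc)
        print(name, "slaves", slaves, "OK" if not mism else f"MISMATCH {mism}")
```

On a live host, replace the sample strings with the contents of the .netdev and of /proc/net/bonding/<name>; an all-defaults result on a bond you configured is the signature of the pre-existing-bond case described in the replies.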
[systemd-devel] Cgroup limits for user processes
What is the best way to set cgroup limits for user processes? I mean the individual processes. I know that you can set limits for user.slice, but how to set limits for, let's say, firefox? I tried to make a service file for firefox, it looks like this:

[Unit]
Description=Firefox Web Browser
Documentation=https://www.mozilla.org/
After=graphical.target
Before=shutdown.target

[Service]
Environment="DISPLAY=:0"
User=morfik
Type=simple
ExecStart=/opt/firefox/firefox -new-instance -ProfileManager
Restart=no
RemainAfterExit=no
Nice=5
IOSchedulingClass=best-effort
IOSchedulingPriority=3
OOMScoreAdjust=500
CPUShares=512
MemoryLimit=300M
BlockIOWeight=256

The parameters are just for testing purposes, and of course the unit is a system unit. I tested it with:

morfik:~$ systemctl start firefox.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: morfik
Password:
==== AUTHENTICATION COMPLETE ===

and the service starts. The "nice" parameters are set, and so are the cgroups:

morfik:~$ systemctl status firefox
● firefox.service - Firefox Web Browser
   Loaded: loaded (/etc/systemd/system/firefox.service; static; vendor preset: enabled)
   Active: active (running) since Wed 2015-02-18 12:11:49 CET; 1min 46s ago
     Docs: https://www.mozilla.org/
 Main PID: 60773 (firefox)
   Memory: 259.2M (limit: 300.0M)
   CGroup: /system.slice/firefox.service
           └─60773 /opt/firefox/firefox -new-instance -ProfileManager

I didn't really like the way I started firefox, so I tried to move the service from the system to the user dir. I also changed the unit file a little bit -- the user and env lines were removed.

After the change, I started the service in order to test whether it works or not:

morfik:~$ systemctl --user daemon-reload
morfik:~$ systemctl --user start firefox.service
morfik:~$ systemctl --user status firefox.service
● firefox.service - Firefox Web Browser
   Loaded: loaded (/etc/systemd/user/firefox.service; static; vendor preset: enabled)
   Active: active (running) since Wed 2015-02-18 12:20:56 CET; 19s ago
     Docs: https://www.mozilla.org/
 Main PID: 64082 (firefox)
   CGroup: /user.slice/user-1000.slice/user@1000.service/firefox.service
           └─64082 /opt/firefox/firefox -new-instance -ProfileManager

It works, but as you can see, there are no cgroup limits. The "nice" parameters are set correctly, but it looks like the cgroup ones are ignored for some reason. Here are some additional commands:

# cat /proc/`pidof firefox`/cgroup
9:blkio:/
8:cpuset:/
7:freezer:/
6:cpu,cpuacct:/
5:perf_event:/
4:devices:/user.slice
3:memory:/
2:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/firefox.service

root:~# systemd-cgls
├─1 /sbin/init splash
├─system.slice
│ ├─dbus.service
│ │ └─1529 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
...
└─user.slice
  ├─user-1000.slice
  │ ├─session-1.scope
  │ │ ├─ 2027 lightdm --session-child 12 19
  ...
  │ └─user@1000.service
  │   ├─2031 /lib/systemd/systemd --user
  │   ├─2032 (sd-pam)
  │   └─firefox.service
  │     └─64082 /opt/firefox/firefox -new-instance -ProfileManager
  └─user-108.slice
    ├─session-c1.scope
    │ ├─2013 /usr/bin/dbus-launch --autolaunch 159815709bbc46c29ef786cfc497afd4 --binary-syntax --close-stderr
    │ ├─2014 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
    │ ├─2016 /usr/lib/at-spi2-core/at-spi-bus-launcher
    │ ├─2020 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
    │ └─2023 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
    └─user@108.service
      ├─1992 /lib/systemd/systemd --user
      └─1993 (sd-pam)

root:~# ls -al /sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/firefox.service/
total 0
drwxr-xr-x  2 morfik morfik 0 2015-02-18 12:20:56 ./
drwxr-xr-x 24 morfik morfik 0 2015-02-18 12:20:56 ../
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 cgroup.clone_children
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 cgroup.procs
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 notify_on_release
-rw-r--r--  1 morfik morfik 0 2015-02-18 12:20:56 tasks

BTW, one more thing. Is there a way to set a mark for network packets using unit services? I really need this feature, but I couldn't find any useful information on this subject.
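The /proc/<pid>/cgroup output in the post already contains the answer to "why are the limits ignored": only the name=systemd hierarchy follows the unit, while the memory, cpu and blkio hierarchies place firefox at the root, so MemoryLimit=, CPUShares= and BlockIOWeight= have no cgroup of their own to act on. The following added check (not code from systemd or from the poster) makes that comparison mechanical; SAMPLE_V1_USER is copied from the post, while SAMPLE_V1_SYSTEM and SAMPLE_V2 are constructed.

```python
"""Report which resource directives of a systemd unit cannot take effect for a
process, judged from the controllers listed in /proc/<pid>/cgroup.
Added check for the post above; not code from systemd or from the poster."""

# Copied from the post: firefox.service run by the user manager (cgroup v1 layout).
SAMPLE_V1_USER = """\
9:blkio:/
8:cpuset:/
7:freezer:/
6:cpu,cpuacct:/
5:perf_event:/
4:devices:/user.slice
3:memory:/
2:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/firefox.service
"""

# Constructed: the layout the system-unit run in the post implies, where
# "Memory: 259.2M (limit: 300.0M)" showed the memory controller was in effect.
SAMPLE_V1_SYSTEM = """\
9:blkio:/system.slice/firefox.service
6:cpu,cpuacct:/system.slice/firefox.service
3:memory:/system.slice/firefox.service
1:name=systemd:/system.slice/firefox.service
"""

# Constructed: the single-line format of a unified (cgroup v2) host.
SAMPLE_V2 = "0::/user.slice/user-1000.slice/user@1000.service/firefox.service\n"

# The cgroup v1 controller each of the post's [Service] directives is implemented with.
DIRECTIVE_CONTROLLER = {
    "MemoryLimit": "memory",
    "CPUShares": "cpu",
    "BlockIOWeight": "blkio",
}


def parse_proc_cgroup(text):
    """Map each controller name to the cgroup path the process sits in.

    v1 lines look like 'hierarchy-id:controller[,controller]:path'; systemd's own
    named hierarchy is 'name=systemd'. v2 has one line '0::path', stored as 'unified'.
    """
    paths = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, controllers, path = line.split(":", 2)
        if controllers == "":
            paths["unified"] = path
            continue
        for ctrl in controllers.split(","):
            paths[ctrl] = path
    return paths


def ineffective_directives(text, directives):
    """Return (unit cgroup path, {directive: controller path}) for the directives
    whose controller does not track the unit's cgroup, i.e. whose limit has nothing
    to act on. On v1/hybrid hosts the unit path comes from name=systemd, on v2 from
    the unified hierarchy; a controller missing from v1 is looked up in unified."""
    paths = parse_proc_cgroup(text)
    unit_path = paths.get("name=systemd") or paths.get("unified")
    if unit_path is None:
        raise ValueError("process is not in a systemd-managed cgroup hierarchy")
    ineffective = {}
    for directive in directives:
        ctrl_path = paths.get(DIRECTIVE_CONTROLLER[directive], paths.get("unified"))
        if ctrl_path != unit_path:
            ineffective[directive] = ctrl_path
    return unit_path, ineffective


if __name__ == "__main__":
    for label, sample in (("user unit, v1", SAMPLE_V1_USER),
                          ("system unit, v1", SAMPLE_V1_SYSTEM),
                          ("user unit, v2", SAMPLE_V2)):
        unit, bad = ineffective_directives(sample, DIRECTIVE_CONTROLLER)
        print(f"{label}: unit cgroup {unit}")
        for directive, where in bad.items():
            print(f"  {directive}= has no effect: {DIRECTIVE_CONTROLLER[directive]} controller at {where}")
```

To run it against a live process, feed it the text of /proc/<pid>/cgroup instead of the samples.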
[systemd-devel] Filtering and remote logs
I'm playing with the journal to see what useful things it can do, and I have two questions:

1. Rsyslog has the ability to filter logs, for instance:

if $syslogtag contains "something" and ($msg contains "something-else" or $msg contains "something-different") then -/var/log/trash.log

or something similar. The thing is that some apps produce certain logs, and I don't want them to be logged. Let's say I type journalctl -f in a terminal, and I want to be capable of seeing all the things except the logs I mentioned. I'm aware of the two options (StandardOutput and StandardError) in the [Service] block of a unit file, but even if I used StandardOutput=null I would lose all the logs that ultimately go to the standard output, and I don't want that either. So there's a question -- is there a way to do some filtering with journald?

2. I'm using rsyslog for two things, one of which I've already mentioned, and the second one is remote logging using a TLS channel. Is journald able to send logs through the network using TLS?

2.1. The bonus question. Let's say journald is able to send logs via an encrypted channel -- what about requests from rsyslog or syslog-ng? Can journald handle them too?
[systemd-devel] File corruption detected (journalctl --verify --verify-key)
Hello there!

I just wanted to ask about the sealing log feature because I can't make it work. I tried to set it up in the following way:

I stopped the journald service:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald-dev-log.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald-audit.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald.service

Then I removed all files from the journal directory:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# rm -R *

The next thing was to change the config file:

# egrep -v "^#" /etc/systemd/journald.conf
[Journal]
Storage=persistent
Compress=yes
Seal=yes
SplitMode=login
SyncIntervalSec=10m
RateLimitInterval=10s
RateLimitBurst=500
SystemMaxUse=300M
SystemMaxFileSize=16M
RuntimeMaxUse=16M
RuntimeMaxFileSize=8M
MaxFileSec=2week
ForwardToSyslog=no
ForwardToKMsg=no
ForwardToConsole=no

Then I generated the keys:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl --setup-keys --interval=60s
Generating seed...
Generating key pair...
Generating sealing key...

The new key pair has been generated. The secret sealing key has been written to the following local file. This key file is automatically updated when the sealing key is advanced. It should not be used on multiple hosts.

/var/log/journal/159815709bbc46c29ef786cfc497afd4/fss

Please write down the following secret verification key. It should be stored at a safe location and should not be saved locally on disk.

4d1177-5d7b1f-c524c8-36150a/16a05bc-3938700

The sealing key is automatically changed every 1min.

The keys have been generated for host morfikownia/159815709bbc46c29ef786cfc497afd4.
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# ls -al
total 12K
drwxr-sr-x+ 2 root systemd-journal 4.0K 2015-02-10 02:00:52 ./
drwxr-sr-x+ 3 root systemd-journal 4.0K 2015-02-03 01:25:36 ../
-rw---+ 1 root systemd-journal 482 2015-02-10 02:00:52 fss

Then I started the service:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald-dev-log.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald-audit.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald.service
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl status systemd-journald.service
● systemd-journald.service - Journal Service
   Loaded: loaded (/lib/systemd/system/systemd-journald.service; static; vendor preset: enabled)
   Active: active (running) since Tue 2015-02-10 02:03:14 CET; 6s ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 15359 (systemd-journal)
   Status: "Processing requests..."
   CGroup: /system.slice/systemd-journald.service
           └─15359 /lib/systemd/systemd-journald

Feb 10 02:03:14 morfikownia systemd-journal[15359]: Permanent journal is using 8.0M (max allowed 300.0M, trying to leave 1…00.0M).
Feb 10 02:03:14 morfikownia systemd-journal[15359]: Journal started
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Hint: Some lines were ellipsized, use -l to show in full.
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# ls -al
total 8.1M
drwxr-sr-x+ 2 root systemd-journal 4.0K 2015-02-10 02:03:14 ./
drwxr-sr-x+ 3 root systemd-journal 4.0K 2015-02-03 01:25:36 ../
-rw---+ 1 root systemd-journal 482 2015-02-10 02:03:14 fss
-rw-r-+ 1 root systemd-journal 8.0M 2015-02-10 02:03:14 system.journal

And here's the thing -- before sealing, there's no problem with the log file:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl --verify --verify-key 4d1177-5d7b1f-c524c8-36150a/16a05bc-3938700
PASS: /var/log/journal/159815709bbc46c29ef786cfc497afd4/system.journal => No sealing yet, 1.794ms of entries not sealed.

But after the sealing:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl --verify --verify-key 4d1177-5d7b1f-c524c8-36150a/16a05bc-3938700
0747c0: tag failed verification
File corruption detected at /var/log/journal/159815709bbc46c29ef786cfc497afd4/system.journal:0747c0 (of 8388608 bytes, 5%).
FAIL: /var/log/journal/159815709bbc46c29ef786cfc497afd4/system.journal (Bad message)

I checked the journal in order to see what's in there:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl
-- Logs begin at Tue 2015-02-10 02:03:14 CET, end at Tue 2015-02-10 02:03:14 CET. --
Feb 10 02:03:14 morfikownia systemd-journal[15359]: Permanent journal is using 8.0M (max allowed 300.0M, trying to leave 1.7G f
Feb 10 02:03:14 morfikownia systemd-journald[259]: Received SIGTERM from PID 1 (systemd).
Fe
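To make the split between the local `fss` file and the written-down verification key concrete, here is an added, deliberately simplified model of forward-secure sealing; it is written for this thread and is not systemd's FSPRG construction or its file format. Each sealing interval gets an HMAC tag under the current epoch key, after which the key is advanced one-way and the old one is dropped, which is what `--interval=60s` controls in the post. The verifier re-derives every epoch key from the verification key alone, which is why that key must live off the box. The key values and the "journal" records below are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


def evolve(key: bytes) -> bytes:
    """One-way key update (toy: a hash of the old key).  Once the writer drops the
    old key, the current key gives no way back to earlier epochs."""
    return hashlib.sha256(b"fss-evolve|" + key).digest()


def seal_tag(key: bytes, epoch: int, data: bytes) -> bytes:
    """Authentication tag over one interval's entries, bound to the epoch number."""
    return hmac.new(key, epoch.to_bytes(8, "big") + data, hashlib.sha256).digest()


@dataclass
class SealedRecord:
    epoch: int
    data: bytes
    tag: bytes


@dataclass
class Sealer:
    """Writer side: holds only the current epoch key, like the local 'fss' file."""
    key: bytes
    epoch: int = 0

    def seal_interval(self, data: bytes) -> SealedRecord:
        rec = SealedRecord(self.epoch, data, seal_tag(self.key, self.epoch, data))
        self.key = evolve(self.key)  # the key that produced this tag no longer exists here
        self.epoch += 1
        return rec


def verify(records: List[SealedRecord], verification_key: bytes) -> Tuple[bool, Optional[int]]:
    """Verifier side: walk the epochs from the off-box verification key and check
    each tag in order.  Returns (ok, first_failing_epoch)."""
    key = verification_key
    for expected_epoch, rec in enumerate(records):
        if rec.epoch != expected_epoch:
            return False, expected_epoch
        if not hmac.compare_digest(rec.tag, seal_tag(key, rec.epoch, rec.data)):
            return False, rec.epoch
        key = evolve(key)
    return True, None


def demo() -> dict:
    """Three sealed intervals, then two tampering scenarios a verifier must catch."""
    verification_key = secrets.token_bytes(32)  # the value --setup-keys asks you to write down
    sealer = Sealer(key=verification_key)
    journal = [sealer.seal_interval(d) for d in (b"epoch0 entries", b"epoch1 entries", b"epoch2 entries")]
    intact = verify(journal, verification_key)

    # 1. Entries of epoch 1 rewritten on disk, tag left alone.
    tampered = [SealedRecord(r.epoch, r.data, r.tag) for r in journal]
    tampered[1].data = b"epoch1 entries (rewritten)"
    after_tamper = verify(tampered, verification_key)

    # 2. Same rewrite, but re-tagged with the *current* sealing key (what a later
    #    theft of the fss file yields).  That key is two evolutions past epoch 1,
    #    so the verifier still rejects the record: this is the forward-security property.
    forged = [SealedRecord(r.epoch, r.data, r.tag) for r in tampered]
    forged[1].tag = seal_tag(sealer.key, 1, forged[1].data)
    after_forge = verify(forged, verification_key)

    return {"intact": intact, "tampered": after_tamper, "forged": after_forge}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ok={result[0]} failing_epoch={result[1]}")
```

The model reports the first failing epoch, which is the analogue of the `0747c0: tag failed verification` offset in the post; what it does not cover is time binding, which is how the real verifier can state that a tail of entries is merely "not sealed yet" rather than invalid.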
Re: [systemd-devel] Container, private network and socket activation
> That indicates that the systemd or apache inside the container do not
> correctly make use of the socket passed into them. You need to
> make sure that inside the container you have pretty much the same
> .socket unit running as on the host. The ListenStream lines must be
> identical, so that systemd inside the container recognizes the sockets
> passed in from the host as the ones to use for apache. The only
> difference for the socket units is that on the host they should
> activate the container, in the container they should activate apache.
> ...
> Well, because the socket wasn't passed on right the connection on it
> will still be queued after the container exits again. systemd will
> thus immediately spawn the container again.
>
> Basically, if you fix your issue #1, your issue #3 will be magically
> fixed too.

Now I understand the mechanism, at least I think so. Unfortunately I have apache 2.4.x. I tried to apply the patches Christian Seiler mentioned, but I was unable to build the package. I think I have to wait a little bit longer in order to make it work.

Anyway, I tried to reproduce the ssh example (it can be found here: http://0pointer.net/blog/projects/socket-activated-containers.html) just for testing purposes, and I don't experience the rebooting issue anymore, but there's another thing:

morfik:~$ ssh -p 23 192.168.10.10
^C
morfik:~$ ssh -p 23 192.168.10.10
ssh: connect to host 192.168.10.10 port 23: Connection refused

The container started when I had tried to connect for the first time, but I couldn't connect to this port after that, and I have no idea why. I tried to figure out what went wrong, but I failed.
# machinectl status debian-tree -l --no-pager
debian-tree
           Since: Thu 2015-02-05 00:21:41 CET; 1min 16s ago
          Leader: 103953 (systemd)
         Service: nspawn; class container
            Root: /media/Kabi/debian-tree
         Address: 192.168.10.10
                  fe80::1474:8dff:fe79:6b44
              OS: Debian GNU/Linux 8 (jessie)
            Unit: machine-debian\x2dtree.scope
                  ├─103953 /lib/systemd/systemd 3
                  └─system.slice
                    ├─dbus.service
                    │ └─104069 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
                    ├─cron.service
                    │ └─104043 /usr/sbin/cron -f
                    ├─apache2.service
                    │ ├─104481 /usr/sbin/apache2 -k start
                    │ ├─104485 /usr/sbin/apache2 -k start
                    │ ├─104511 /usr/sbin/apache2 -k start
                    │ ├─104512 /usr/sbin/apache2 -k start
                    │ ├─104513 /usr/sbin/apache2 -k start
                    │ ├─104515 /usr/sbin/apache2 -k start
                    │ └─104516 /usr/sbin/apache2 -k start
                    ├─system-sshd.slice
                    │ └─sshd@0-192.168.10.10:23-192.168.10.10:51767.service
                    │   ├─104041 sshd: [accepted]
                    │   └─104042 sshd: [net]
                    ├─systemd-journald.service
                    │ └─103975 /lib/systemd/systemd-journald
                    ├─systemd-logind.service
                    │ └─104046 /lib/systemd/systemd-logind
                    ├─mysql.service
                    │ ├─104090 /bin/sh /usr/bin/mysqld_safe
                    │ └─104453 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=
                    ├─console-getty.service
                    │ └─104208 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
                    └─rsyslog.service
                      └─104088 /usr/sbin/rsyslogd -n

Then I logged into the container:

root:~# machinectl login debian-tree
...
root@www:/home/morfik# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.10:          0.0.0.0:*               LISTEN      483/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      511/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1/systemd
tcp6       0      0 :::443                  :::*                    LISTEN      511/apache2

Nothing listens on the port 23, why?
Still inside of the container:

root@www:/home/morfik# tree /etc/systemd/system
/etc/systemd/system
|-- getty.target.wants
|   `-- getty@tty1.service -> /lib/systemd/system/getty@.service
|-- multi-user.target.wants
|   |-- cron.service -> /lib/systemd/system/cron.service
|   |-- remote-fs.target -> /lib/systemd/system/remote-fs.target
|   `-- rsyslog.service -> /lib/systemd/syste
Re: [systemd-devel] Container, private network and socket activation
> Hmm, to implement something like this I think the best option would be
> to set up the interface to later pass to the container first on the
> host, then listen on the container's IP address on the host. When a
> connection comes in the container would have to be started via socket
> activation, and would then have to take over the container interface
> (with --network-interface=), so that all further connections are
> delivered directly to the container and the host is not involved
> anymore.

I managed to set this up. In short:

# ip link add type veth
# ip addr add 192.168.10.10/24 brd + dev veth1
# ip addr add 192.168.10.20/24 brd + dev veth0
# ip link set veth1 up
# ip link set veth0 up
# brctl addif br_lxc veth0

This sets two interfaces, one of which (veth1) goes to the container via the following service file:

[Unit]
Description=My little container

[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/systemd-nspawn -jbD /media/Kabi/debian-tree/ \
    --network-interface=veth1 \
    --bind /media/Kabi/apache/:/apache/ \
    --bind /media/Kabi/backup_packages/apt/archives/:/var/cache/apt/archives/ \
    --bind /media/Kabi/repozytorium:/repozytorium \
    3

In addition, I have my bridge interface set:

auto br_lxc
iface br_lxc inet static
    address 192.168.10.100
    netmask 255.255.255.0
    broadcast 192.168.10.255
    bridge_ports none
    bridge_waitport 0
    bridge_fd 0

The next thing is to socket activate the container through this file:

[Unit]
Description=The HTTP/HTTPS socket of my little container

[Socket]
ListenStream=192.168.10.10:80
ListenStream=192.168.10.10:443

When I start the socket, I get:

root:~# systemctl start mycontainer.socket
root:~# systemctl status mycontainer.socket
● mycontainer.socket - The HTTP/HTTPS socket of my little container
   Loaded: loaded (/etc/systemd/system/mycontainer.socket; static; vendor preset: enabled)
   Active: active (listening) since Wed 2015-02-04 04:00:51 CET; 1s ago
   Listen: 192.168.10.10:80 (Stream)
           192.168.10.10:443 (Stream)

Feb 04 04:00:51 morfikownia systemd[1]: Listening on The HTTP/HTTPS socket of my little container.

That's all for the host. In the container I had to configure the passed interface via /etc/network/interface:

auto veth1
iface veth1 inet static
    address 192.168.10.10
    netmask 255.255.255.0
    broadcast 192.168.10.255
    gateway 192.168.10.100

And that's it. This setup works. I mean, when I type in my firefox http://192.168.10.10, the container boots and I'm able to browse the page.

Now I have some questions:

1. When I try to connect for the very first time, I get a timeout, even though the container is working. I can cancel the connection immediately, and reconnect after 2-3 sec and then the page shows up. All subsequent connections work without a problem, just the first one gets a timeout. Is there a way to fix this, so the first connection that boots the system could be somehow delayed, so after a while the page would show up?

2. Is there a way to shut down the container automatically after some period of inactivity? Let's say there's no traffic for 30min, and after this time the container goes down.

3. How to stop the container manually? I'm asking because when I try via "systemctl stop mycontainer.service", it stops, but:

...
Feb 04 04:15:58 morfikownia systemd-nspawn[14346]: Halting system.
Feb 04 04:15:58 morfikownia systemd-machined[14353]: Machine debian-tree terminated.
Feb 04 04:15:58 morfikownia systemd-nspawn[14346]: Container debian-tree has been shut down.
Feb 04 04:15:58 morfikownia systemd[1]: Starting My little container...
Feb 04 04:15:58 morfikownia systemd[1]: Stopping Container debian-tree.
Feb 04 04:15:58 morfikownia systemd[1]: Stopped Container debian-tree.
Feb 04 04:15:58 morfikownia kernel: br_lxc: port 1(veth0) entered disabled state
Feb 04 04:15:58 morfikownia kernel: device veth0 left promiscuous mode
Feb 04 04:15:58 morfikownia kernel: br_lxc: port 1(veth0) entered disabled state
Feb 04 04:15:58 morfikownia systemd-nspawn[15325]: Spawning container debian-tree on /media/Kabi/debian-tree.
Feb 04 04:15:58 morfikownia systemd-nspawn[15325]: Press ^] three times within 1s to kill container.
Feb 04 04:15:58 morfikownia systemd[1]: mycontainer.service: main process exited, code=exited, status=237/n/a
Feb 04 04:15:58 morfikownia systemd[1]: Failed to start My little container.
Feb 04 04:15:58 morfikownia systemd[1]: Unit mycontainer.service entered failed state.
Feb 04 04:15:58 morfikownia systemd[1]: mycontainer.service failed.
Feb 04 04:15:58 morfikownia systemd[1]: Starting My little container...
Feb 04 04:15:58 morfikownia systemd[1]: mycontainer.service: main process exited, code=exited, status=237/n/a
Feb 04 04:15:58 morfikownia systemd[1]: Failed to start My little container.
Feb 04 04:15:58 morfikownia systemd[1]: Unit mycontainer.service entered failed state.
Feb 04 04:
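The earlier reply in this thread makes the point that the host's and the container's .socket units must carry identical ListenStream lines, because systemd inside the container matches the passed-in file descriptors against its own socket units by address; the message above shows the host side of such a pair. The following is an added example, written for this thread and not part of the post or of systemd: a small unit-file parser plus a check that reports any ListenStream address present on one side but not the other. The host units are the ones from the post; the two container-side units are constructed, one matching and one with the wildcard ports that would not be recognised. `Service=` in a [Socket] section is the real systemd key that names the unit a socket activates.

```python
from collections import defaultdict


def parse_unit(text: str) -> dict:
    """Minimal systemd unit-file parser: [Section] headers, key=value lines with
    repeated keys kept in order, '#'/';' comment lines skipped, and trailing
    backslash continuations joined (enough for the units in this thread)."""
    sections = defaultdict(list)
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def listen_streams(unit_text: str) -> set:
    """All ListenStream= addresses of a .socket unit."""
    return {v for k, v in parse_unit(unit_text).get("Socket", []) if k == "ListenStream"}


def socket_mismatch(host_socket: str, container_socket: str) -> dict:
    """Addresses that differ between the host unit and the container unit.
    Anything listed is a socket the container's systemd will not pair with
    the descriptors it receives, so the service behind it never gets them."""
    host, cont = listen_streams(host_socket), listen_streams(container_socket)
    return {"only_on_host": host - cont, "only_in_container": cont - host}


# Host units, as posted in this thread.
HOST_SOCKET = r"""
[Unit]
Description=The HTTP/HTTPS socket of my little container

[Socket]
ListenStream=192.168.10.10:80
ListenStream=192.168.10.10:443
"""

HOST_SERVICE = r"""
[Unit]
Description=My little container

[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/systemd-nspawn -jbD /media/Kabi/debian-tree/ \
    --network-interface=veth1 \
    --bind /media/Kabi/apache/:/apache/ \
    --bind /media/Kabi/backup_packages/apt/archives/:/var/cache/apt/archives/ \
    --bind /media/Kabi/repozytorium:/repozytorium \
    3
"""

# Constructed container-side units (not from the post): the same addresses,
# activating apache instead of the container ...
CONTAINER_SOCKET_OK = r"""
[Unit]
Description=Apache socket, handed in from the host

[Socket]
ListenStream=192.168.10.10:80
ListenStream=192.168.10.10:443
Service=apache2.service

[Install]
WantedBy=sockets.target
"""

# ... and a wildcard variant whose addresses do not match what the host passes in.
CONTAINER_SOCKET_BAD = r"""
[Socket]
ListenStream=80
ListenStream=443
Service=apache2.service
"""


if __name__ == "__main__":
    print("matching unit:", socket_mismatch(HOST_SOCKET, CONTAINER_SOCKET_OK))
    print("wildcard unit:", socket_mismatch(HOST_SOCKET, CONTAINER_SOCKET_BAD))
```

Run against the real files, this is the kind of check worth making before chasing the restart loop described in the thread, since a mismatch leaves the queued connection on the host socket and systemd keeps spawning the container.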
Re: [systemd-devel] Container, private network and socket activation
> Also note that using socket activation for containers means that
> systemd instance inside the container also needs to have configuration
> for the socket, to pass it on to the service that ultimately shall
> answer for it. Are you sure that apache2 has support for that, and
> that you set it up?

Actually, I just want to start the container when someone else tries to connect to the port 80 of the host, just using the container's IP address. So, for instance, my host has IP 192.168.1.150, the container has IP 192.168.10.10, and I want to type the second address in a web browser so the system in the container could boot and start apache. Then I could browse the page that is hosted by the apache server inside of the container. I'm not sure if that's even possible, but apache inside of the container starts at boot automatically, so I think there's no need for setting anything in the container -- please correct me if I'm wrong.
[systemd-devel] Container, private network and socket activation
I've set up a container via systemd-nspawn tool, and I wanted to use the private network feature. The line that launches the container includes --network-bridge= and --network-veth options. The whole systemd .service file looks like this:

[Unit]
Description=My little container

[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/systemd-nspawn -jbD /media/Kabi/debian-tree/ \
    --network-bridge=br_lxc \
    --network-veth \
    --bind /media/Kabi/apache/:/apache/ \
    --bind /media/Kabi/backup_packages/apt/archives/:/var/cache/apt/archives/ \
    --bind /media/Kabi/repozytorium:/repozytorium \
    3

The bridge interface was created through the /etc/network/interface file, and it looks as follows:

auto br_lxc
iface br_lxc inet static
    address 192.168.10.100
    netmask 255.255.255.0
    broadcast 192.168.10.255
    bridge_ports none
    bridge_waitport 0
    bridge_fd 0

The container is able to boot:

# systemctl status mycontainer.service
● mycontainer.service - My little container
   Loaded: loaded (/etc/systemd/system/mycontainer.service; static; vendor preset: enabled)
   Active: active (running) since Tue 2015-02-03 01:57:24 CET; 12s ago
 Main PID: 84905 (systemd-nspawn)
   CGroup: /system.slice/mycontainer.service
           └─84905 /usr/bin/systemd-nspawn -jbD /media/Kabi/debian-tree/ --network-bridge=br_lxc --network-veth --bind /media/Kabi/apache/:/apache/ --bind /media/Kabi/backup_packages/apt/arch...

Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [  OK  ] Started Console Getty.
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [  OK  ] Reached target Login Prompts.
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [  OK  ] Started System Logging Service.
Feb 03 01:57:25 morfikownia systemd-nspawn[84905]: [  OK  ] Started Cleanup of Temporary Directories.
Feb 03 01:57:27 morfikownia systemd-nspawn[84905]: [  OK  ] Started LSB: Start and stop the mysql database server daemon.
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: [  OK  ] Started LSB: Apache2 web server.
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: [  OK  ] Reached target Multi-User System.
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]:          Starting Update UTMP about System Runlevel Changes...
Feb 03 01:57:28 morfikownia systemd-nspawn[84905]: [  OK  ] Started Update UTMP about System Runlevel Changes.
Feb 03 01:57:29 morfikownia systemd-nspawn[84905]: Debian GNU/Linux 8 www console

# machinectl
MACHINE     CONTAINER SERVICE
debian-tree container nspawn

1 machines listed.

# machinectl status debian-tree
debian-tree
           Since: Tue 2015-02-03 01:57:24 CET; 2min 54s ago
          Leader: 84906 (systemd)
         Service: nspawn; class container
            Root: /media/Kabi/debian-tree
           Iface: br_lxc
         Address: 192.168.10.10
                  fe80::541b:d0ff:febc:c38c%7
              OS: Debian GNU/Linux 8 (jessie)
            Unit: machine-debian\x2dtree.scope
                  ├─84906 /lib/systemd/systemd 3
                  └─system.slice
                    ├─dbus.service
                    │ └─85024 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
                    ├─cron.service
                    │ └─85003 /usr/sbin/cron -f
                    ├─apache2.service
                    │ ├─85427 /usr/sbin/apache2 -k start
                    │ ├─85454 /usr/sbin/apache2 -k start
                    │ ├─85485 /usr/sbin/apache2 -k start
                    │ ├─85486 /usr/sbin/apache2 -k start
                    │ ├─85488 /usr/sbin/apache2 -k start
                    │ ├─85489 /usr/sbin/apache2 -k start
                    │ └─85491 /usr/sbin/apache2 -k start
                    ├─systemd-journald.service
                    │ └─84941 /lib/systemd/systemd-journald
                    ├─systemd-logind.service
                    │ └─85006 /lib/systemd/systemd-logind
                    ├─mysql.service
                    │ ├─85057 /bin/sh /usr/bin/mysqld_safe
                    │ └─85415 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run...
                    ├─console-getty.service
                    │ └─85055 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
                    └─rsyslog.service
                      └─85051 /usr/sbin/rsyslogd -n

Inside of the container I added the following configuration to its network interface:

auto host0
iface host0 inet static
    address 192.168.10.10
    network 192.168.10.0/24
    netmask 255.255.255.0
    broadcast 192.168.10.255
    gateway 192.168.10.100

Communication works (ping from the container):

root@www:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=3
Re: [systemd-devel] KillUserProcesses timeout
> Hmm, not sure I follow.
> It only happens if I'm logged in as root in tmux.
> The session is shown as closing, that's good. Can you check what
> "systemctl status" reports on the scope unit if this hang happens?
>
> Lennart
>

I'm not sure if I did the right thing, but there it is. After logout:

● user-1000.slice
   Loaded: loaded
   Active: active since Tue 2015-01-27 04:13:31 CET; 8min ago
   CGroup: /user.slice/user-1000.slice
           ├─session-7.scope
           │ ├─32562 gpg-agent -s --enable-ssh-support --daemon --write-env-file /home/morfik/.gpg-agent-info
           │ ├─32692 tmux attach-session -t logi
           │ ├─32696 bash -c cat /dev/logi | ccze -m ansi -p syslog -C
           │ ├─32697 -bash
           │ ├─32698 newsbeuter
           │ ├─32702 cat /dev/logi
           │ ├─32703 ccze -m ansi -p syslog -C
           │ ├─34376 su -
           │ └─34393 -su
           └─user@1000.service
             ├─32466 /lib/systemd/systemd --user
             └─32467 (sd-pam)

Jan 27 04:13:31 morfikownia systemd[1]: Starting user-1000.slice.
Jan 27 04:13:31 morfikownia systemd[1]: Created slice user-1000.slice.
Jan 27 04:13:31 morfikownia systemd[32466]: pam_unix(systemd-user:session): session opened for user morfik by (uid=0)
Jan 27 04:22:07 morfikownia login[32428]: pam_unix(login:session): session closed for user morfik

And here's when the processes are dead:

● user-1000.slice
   Loaded: loaded
   Active: inactive (dead)

Jan 27 04:12:40 morfikownia systemd[31361]: pam_unix(systemd-user:session): session opened for user morfik by (uid=0)
Jan 27 04:12:58 morfikownia login[31352]: pam_unix(login:session): session closed for user morfik
Jan 27 04:13:18 morfikownia systemd[1]: Stopping user-1000.slice.
Jan 27 04:13:18 morfikownia systemd[1]: Removed slice user-1000.slice.
Jan 27 04:13:31 morfikownia systemd[1]: Starting user-1000.slice.
Jan 27 04:13:31 morfikownia systemd[1]: Created slice user-1000.slice.
Jan 27 04:13:31 morfikownia systemd[32466]: pam_unix(systemd-user:session): session opened for user morfik by (uid=0)
Jan 27 04:22:07 morfikownia login[32428]: pam_unix(login:session): session closed for user morfik
Jan 27 04:22:27 morfikownia systemd[1]: Stopping user-1000.slice.
Jan 27 04:22:27 morfikownia systemd[1]: Removed slice user-1000.slice.

As you can see, there's a 20 sec period.
Re: [systemd-devel] KillUserProcesses timeout
> Normally, the SIGTERM should be delivered instantly on logout from
> logind. Unless the PAM session end hook wasn't called or so.
>
> If you log in as root, and then reproduce the 20s wait for another
> user what does "loginctl session-status" and "loginctl user-status"
> say about the session/user that is hanging?
>
> Lennart
>

I know where the problem is. I'm using tmux, and when I try to log out and at the same time I'm logged on root in tmux, I get the lag. Here's the situation after logout:

morfik (1000)
           Since: Tue 2015-01-27 01:59:56 CET; 1min 59s ago
           State: closing
        Sessions: *3
            Unit: user-1000.slice
                  ├─user@1000.service
                  │ ├─3861 /lib/systemd/systemd --user
                  │ └─3863 (sd-pam)
                  └─session-3.scope
                    ├─3957 gpg-agent -s --enable-ssh-support --daemon --write...
                    ├─4082 tmux attach-session -t logi
                    ├─4084 bash -c cat /dev/logi | ccze -m ansi -p syslog -C
                    ├─4085 -bash
                    ├─4086 newsbeuter
                    ├─4088 cat /dev/logi
                    ├─4089 ccze -m ansi -p syslog -C
                    ├─5212 -bash
                    ├─5232 su -
                    ├─5250 -su
                    ├─5269 -bash
                    ├─5289 su -
                    └─5306 -su

And that's all of the remaining processes. After ~20s they will be also killed. So, is there a way to kill them without logging out from the root account?
Re: [systemd-devel] KillUserProcesses timeout
> Sorry, but I cannot parse this. Do you want a delay because when
> logging out and back in you want to be able to reuse your old
> gpg-agent? Or what precisely is the current behaviour and what do you
> want it to be instead?
>
> Lennart
>

No, I just want to speed it up. Now I have to wait about 20s for KillUserProcesses so it can kill the remaining processes, and I want it to do that, let's say, in 1-2s max, that's it.
[systemd-devel] KillUserProcesses timeout
I'm using standalone Openbox and when I log out by killing Xserver (ctrl+alt+backspace), some processes stay alive even though the user logged out completely. I know there's a KillUserProcesses option in the /etc/systemd/logind.conf file, and it works just fine, but with a little lag. I mean, those processes in question will never exit, and when I'm logging in again almost instantly to my box, all those processes will be killed shortly after I log in -- because of KillUserProcesses. This concerns, for instance, tmux or gpg-agent -- I want them in my session, but I also want to kill them on logout.

The question is how to set a timeout option for this KillUserProcesses? For now I just have to wait 15-20 sec to be sure all processes exited and that I can log in without worrying some processes will be killed after login.