Re: [systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
On Wed, Oct 08, 2014 at 04:54:59PM +0200, Lennart Poettering wrote: On Wed, 08.10.14 16:49, Michal Sekletar (msekl...@redhat.com) wrote: Hmm, I think we should just do need_umount = !in_container, like we do for the other things like loopback detaching, dm detaching or swapoff. After all, if we run in a container we run in a mount namespace anyway, so unmounting things is done by the kernel implicitly if the namespace dies. At least in theory this means we can simply skip the unmounting in all containers, but I must admit that I am not entirely clear on this one, so this needs to be tested in the common container managers really, I figure... Do you mind if I push just need_umount = !in_container then? Well, yes. I'd be thankful if you'd test this a bit first, so that this doesn't break anything. Testing nspawn and on bare-metal should be enough. Works just fine on F21 KVM guest and in rawhide nspawn container. THen please, go ahead, commit with a good commit msg explaining things, maybe even referencing this discussion. Pushed with better explanation. Hope that commit message makes sense. Michal Thanks, Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
On Tue, 07.10.14 14:17, Michal Sekletar (msekl...@redhat.com) wrote: On Thu, Oct 02, 2014 at 12:04:02PM +0200, Lennart Poettering wrote: On Thu, 02.10.14 09:57, Michal Sekletar (msekl...@redhat.com) wrote: #define FINALIZE_ATTEMPTS 50 @@ -207,7 +208,11 @@ int main(int argc, char *argv[]) { in_container = detect_container(NULL) 0; -need_umount = true; +if (in_container !have_effective_cap(CAP_SYS_ADMIN)) +need_umount = false; +else +need_umount = true; + need_swapoff = !in_container; need_loop_detach = !in_container; need_dm_detach = !in_container; Hmm, I think we should just do need_umount = !in_container, like we do for the other things like loopback detaching, dm detaching or swapoff. After all, if we run in a container we run in a mount namespace anyway, so unmounting things is done by the kernel implicitly if the namespace dies. At least in theory this means we can simply skip the unmounting in all containers, but I must admit that I am not entirely clear on this one, so this needs to be tested in the common container managers really, I figure... Do you mind if I push just need_umount = !in_container then? Well, yes. I'd be thankful if you'd test this a bit first, so that this doesn't break anything. Testing nspawn and on bare-metal should be enough. Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
On Wed, Oct 08, 2014 at 01:41:16PM +0200, Lennart Poettering wrote: On Tue, 07.10.14 14:17, Michal Sekletar (msekl...@redhat.com) wrote: On Thu, Oct 02, 2014 at 12:04:02PM +0200, Lennart Poettering wrote: On Thu, 02.10.14 09:57, Michal Sekletar (msekl...@redhat.com) wrote: #define FINALIZE_ATTEMPTS 50 @@ -207,7 +208,11 @@ int main(int argc, char *argv[]) { in_container = detect_container(NULL) 0; -need_umount = true; +if (in_container !have_effective_cap(CAP_SYS_ADMIN)) +need_umount = false; +else +need_umount = true; + need_swapoff = !in_container; need_loop_detach = !in_container; need_dm_detach = !in_container; Hmm, I think we should just do need_umount = !in_container, like we do for the other things like loopback detaching, dm detaching or swapoff. After all, if we run in a container we run in a mount namespace anyway, so unmounting things is done by the kernel implicitly if the namespace dies. At least in theory this means we can simply skip the unmounting in all containers, but I must admit that I am not entirely clear on this one, so this needs to be tested in the common container managers really, I figure... Do you mind if I push just need_umount = !in_container then? Well, yes. I'd be thankful if you'd test this a bit first, so that this doesn't break anything. Testing nspawn and on bare-metal should be enough. Works just fine on F21 KVM guest and in rawhide nspawn container. Michal Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
On Wed, 08.10.14 16:49, Michal Sekletar (msekl...@redhat.com) wrote: Hmm, I think we should just do need_umount = !in_container, like we do for the other things like loopback detaching, dm detaching or swapoff. After all, if we run in a container we run in a mount namespace anyway, so unmounting things is done by the kernel implicitly if the namespace dies. At least in theory this means we can simply skip the unmounting in all containers, but I must admit that I am not entirely clear on this one, so this needs to be tested in the common container managers really, I figure... Do you mind if I push just need_umount = !in_container then? Well, yes. I'd be thankful if you'd test this a bit first, so that this doesn't break anything. Testing nspawn and on bare-metal should be enough. Works just fine on F21 KVM guest and in rawhide nspawn container. THen please, go ahead, commit with a good commit msg explaining things, maybe even referencing this discussion. Thanks, Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
On Thu, Oct 02, 2014 at 12:04:02PM +0200, Lennart Poettering wrote: On Thu, 02.10.14 09:57, Michal Sekletar (msekl...@redhat.com) wrote: #define FINALIZE_ATTEMPTS 50 @@ -207,7 +208,11 @@ int main(int argc, char *argv[]) { in_container = detect_container(NULL) 0; -need_umount = true; +if (in_container !have_effective_cap(CAP_SYS_ADMIN)) +need_umount = false; +else +need_umount = true; + need_swapoff = !in_container; need_loop_detach = !in_container; need_dm_detach = !in_container; Hmm, I think we should just do need_umount = !in_container, like we do for the other things like loopback detaching, dm detaching or swapoff. After all, if we run in a container we run in a mount namespace anyway, so unmounting things is done by the kernel implicitly if the namespace dies. At least in theory this means we can simply skip the unmounting in all containers, but I must admit that I am not entirely clear on this one, so this needs to be tested in the common container managers really, I figure... Do you mind if I push just need_umount = !in_container then? Michal Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
--- Makefile.am | 3 ++- src/core/shutdown.c | 7 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 5033028..f8104bc 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1925,7 +1925,8 @@ systemd_shutdown_SOURCES = \ systemd_shutdown_LDADD = \ libsystemd-label.la \ libudev-internal.la \ - libsystemd-shared.la + libsystemd-shared.la \ + libsystemd-capability.la # -- if HAVE_KMOD diff --git a/src/core/shutdown.c b/src/core/shutdown.c index 1e88b05..5b539f0 100644 --- a/src/core/shutdown.c +++ b/src/core/shutdown.c @@ -49,6 +49,7 @@ #include cgroup-util.h #include def.h #include switch-root.h +#include capability.h #define FINALIZE_ATTEMPTS 50 @@ -207,7 +208,11 @@ int main(int argc, char *argv[]) { in_container = detect_container(NULL) 0; -need_umount = true; +if (in_container !have_effective_cap(CAP_SYS_ADMIN)) +need_umount = false; +else +need_umount = true; + need_swapoff = !in_container; need_loop_detach = !in_container; need_dm_detach = !in_container; -- 2.0.1 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 3/4] shutdown: don't do final unmounting when inside the container and running without CAP_SYS_ADMIN
On Thu, 02.10.14 09:57, Michal Sekletar (msekl...@redhat.com) wrote: #define FINALIZE_ATTEMPTS 50 @@ -207,7 +208,11 @@ int main(int argc, char *argv[]) { in_container = detect_container(NULL) 0; -need_umount = true; +if (in_container !have_effective_cap(CAP_SYS_ADMIN)) +need_umount = false; +else +need_umount = true; + need_swapoff = !in_container; need_loop_detach = !in_container; need_dm_detach = !in_container; Hmm, I think we should just do need_umount = !in_container, like we do for the other things like loopback detaching, dm detaching or swapoff. After all, if we run in a container we run in a mount namespace anyway, so unmounting things is done by the kernel implicitly if the namespace dies. At least in theory this means we can simply skip the unmounting in all containers, but I must admit that I am not entirely clear on this one, so this needs to be tested in the common container managers really, I figure... Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel