Hello all, we just got a bug report [1] about the systemd-nspawn@.service not working very well by default:
First, /var/lib/containers/ does not exist by default. To guard against information leaks or hard link attacks by users, this directory should be 0700 by default. LXC does the same (/var/lib/lxc is 0700 for these reasons). What do you think about adding

  d /var/lib/containers 0700 - - -

to tmpfiles.d/var.conf? I can also add this to the Debian tmpfiles.d file, but it's not really Debian specific.

Second, systemd-nspawn@.service uses --link-journal=guest. If you don't have a persistent journal, and /var/log/journal/ does not exist, then containers fail to start in a rather unfriendly way:

  Spawning container c on /tmp/c.
  Press ^] three times within 1s to kill container.
  Container c failed with error code 1.

I.e. they don't tell you what's wrong. (SYSTEMD_LOG_LEVEL=debug doesn't help at all.) But --link-journal=auto isn't right either, as this then won't create the /var/log/journal/<machineid> symlink if you do have a persistent journal. I don't quite like creating /var/log/journal by default in the package, as that would create persistent journals on the host (for the guests) even though the admin disabled/didn't enable persistent journalling.

- Option 1: Change the unit to use "guest" if /var/log/journal exists, and not use --link-journal at all if it doesn't. (This can't be directly expressed on the nspawn CLI, thus would need some Exec=/bin/sh -c 'if [ -d ... ]' shell commands.)

- Option 2: Make --link-journal=guest nonfatal and just print out a warning if /var/log/journal/ does not exist.

- Any others?

I'm happy to work on either solution.

Thanks,

Martin

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770275

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
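The following is an added example, not code from the mail above or from the systemd project. It sketches both points of the report in plain POSIX shell: a helper that creates the container directory with the 0700 mode the mail asks for, and a wrapper implementing "Option 1", i.e. passing --link-journal=guest only when the host actually has a persistent journal directory and omitting the flag otherwise. The journal directory and the container root are parameters so the logic can be exercised against a temporary directory; the nspawn options --quiet, --keep-unit, --boot and --directory are assumed here as a plausible unit command line, not copied from the shipped systemd-nspawn@.service.

```shell
#!/bin/sh
# Added example (not from the original mail or from systemd).
# Assumptions: the host's container root lives under /var/lib/containers and
# the unit's command line uses --quiet --keep-unit --boot --directory=...;
# both are illustrative and can be adjusted.

# Create the container root with mode 0700, mirroring the proposed
# tmpfiles.d line "d /var/lib/containers 0700 - - -". install(1) applies the
# mode explicitly, so the caller's umask does not matter.
ensure_container_dir() {
    install -d -m 0700 "$1"
}

# Return the permission string of a path (e.g. "drwx------") in a portable
# way, so callers can verify that the directory is not world-readable.
dir_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Option 1 from the mail: print "--link-journal=guest" only if the host has
# a persistent journal directory, otherwise print nothing. Taking the
# directory as an argument keeps the check testable outside /var/log.
link_journal_arg() {
    journal_dir="$1"
    if [ -d "$journal_dir" ]; then
        printf '%s\n' "--link-journal=guest"
    fi
}

# Assemble the systemd-nspawn command line for container "$1", consulting the
# host journal directory "$2" (defaults to /var/log/journal) and the
# container root "$3" (defaults to /var/lib/containers). Only prints the
# command; replace the final printf with "exec $cmd" in a real wrapper.
nspawn_cmdline() {
    name="$1"
    journal_dir="${2:-/var/log/journal}"
    root="${3:-/var/lib/containers}"
    cmd="systemd-nspawn --quiet --keep-unit --boot"
    link_arg="$(link_journal_arg "$journal_dir")"
    if [ -n "$link_arg" ]; then
        cmd="$cmd $link_arg"
    fi
    printf '%s\n' "$cmd --directory=$root/$name"
}

# Usage: ./nspawn-wrapper.sh <container-name> [journal-dir] [container-root]
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    nspawn_cmdline "$@"
fi
```

In a unit this would be called as ExecStart=/bin/sh -c '.../nspawn-wrapper.sh %i' (with the printf replaced by exec), which is exactly the shell indirection the mail notes Option 1 requires because the choice cannot be expressed on the nspawn command line itself.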