On Do, 14.09.17 00:55, Luke Shumaker (luke...@lukeshu.com) wrote: > Hi all, > > I have another question about `systemd-nspawn` internals. > > When sanity-checking argv, it does: > > if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= > 0) { > log_error("--keep-unit --register=yes may not be used when > invoked from a user session."); > return -EINVAL; > } > > (the `&& arg_register` bit was added in 234) > > Why does nspawn care if it is in a user session? > > My best guess is that it doesn't want to share its cgroup with any > other processes, and it is using user session membership as a sloppy > proxy for that. If that's the case, wouldn't it be more correct and > robust to check for other processes in > "/sys/fs/cgroup/.../cgroup.procs"?
It's simply a check that people don't call the tool from a regular shell login, and thus make the session scope unit the shell login is running in the container unit. Because when nspawn then exits it might continue to be registered with machined as container unit even though it really doesn't apply anymore. I think using some kind of wrapper tool around nspawn that stays running while nspawn is running is an OK thing and shouldn't prohibit nspawn from registering the unit in machined as container unit, hence I don't think it would be right to check the PID list as you suggest. Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel