** Description changed:

  Test case
  -------------
  - Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
  - Boot it. You'll get a lot of errors like
  
    [FAILED] Failed to start Journal Service.
    systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
    [FAILED] Failed to listen on Journal Audit Socket.
  
  - The same happens with systemd-nspawn -b.
  
  As a result, the journal isn't working at all, and you have a bunch of
  failed journal related units.
  
  With a fixed systemd package, systemd in the container should realize
  that it cannot listen to the audit socket (as the kernel doesn't allow
  that -- the audit subsystem isn't fit for namespaces right now), and
  "sudo journalctl" should show the journal and systemd-journald.service
  should be running. These systemd fixes are sufficient for nspawn, but
  not completely for unprivileged LXC containers -- there the journal will
  start working, but systemd-journald-audit.socket will still keep failing
  (this is less important)
+ 
+ REGRESSION POTENTIAL: Very low. This only affects the fallback error
+ code path if binding to the audit socket failed. In that case the
+ journal is currently not working at all. This usually doesn't happen on
+ real iron/VMs, so there is no practical change there.

** Description changed:

  Test case
  -------------
  - Under Ubuntu 15.04 (or 15.10), set up an unprivileged container as in https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
  - Boot it. You'll get a lot of errors like
  
    [FAILED] Failed to start Journal Service.
    systemd-journald-audit.socket failed to listen on sockets: Operation not permitted
    [FAILED] Failed to listen on Journal Audit Socket.
  
  - The same happens with systemd-nspawn -b.
  
  As a result, the journal isn't working at all, and you have a bunch of
  failed journal related units.
  
  With a fixed systemd package, systemd in the container should realize
  that it cannot listen to the audit socket (as the kernel doesn't allow
  that -- the audit subsystem isn't fit for namespaces right now), and
  "sudo journalctl" should show the journal and systemd-journald.service
  should be running. These systemd fixes are sufficient for nspawn, but
  not completely for unprivileged LXC containers -- there the journal will
  start working, but systemd-journald-audit.socket will still keep failing
  (this is less important)
  
  REGRESSION POTENTIAL: Very low. This only affects the fallback error
  code path if binding to the audit socket failed. In that case the
  journal is currently not working at all. This usually doesn't happen on
- real iron/VMs, so there is no practical change there.
+ real iron/VMs (they also always have CAP_AUDIT_READ), so there is no
+ practical change there.
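The behaviour the description asks of the fixed package, namely treating a refused bind of the audit netlink socket as a non-fatal condition so that journald itself keeps running, written out as an added example in C. It is not systemd's code and not part of the bug report; the status enum, `classify_audit_errno`, `open_audit_socket` and `start_journal_with_optional_audit` are names invented for this illustration, while the socket family, protocol and multicast group are the kernel's audit netlink interface. Run as an unprivileged user or inside an unprivileged container the bind fails with EPERM and the program reports that it continues without audit; run with CAP_AUDIT_READ in the initial user namespace it binds successfully.

```c
/* Added example (not systemd's code): bind the kernel audit netlink socket,
 * and if the kernel refuses (EPERM inside an unprivileged container, because
 * the audit subsystem is not namespace-aware), keep the journal running
 * without audit instead of failing the whole service. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#ifndef NETLINK_AUDIT
#define NETLINK_AUDIT 9     /* value from <linux/netlink.h> */
#endif

/* Hypothetical status names used only by this example. */
enum audit_status {
    AUDIT_SOCKET_OK,          /* bound: audit records can be read */
    AUDIT_SOCKET_UNAVAILABLE, /* refused or absent: continue without audit */
    AUDIT_SOCKET_FATAL        /* unexpected error: report it */
};

/* Pure policy decision from an errno value, kept separate from the syscalls
 * so it can be tested without touching the kernel. EPERM/EACCES is what a
 * process without CAP_AUDIT_READ in the initial user namespace sees; the
 * *NOSUPPORT values mean the kernel has no audit netlink at all. */
enum audit_status classify_audit_errno(int err)
{
    switch (err) {
    case 0:
        return AUDIT_SOCKET_OK;
    case EPERM:
    case EACCES:
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
        return AUDIT_SOCKET_UNAVAILABLE;
    default:
        return AUDIT_SOCKET_FATAL;
    }
}

/* Open the audit netlink socket and join the read-log multicast group
 * (group 1, AUDIT_NLGRP_READLOG). On success *fd_out holds the socket;
 * otherwise it is -1 and *err_out holds the errno that was classified. */
enum audit_status open_audit_socket(int *fd_out, int *err_out)
{
    struct sockaddr_nl sa;
    int fd;

    *fd_out = -1;
    *err_out = 0;

    fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, NETLINK_AUDIT);
    if (fd < 0) {
        *err_out = errno;
        return classify_audit_errno(*err_out);
    }

    memset(&sa, 0, sizeof(sa));
    sa.nl_family = AF_NETLINK;
    sa.nl_pid = 0;      /* let the kernel assign the port id */
    sa.nl_groups = 1;   /* bitmask: 1 << (AUDIT_NLGRP_READLOG - 1) */

    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        *err_out = errno;  /* typically EPERM inside an unprivileged container */
        close(fd);
        return classify_audit_errno(*err_out);
    }

    *fd_out = fd;
    return AUDIT_SOCKET_OK;
}

/* The fixed behaviour: audit is optional, the journal is not.
 * Returns 0 when the journal can run (with or without audit), 1 otherwise. */
int start_journal_with_optional_audit(void)
{
    int fd, err;
    enum audit_status st = open_audit_socket(&fd, &err);

    switch (st) {
    case AUDIT_SOCKET_OK:
        printf("audit socket bound (fd %d); forwarding audit records\n", fd);
        close(fd);
        return 0;
    case AUDIT_SOCKET_UNAVAILABLE:
        printf("audit socket unavailable (%s); journal continues without audit\n",
               strerror(err));
        return 0;
    case AUDIT_SOCKET_FATAL:
        fprintf(stderr, "audit socket setup failed unexpectedly: %s\n", strerror(err));
        return 1;
    }
    return 1;
}

int main(void)
{
    return start_journal_with_optional_audit();
}
```

The point of the split between `classify_audit_errno` and `open_audit_socket` is that the decision "is this a reason to give up the whole journal, or only the audit feed?" is a policy that can be reviewed and tested on its own; the kernel returning EPERM for the multicast bind in a user namespace is exactly the case the bug describes, and the classification maps it to degraded operation rather than to a failed unit.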

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1457054

Title:
  journal is broken in unprivileged LXC and nspawn containers


-- 
Ubuntu-server-bugs mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
