shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-10 05:18:17 +03:00
Code

audit: since audit is apparently never going to be fixed for containers tell the user what's going on

Browse Source 
Let's try to be helpful to the user and give him a hint what he can do
to make nspawn work with normal OS containers.

https://bugzilla.redhat.com/show_bug.cgi?id=893751
This commit is contained in:
Lennart Poettering 2013-05-10 00:14:12 +02:00
parent f49fd1d57a
commit 77b6e19458
3 changed files with 35 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README
View File

@ -79,6 +79,13 @@ REQUIREMENTS:
CONFIG_EFI_VARS CONFIG_EFI_VARS
CONFIG_EFI_PARTITION CONFIG_EFI_PARTITION
Note that kernel auditing is broken when used with systemd's
container code. When using systemd in conjunction with
containers please make sure to either turn off auditing at
runtime using the kernel command line option "audit=0", or
turn it off at kernel compile time using:
CONFIG_AUDIT=n
dbus >= 1.4.0 dbus >= 1.4.0
libcap libcap
libblkid >= 2.20 (from util-linux) (optional) libblkid >= 2.20 (from util-linux) (optional)

15
man/systemd-nspawn.xml
View File

@ -142,16 +142,19 @@
might be necessary to add this file to the container might be necessary to add this file to the container
tree manually if the OS of the container is too old to tree manually if the OS of the container is too old to
contain this file out-of-the-box.</para> contain this file out-of-the-box.</para>
</refsect1>
<refsect1>
<title>Incompatibility with Auditing</title>
<para>Note that the kernel auditing subsystem is <para>Note that the kernel auditing subsystem is
currently broken when used together with currently broken when used together with
containers. We hence recommend turning it off entirely containers. We hence recommend turning it off entirely
when using <command>systemd-nspawn</command> by by booting with <literal>audit=0</literal> on the
booting with <literal>audit=0</literal> on the kernel kernel command line, or by turning it off at kernel
command line, or by turning it off at kernel build build time. If auditing is enabled in the kernel
time. If auditing is enabled in the kernel operating operating systems booted in an nspawn container might
systems booted in an nspawn container might refuse refuse log-in attempts.</para>
log-in attempts.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

19
src/nspawn/nspawn.c
View File

@ -1219,6 +1219,18 @@ finish:
return r; return r;
} }
static bool audit_enabled(void) {
int fd;
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
if (fd >= 0) {
close_nointr_nofail(fd);
return true;
}
return false;
}
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
pid_t pid = 0; pid_t pid = 0;
int r = EXIT_FAILURE, k; int r = EXIT_FAILURE, k;
@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
goto finish; goto finish;
} }
if (audit_enabled()) {
log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
"Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
"line before using systemd-nspawn. Sleeping for 5s...\n");
sleep(5);
}
if (path_equal(arg_directory, "/")) { if (path_equal(arg_directory, "/")) {
log_error("Spawning container on root directory not supported."); log_error("Spawning container on root directory not supported.");
goto finish; goto finish;