audit: since audit is apparently never going to be fixed for containers tell the user what's going on
Let's try to be helpful to the user and give them a hint about what they can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
This commit is contained in:
parent
f49fd1d57a
commit
77b6e19458
7
README
7
README
@ -79,6 +79,13 @@ REQUIREMENTS:
|
||||
CONFIG_EFI_VARS
|
||||
CONFIG_EFI_PARTITION
|
||||
|
||||
Note that kernel auditing is broken when used with systemd's
|
||||
container code. When using systemd in conjunction with
|
||||
containers please make sure to either turn off auditing at
|
||||
runtime using the kernel command line option "audit=0", or
|
||||
turn it off at kernel compile time using:
|
||||
CONFIG_AUDIT=n
|
||||
|
||||
dbus >= 1.4.0
|
||||
libcap
|
||||
libblkid >= 2.20 (from util-linux) (optional)
|
||||
|
@ -142,16 +142,19 @@
|
||||
might be necessary to add this file to the container
|
||||
tree manually if the OS of the container is too old to
|
||||
contain this file out-of-the-box.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Incompatibility with Auditing</title>
|
||||
|
||||
<para>Note that the kernel auditing subsystem is
|
||||
currently broken when used together with
|
||||
containers. We hence recommend turning it off entirely
|
||||
when using <command>systemd-nspawn</command> by
|
||||
booting with <literal>audit=0</literal> on the kernel
|
||||
command line, or by turning it off at kernel build
|
||||
time. If auditing is enabled in the kernel operating
|
||||
systems booted in an nspawn container might refuse
|
||||
log-in attempts.</para>
|
||||
by booting with <literal>audit=0</literal> on the
|
||||
kernel command line, or by turning it off at kernel
|
||||
build time. If auditing is enabled in the kernel
|
||||
operating systems booted in an nspawn container might
|
||||
refuse log-in attempts.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
@ -1219,6 +1219,18 @@ finish:
|
||||
return r;
|
||||
}
|
||||
|
||||
static bool audit_enabled(void) {
|
||||
int fd;
|
||||
|
||||
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
|
||||
if (fd >= 0) {
|
||||
close_nointr_nofail(fd);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
pid_t pid = 0;
|
||||
int r = EXIT_FAILURE, k;
|
||||
@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
|
||||
goto finish;
|
||||
}
|
||||
|
||||
if (audit_enabled()) {
|
||||
log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
|
||||
"Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
|
||||
"line before using systemd-nspawn. Sleeping for 5s...\n");
|
||||
sleep(5);
|
||||
}
|
||||
|
||||
if (path_equal(arg_directory, "/")) {
|
||||
log_error("Spawning container on root directory not supported.");
|
||||
goto finish;
|
||||
|
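Review bot: audit_enabled() in the first hunk treats a successful socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT) as "auditing is on", but that call only shows the kernel registers the NETLINK_AUDIT protocol (CONFIG_AUDIT=y); as far as I can tell `audit=0` leaves the protocol registered and merely disables the subsystem, so the warning would presumably keep firing even after the user follows the advice printed in the message. The converse is lossy too: any socket() failure (EPERM under a restrictive seccomp or LSM policy, EMFILE, ENOBUFS) is read as "audit off" and silently suppresses the warning, although only EPROTONOSUPPORT actually establishes that the protocol is absent. A more faithful check would ask the kernel with an AUDIT_GET request and inspect the `enabled` field of the status reply, or at minimum limit the "disabled" answer to `if (fd < 0) return errno != EPROTONOSUPPORT;` and explain it with `/* Only a missing NETLINK_AUDIT protocol proves auditing is compiled out; any other error is inconclusive */`. While touching it, `SOCK_RAW|SOCK_CLOEXEC` avoids a briefly inheritable descriptor, cheap even though the fd is closed right away. main() starts in the first hunk and continues past the end of the second.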