diff options
author | Lennart Poettering <lennart@poettering.net> | 2013-05-10 00:14:12 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2013-05-10 00:17:36 +0200 |
commit | 77b6e19458f37cfde127ec6aa9494c0ac45ad890 (patch) | |
tree | 4262aa17aa9942358fce75c291d1b83035aad57d | |
parent | f49fd1d57a429d4a05ac86352c017a845f8185b3 (diff) |
audit: since audit is apparently never going to be fixed for containers tell the user what's going on
Let's try to be helpful to the user and give him a hint what he can do
to make nspawn work with normal OS containers.
https://bugzilla.redhat.com/show_bug.cgi?id=893751
-rw-r--r-- | README | 7 | ||||
-rw-r--r-- | man/systemd-nspawn.xml | 15 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 19 |
3 files changed, 35 insertions, 6 deletions
@@ -79,6 +79,13 @@ REQUIREMENTS: CONFIG_EFI_VARS CONFIG_EFI_PARTITION + Note that kernel auditing is broken when used with systemd's + container code. When using systemd in conjunction with + containers please make sure to either turn off auditing at + runtime using the kernel command line option "audit=0", or + turn it off at kernel compile time using: + CONFIG_AUDIT=n + dbus >= 1.4.0 libcap libblkid >= 2.20 (from util-linux) (optional) diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index d9fb899895..1bc61e83a7 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -142,16 +142,19 @@ might be necessary to add this file to the container tree manually if the OS of the container is too old to contain this file out-of-the-box.</para> + </refsect1> + + <refsect1> + <title>Incompatibility with Auditing</title> <para>Note that the kernel auditing subsystem is currently broken when used together with containers. We hence recommend turning it off entirely - when using <command>systemd-nspawn</command> by - booting with <literal>audit=0</literal> on the kernel - command line, or by turning it off at kernel build - time. If auditing is enabled in the kernel operating - systems booted in an nspawn container might refuse - log-in attempts.</para> + by booting with <literal>audit=0</literal> on the + kernel command line, or by turning it off at kernel + build time. If auditing is enabled in the kernel + operating systems booted in an nspawn container might + refuse log-in attempts.</para> </refsect1> <refsect1> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 09153c87ce..b91b0b8a91 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -1219,6 +1219,18 @@ finish: return r; } +static bool audit_enabled(void) { + int fd; + + fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT); + if (fd >= 0) { + close_nointr_nofail(fd); + return true; + } + + return false; +} + int main(int argc, char *argv[]) { pid_t pid = 0; int r = EXIT_FAILURE, k; @@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) { goto finish; } + if (audit_enabled()) { + log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n" + "Please make sure to turn off auditing with 'audit=0' on the kernel command\n" + "line before using systemd-nspawn. Sleeping for 5s...\n"); + sleep(5); + } + if (path_equal(arg_directory, "/")) { log_error("Spawning container on root directory not supported."); goto finish; |