| author | Lennart Poettering <lennart@poettering.net> | 2013-05-10 00:14:12 +0200 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2013-05-10 00:17:36 +0200 | 
| commit | 77b6e19458f37cfde127ec6aa9494c0ac45ad890 (patch) | |
| tree | 4262aa17aa9942358fce75c291d1b83035aad57d | |
| parent | f49fd1d57a429d4a05ac86352c017a845f8185b3 (diff) | |
audit: since audit is apparently never going to be fixed for containers tell the user what's going on
Let's try to be helpful to the user and give him a hint about what he can do
to make nspawn work with normal OS containers.
https://bugzilla.redhat.com/show_bug.cgi?id=893751
| -rw-r--r-- | README | 7 | ||||
| -rw-r--r-- | man/systemd-nspawn.xml | 15 | ||||
| -rw-r--r-- | src/nspawn/nspawn.c | 19 | 
3 files changed, 35 insertions, 6 deletions
| @@ -79,6 +79,13 @@ REQUIREMENTS:            CONFIG_EFI_VARS            CONFIG_EFI_PARTITION +        Note that kernel auditing is broken when used with systemd's +        container code. When using systemd in conjunction with +        containers please make sure to either turn off auditing at +        runtime using the kernel command line option "audit=0", or +        turn it off at kernel compile time using: +          CONFIG_AUDIT=n +          dbus >= 1.4.0          libcap          libblkid >= 2.20 (from util-linux) (optional) diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index d9fb899895..1bc61e83a7 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -142,16 +142,19 @@                  might be necessary to add this file to the container                  tree manually if the OS of the container is too old to                  contain this file out-of-the-box.</para> +        </refsect1> + +        <refsect1> +                <title>Incompatibility with Auditing</title>                  <para>Note that the kernel auditing subsystem is                  currently broken when used together with                  containers. We hence recommend turning it off entirely -                when using <command>systemd-nspawn</command> by -                booting with <literal>audit=0</literal> on the kernel -                command line, or by turning it off at kernel build -                time. If auditing is enabled in the kernel operating -                systems booted in an nspawn container might refuse -                log-in attempts.</para> +                by booting with <literal>audit=0</literal> on the +                kernel command line, or by turning it off at kernel +                build time. If auditing is enabled in the kernel +                operating systems booted in an nspawn container might +                refuse log-in attempts.</para>          </refsect1>          <refsect1> 
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 09153c87ce..b91b0b8a91 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1219,6 +1219,18 @@ finish:
         return r;
 }
 
+static bool audit_enabled(void) {
+        int fd;
+
+        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+        if (fd >= 0) {
+                close_nointr_nofail(fd);
+                return true;
+        }
+
+        return false;
+}
+
 int main(int argc, char *argv[]) {
         pid_t pid = 0;
         int r = EXIT_FAILURE, k;
@@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
+        if (audit_enabled()) {
+                log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
+                            "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
+                            "line before using systemd-nspawn. Sleeping for 5s...\n");
+                sleep(5);
+        }
+
         if (path_equal(arg_directory, "/")) {
                 log_error("Spawning container on root directory not supported.");
                 goto finish;
|
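Review bot: audit_enabled() in the first hunk gives no hint why a socket() call stands in for "is auditing on", and a failed socket() for any unrelated reason (fd exhaustion, a seccomp or LSM policy) also reads as "auditing off" and silently suppresses the warning; a header comment such as `/* Best-effort probe: assumes the kernel offers NETLINK_AUDIT only when auditing is compiled in and not disabled via audit=0 — confirm; any other socket() failure is treated as "off". */` would make both the assumption and the accepted false negative explicit. The probe socket is also opened without SOCK_CLOEXEC; it is closed on the next line today, but `fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_AUDIT);` matches how the rest of the file opens descriptors and costs nothing, and `int fd;` followed by the assignment could simply be declared at first use. In the second hunk the check and its sleep(5) run before the arg_directory validation that follows, so an invocation that is about to be rejected on the "/" check still pays the five-second delay; moving the block below the argument checks would confine the delay to runs that actually proceed. The body of main() starts and ends outside these hunks.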
