audit: since audit is apparently never going to be fixed for containers tell the user what's going on

Let's try to be helpful to the user and give him a hint what he can do
to make nspawn work with normal OS containers.

https://bugzilla.redhat.com/show_bug.cgi?id=893751

1 files changed, 19 insertions, 0 deletions

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 09153c87ce..b91b0b8a91 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1219,6 +1219,18 @@ finish:
         return r;
 }
 
+static bool audit_enabled(void) {
+        int fd;
+
+        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+        if (fd >= 0) {
+                close_nointr_nofail(fd);
+                return true;
+        }
+
+        return false;
+}
+
 int main(int argc, char *argv[]) {
         pid_t pid = 0;
         int r = EXIT_FAILURE, k;
@@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
+        if (audit_enabled()) {
+                log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
+                            "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
+                            "line before using systemd-nspawn. Sleeping for 5s...\n");
+                sleep(5);
+        }
+
         if (path_equal(arg_directory, "/")) {
                 log_error("Spawning container on root directory not supported.");
                 goto finish;