audit: since audit is apparently never going to be fixed for containers tell the user what's going on

Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-10 00:14:12 +02:00 · 2013-05-10 00:14:12 +02:00 · 77b6e19458
parent f49fd1d57a
commit 77b6e19458
3 changed files with 35 additions and 6 deletions
--- a/7
+++ b/7
@ -79,6 +79,13 @@ REQUIREMENTS:
          CONFIG_EFI_VARS
          CONFIG_EFI_PARTITION

+        Note that kernel auditing is broken when used with systemd's
+        container code. When using systemd in conjunction with
+        containers please make sure to either turn off auditing at
+        runtime using the kernel command line option "audit=0", or
+        turn it off at kernel compile time using:
+          CONFIG_AUDIT=n
+
        dbus >= 1.4.0
        libcap
        libblkid >= 2.20 (from util-linux) (optional)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@ -142,16 +142,19 @@
                might be necessary to add this file to the container
                tree manually if the OS of the container is too old to
                contain this file out-of-the-box.</para>
+        </refsect1>
+
+        <refsect1>
+                <title>Incompatibility with Auditing</title>

                <para>Note that the kernel auditing subsystem is
                currently broken when used together with
                containers. We hence recommend turning it off entirely
-                when using <command>systemd-nspawn</command> by
-                booting with <literal>audit=0</literal> on the kernel
-                command line, or by turning it off at kernel build
-                time. If auditing is enabled in the kernel operating
-                systems booted in an nspawn container might refuse
-                log-in attempts.</para>
+                by booting with <literal>audit=0</literal> on the
+                kernel command line, or by turning it off at kernel
+                build time. If auditing is enabled in the kernel
+                operating systems booted in an nspawn container might
+                refuse log-in attempts.</para>
        </refsect1>

        <refsect1>
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -1219,6 +1219,18 @@ finish:
        return r;
 }

+static bool audit_enabled(void) {
+        int fd;
+
+        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+        if (fd >= 0) {
+                close_nointr_nofail(fd);
+                return true;
+        }
+
+        return false;
+}
+
 int main(int argc, char *argv[]) {
        pid_t pid = 0;
        int r = EXIT_FAILURE, k;
@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
                goto finish;
        }

+        if (audit_enabled()) {
+                log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
+                            "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
+                            "line before using systemd-nspawn. Sleeping for 5s...\n");
+                sleep(5);
+        }
+
        if (path_equal(arg_directory, "/")) {
                log_error("Spawning container on root directory not supported.");
                goto finish;