audit: since audit is apparently never going to be fixed for containers tell the user what's going on
Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
This commit is contained in:
Lennart Poettering
parent
f49fd1d57a
commit
77b6e19458
7
README
7
README
|
|
@ -79,6 +79,13 @@ REQUIREMENTS:
|
||||||
CONFIG_EFI_VARS
|
CONFIG_EFI_VARS
|
||||||
CONFIG_EFI_PARTITION
|
CONFIG_EFI_PARTITION
|
||||||
|
|
||||||
|
Note that kernel auditing is broken when used with systemd's
|
||||||
|
container code. When using systemd in conjunction with
|
||||||
|
containers please make sure to either turn off auditing at
|
||||||
|
runtime using the kernel command line option "audit=0", or
|
||||||
|
turn it off at kernel compile time using:
|
||||||
|
CONFIG_AUDIT=n
|
||||||
|
|
||||||
dbus >= 1.4.0
|
dbus >= 1.4.0
|
||||||
libcap
|
libcap
|
||||||
libblkid >= 2.20 (from util-linux) (optional)
|
libblkid >= 2.20 (from util-linux) (optional)
|
||||||
|
|
|
||||||
|
|
@ -142,16 +142,19 @@
|
||||||
might be necessary to add this file to the container
|
might be necessary to add this file to the container
|
||||||
tree manually if the OS of the container is too old to
|
tree manually if the OS of the container is too old to
|
||||||
contain this file out-of-the-box.</para>
|
contain this file out-of-the-box.</para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Incompatibility with Auditing</title>
|
||||||
|
|
||||||
<para>Note that the kernel auditing subsystem is
|
<para>Note that the kernel auditing subsystem is
|
||||||
currently broken when used together with
|
currently broken when used together with
|
||||||
containers. We hence recommend turning it off entirely
|
containers. We hence recommend turning it off entirely
|
||||||
when using <command>systemd-nspawn</command> by
|
by booting with <literal>audit=0</literal> on the
|
||||||
booting with <literal>audit=0</literal> on the kernel
|
kernel command line, or by turning it off at kernel
|
||||||
command line, or by turning it off at kernel build
|
build time. If auditing is enabled in the kernel
|
||||||
time. If auditing is enabled in the kernel operating
|
operating systems booted in an nspawn container might
|
||||||
systems booted in an nspawn container might refuse
|
refuse log-in attempts.</para>
|
||||||
log-in attempts.</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
||||||
|
|
@ -1219,6 +1219,18 @@ finish:
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool audit_enabled(void) {
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
|
||||||
|
if (fd >= 0) {
|
||||||
|
close_nointr_nofail(fd);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
int main(int argc, char *argv[]) {
|
int main(int argc, char *argv[]) {
|
||||||
pid_t pid = 0;
|
pid_t pid = 0;
|
||||||
int r = EXIT_FAILURE, k;
|
int r = EXIT_FAILURE, k;
|
||||||
|
|
@ -1284,6 +1296,13 @@ int main(int argc, char *argv[]) {
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (audit_enabled()) {
|
||||||
|
log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
|
||||||
|
"Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
|
||||||
|
"line before using systemd-nspawn. Sleeping for 5s...\n");
|
||||||
|
sleep(5);
|
||||||
|
}
|
||||||
|
|
||||||
if (path_equal(arg_directory, "/")) {
|
if (path_equal(arg_directory, "/")) {
|
||||||
log_error("Spawning container on root directory not supported.");
|
log_error("Spawning container on root directory not supported.");
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue