tmpfiles: don't attempt creation of device nodes when we run in a container
parent
dcc9ba80e1
commit
cb7ed9dfca
@ -1296,7 +1296,8 @@ systemd_tmpfiles_SOURCES = \
|
systemd_tmpfiles_LDADD = \
libsystemd-label.la \
libsystemd-shared.la
libsystemd-shared.la \
libsystemd-capability.la
|
# ------------------------------------------------------------------------------
systemd_machine_id_setup_SOURCES = \
6
TODO
6
TODO
@ -61,11 +61,9 @@ Features:
|
* json: properly serialize multiple fields with the same name per entry
|
* journalctl: make -l the default
|
* journald: add option to choose between "split up nothing", "split up login user journals", "split up all user journals"
|
* journal live copy, bsaed on libneon (client) and libmicrohttpd
* journal live copy, based on libneon (client) and libmicrohttpd
|
* document in wiki json serialization
|
@ -81,8 +79,6 @@ Features:
|
* system.conf should have controls for cgroups
|
* tmpfiles: skip mknod if CAP_MKNOD is missing
|
* bind mount read-only the cgroup tree higher than than nspawn
|
* currently system services appear not to generate core dumps...
|
@ -38,6 +38,7 @@
#include <sys/param.h>
#include <glob.h>
#include <fnmatch.h>
#include <sys/capability.h>
|
#include "log.h"
#include "util.h"
@ -47,6 +48,7 @@
#include "label.h"
#include "set.h"
#include "conf-files.h"
#include "capability.h"
|
/* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
* them in the file system. This is intended to be used to create
@ -764,7 +766,19 @@ static int create_item(Item *i) {
|
case CREATE_BLOCK_DEVICE:
case CREATE_CHAR_DEVICE: {
mode_t file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
mode_t file_type;
|
if (have_effective_cap(CAP_MKNOD) == 0) {
/* In a container we lack CAP_MKNOD. We
shouldnt attempt to create the device node in
that case to avoid noise, and we don't support
virtualized devices in containers anyway. */
|
log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i->path);
return 0;
}
|
file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
|
u = umask(0);
label_context_set(i->path, file_type);
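Review bot: The new guard `if (have_effective_cap(CAP_MKNOD) == 0)` only recognises an exact 0 as "capability missing", so if have_effective_cap() can report a probe failure with a negative return (its declaration is not in this hunk, so this is inferred from the `== 0` form) that error is silently treated as "capability present" and the code falls through to the mknod path. I would capture the result and distinguish the cases, e.g. `r = have_effective_cap(CAP_MKNOD); if (r < 0) return r; if (r == 0) { … }`, assuming create_item() follows the file's negative-errno return convention. The comment describes the situation as container-specific, but the condition is really "we are not allowed to mknod", which also covers unprivileged or capability-bounded runs; wording it that way (and fixing "shouldnt" to "shouldn't") would keep the intent clear for readers who hit the debug-level skip outside a container. create_item() starts before this hunk and continues after it.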