Summary: | app-emulation/lxc-1.1.2 - systemd does not start in container with gentoo.moresecure.conf | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Dennis Schridde <dschridde+gentoobugs> |
Component: | [OLD] Core system | Assignee: | Gentoo Linux bug wranglers <bug-wranglers> |
Status: | RESOLVED UPSTREAM | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/lxc/lxc/pull/564 | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | --- |
Description
Dennis Schridde
2015-06-11 14:30:53 UTC
When I disable the `lxc.cap.drop` line in gentoo.moresecure.conf, the container also starts up. Apparently systemd needs one or more of these capabilities for proper operation, and is unable to fall back if it is missing. I'd be glad for any hints about which ones it needs.

Common (included by both CentOS and Gentoo) contains:

    lxc.cap.drop = mac_admin mac_override sys_time sys_module

Adding the CentOS line lets systemd start, too:

    lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio

Gentoo moresecure tries to drop these, which makes systemd fail:

    lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog

The intention seems to be that the different capabilities dropped by these lines are added up, even though the manpage [1] suggests the opposite. Anyway, the difference between the Gentoo (+) and CentOS (-) config is:

    +audit_control +audit_write +dac_read_search +fsetid +ipc_owner +linux_immutable +mknod -setpcap +sys_admin +sys_boot -sys_nice +sys_ptrace +sys_resource +sys_tty_config +syslog

So to get the bare minimum of systemd to run, one needs the sys_admin and sys_resource caps.

The next issue is that journald shows nothing, which appears to be caused by the missing setpcap capability.

So this line seems to be the maximum possible (incl. +setpcap and +sys_nice from CentOS and -setpcap):

    lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config syslog

[1]: http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html

(In reply to Dennis Schridde from comment #2)
> So this line seems to be the maximum possible (incl. +setpcap and +sys_nice
> from CentOS and -setpcap):

Oops, obviously not with +setpcap, as that is necessary for journald, as we just figured out…

Submitted upstream as pull request: https://github.com/lxc/lxc/pull/564

Well, the templates are based on openrc (as discussed in the pull request). So I am closing this as upstream, as I see no urgent reason to patch the downstream templates to add systemd support at the moment. As suggested, I believe it's best to document systemd needs in the Gentoo LXC wiki.
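Added example for this bug (it is not code from the report, from Gentoo's templates or from LXC): a small Python script that computes the accumulated `lxc.cap.drop` set of a config, flags any capability the reporter found systemd to need, and decodes the `CapBnd` mask from a container process's `/proc/<pid>/status` so the same check can be run against what a running container actually lost. It assumes the semantics stated in lxc.container.conf(5), that every `lxc.cap.drop` line adds to the set and a bare `lxc.cap.drop =` clears what was collected so far; the `SYSTEMD_NEEDS` set (sys_admin, sys_resource, setpcap) is the reporter's finding, not a list documented by systemd; the sample config lines and the `CapBnd` value are constructed, and capability bits above 37 are ignored.

```python
"""Added example for this bug (not LXC's or the reporter's code): check an LXC
config's accumulated lxc.cap.drop set against what systemd was found to need,
and decode CapBnd from /proc/<pid>/status to verify a running container."""
import re

# Capability bit numbers from <linux/capability.h>, spelled as lxc.cap.drop
# expects them (lowercase, no CAP_ prefix). Bits above 37 are ignored here.
CAPS = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAPS)}

# The reporter's finding, not a systemd-documented list: sys_admin and
# sys_resource for PID 1 to start at all, setpcap for journald to log.
SYSTEMD_NEEDS = {"sys_admin", "sys_resource", "setpcap"}

# Constructed samples: the 'common' line, the gentoo.moresecure.conf line and
# the line the reporter proposed instead, as quoted in the bug.
COMMON_LINE = "lxc.cap.drop = mac_admin mac_override sys_time sys_module"
MORESECURE_LINE = ("lxc.cap.drop = audit_control audit_write dac_read_search fsetid "
                   "ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct "
                   "sys_ptrace sys_rawio sys_resource sys_tty_config syslog")
PROPOSED_LINE = ("lxc.cap.drop = audit_control audit_write dac_read_search fsetid "
                 "ipc_owner linux_immutable mknod setfcap sys_boot sys_nice sys_pacct "
                 "sys_ptrace sys_rawio sys_tty_config syslog")
MORESECURE_CONF = COMMON_LINE + "\n" + MORESECURE_LINE + "\n"   # as included together
PROPOSED_CONF = COMMON_LINE + "\n" + PROPOSED_LINE + "\n"


def effective_cap_drop(config_text):
    """Accumulated drop set per lxc.container.conf(5): every lxc.cap.drop line
    adds to the set, and a bare 'lxc.cap.drop =' clears what was collected
    so far (that is how a later included file can undo an earlier one)."""
    dropped = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"lxc\.cap\.drop\s*=\s*(.*)$", line)
        if not m:
            continue
        names = m.group(1).split()
        if not names:                                  # bare 'lxc.cap.drop ='
            dropped.clear()
            continue
        for name in names:
            if name not in CAP_BIT:
                raise ValueError(f"unknown capability name: {name}")
            dropped.add(name)
    return dropped


def systemd_conflicts(config_text):
    """Capabilities this config drops that systemd was found to need."""
    return sorted(effective_cap_drop(config_text) & SYSTEMD_NEEDS)


def capbnd_from_status(status_text):
    """Extract the CapBnd hex mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return line.split()[1]
    raise ValueError("no CapBnd line in status text")


def dropped_from_capbnd(capbnd_hex):
    """Names from CAPS whose bit is clear in the bounding-set mask, i.e. the
    capabilities the container's processes can never regain."""
    mask = int(capbnd_hex, 16)
    return {name for name, bit in CAP_BIT.items() if not (mask >> bit) & 1}


def missing_for_systemd(capbnd_hex):
    """Of the capabilities systemd was found to need, which the bounding set lacks."""
    return sorted(dropped_from_capbnd(capbnd_hex) & SYSTEMD_NEEDS)


# Constructed /proc/1/status excerpt: full 38-bit bounding set with sys_module
# (bit 16) and sys_admin (bit 21) cleared, i.e. 0x3fffffffff & ~(1<<16) & ~(1<<21).
SAMPLE_STATUS = "Name:\tsystemd\nCapBnd:\t0000003fffdeffff\nSeccomp:\t0\n"

if __name__ == "__main__":
    print("moresecure drops systemd needs:", systemd_conflicts(MORESECURE_CONF))
    print("proposed line drops systemd needs:", systemd_conflicts(PROPOSED_CONF))
    # On a live host, read /proc/<pid of the container's init>/status instead.
    mask = capbnd_from_status(SAMPLE_STATUS)
    print("sample bounding set lacks:", missing_for_systemd(mask))
```

Run against the two constructed configs, the moresecure set reports sys_admin and sys_resource as conflicts and the proposed line reports none; pointing `capbnd_from_status` at the init process of a started container (for example `cat /proc/$(lxc-info -n NAME -p -H)/status` on the host) shows whether the bounding set the container really got matches the config, which is the quickest way to tell a drop-set problem from some other systemd start-up failure.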