Bug 551792 - app-emulation/lxc-1.1.2 - systemd does not start in container with gentoo.moresecure.conf
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
URL: https://github.com/lxc/lxc/pull/564
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-11 14:30 UTC by Dennis Schridde
Modified: 2015-06-13 11:52 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Dennis Schridde 2015-06-11 14:30:53 UTC
When I configure my container with gentoo.moresecure.conf and `lxc.init_cmd = /usr/lib/systemd/systemd`, the latter will not start up properly.

It does not start any processes, including dbus. When trying to execute systemctl, I see the following:
$ systemctl status
Failed to get D-Bus connection: Operation not permitted

When I use gentoo.common.conf instead, the container comes up as expected.

More details about the setup can be found in bug #551096.
Comment 1 Dennis Schridde 2015-06-11 14:47:31 UTC
When I disable the `lxc.cap.drop` line in gentoo.moresecure.conf, the container also starts up. Apparently systemd needs one or more of these capabilities for proper operation, and is unable to fall back if it is missing. I'd be glad for any hints about which ones it needs.
Comment 2 Dennis Schridde 2015-06-11 17:40:13 UTC
Common (included by both CentOS and Gentoo) contains:
lxc.cap.drop = mac_admin mac_override sys_time sys_module

Adding the CentOS line lets systemd start, too:
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio

Gentoo moresecure tries to drop these, which makes systemd fail:
lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog

The intention seems to be that the different capabilities dropped by these lines are added up, even though the manpage [1] suggests the opposite.

Anyway, the difference between the Gentoo (+) and CentOS (-) config is:
+audit_control +audit_write +dac_read_search +fsetid +ipc_owner +linux_immutable +mknod -setpcap +sys_admin +sys_boot -sys_nice +sys_ptrace +sys_resource +sys_tty_config +syslog

So to get the bare minimum of systemd to run, one needs the sys_admin and sys_resource caps.

The next issue is that journald shows nothing, which appears to be caused by the missing setpcap capability.

So this line seems to be the maximum possible (incl. +setpcap and +sys_nice from CentOS and -setpcap):
lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config syslog

[1]: http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html
Comment 3 Dennis Schridde 2015-06-11 17:48:41 UTC
(In reply to Dennis Schridde from comment #2)
> So this line seems to be the maximum possible (incl. +setpcap and +sys_nice
> from CentOS and -setpcap):
Oops, obviously not with +setpcap, as that is necessary for journald, as we just figured out…
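The comparison worked through in comments 2 and 3 (merging the `lxc.cap.drop` lines of the common, CentOS and Gentoo moresecure templates, listing the difference as +cap/-cap, and checking which dropped capabilities the container's init still needs) can be reproduced with a small parser. The script below is an added example, not code from the bug report or from the LXC project. It assumes, as the reporter observed, that `lxc.cap.drop` values from several lines accumulate into one set, and it stands in for `lxc.include` by resolving include paths against constructed config text embedded in the script; the capability lists are the ones quoted in the bug, the include path and file names are illustrative.

```python
"""Parse lxc.cap.drop from LXC container configs and compare the results.

Added example, not part of the bug report or of LXC. Assumption: values
from several lxc.cap.drop lines (own lines plus those pulled in through
lxc.include) accumulate into one dropped set, as observed in comment 2.
"""
from typing import Dict, List, Set

# Constructed config fragments. The lxc.cap.drop values are the ones quoted
# in the bug; the include path is an illustrative placeholder.
COMMON_CONF = """
# shared by the CentOS and Gentoo templates
lxc.cap.drop = mac_admin mac_override sys_time sys_module
"""

CENTOS_CONF = """
lxc.include = /usr/share/lxc/config/common.conf
lxc.cap.drop = setfcap setpcap sys_nice sys_pacct sys_rawio
"""

GENTOO_MORESECURE_CONF = """
lxc.include = /usr/share/lxc/config/common.conf
lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap sys_admin sys_boot sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
"""

# Include path -> file text, so the parser runs offline (constructed map).
INCLUDES: Dict[str, str] = {"/usr/share/lxc/config/common.conf": COMMON_CONF}


def parse_config(text: str, includes: Dict[str, str] = INCLUDES) -> Dict[str, List[str]]:
    """Return every key with all values given for it, in file order.

    Comments (#) and blank lines are skipped. lxc.include is expanded in
    place, so values from the included file precede the including file's own.
    """
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.include":
            if value not in includes:
                raise FileNotFoundError(f"include not in constructed map: {value}")
            for ikey, ivalues in parse_config(includes[value], includes).items():
                result.setdefault(ikey, []).extend(ivalues)
        else:
            result.setdefault(key, []).append(value)
    return result


def dropped_caps(text: str) -> Set[str]:
    """Effective dropped set, assuming lxc.cap.drop lines accumulate."""
    caps: Set[str] = set()
    for value in parse_config(text).get("lxc.cap.drop", []):
        caps.update(value.split())
    return caps


def diff_drops(a: str, b: str) -> str:
    """Render the two configs' dropped sets as +cap/-cap, like comment 2.

    '+' marks capabilities dropped only by `a`, '-' those dropped only by `b`.
    """
    da, db = dropped_caps(a), dropped_caps(b)
    return " ".join(["+" + c for c in sorted(da - db)] + ["-" + c for c in sorted(db - da)])


def dropped_but_required(text: str, required: Set[str]) -> Set[str]:
    """Capabilities the config drops although the container's init needs them."""
    return dropped_caps(text) & required


if __name__ == "__main__":
    # Comments 2 and 3: systemd needs sys_admin and sys_resource, journald needs setpcap.
    needed = {"sys_admin", "sys_resource", "setpcap"}
    print("gentoo(+) vs centos(-):", diff_drops(GENTOO_MORESECURE_CONF, CENTOS_CONF))
    print("gentoo drops but systemd needs:", sorted(dropped_but_required(GENTOO_MORESECURE_CONF, needed)))
    print("centos drops but systemd needs:", sorted(dropped_but_required(CENTOS_CONF, needed)))
```

Running the script prints the same +/- difference as comment 2 (with the names sorted) and shows that the moresecure template drops sys_admin and sys_resource while the CentOS template drops setpcap, which is exactly the split that left systemd without D-Bus in one case and journald silent in the other.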
Comment 4 Dennis Schridde 2015-06-11 17:54:16 UTC
Submitted upstream as pull request: https://github.com/lxc/lxc/pull/564
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2015-06-13 11:52:38 UTC
Well the templates are based on openrc (as discussed in the pull request). So I am closing this as upstream as I see no urgent reason to patch the downstream templates to add systemd support at the moment. As suggested, I believe it's best to document systemd needs in the Gentoo LXC wiki.