Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Bug#769494: Please mount cgroup automatically
Thorsten Glaser wrote: > > I notice that on my laptop I have some binfmt_misc filesystem mounted. > > I'm pretty sure I don't use anything that uses binfmt_misc. I also > > have something called pstore. IDK what that is. It's emty so I guess > > I'm not using it. > > I’m a bit concerned about all these. > > They increase the attack surface, they need resources > (especially on older or embedded-ish architectures), > and they clutter the visual output of, if not df(1), > then at least mount(8), to a point where one requires > manual postprocessing to make it legible. > > Yes, it seems harmless, but… idk, a system isn’t > perfect when there’s nothing left to add but nothing > needs to be removed any more. > > Stuff like that could perhaps be mounted from fstab, > populated by d-i. I remember /tmp, /dev/pts et al. > having been in fstab once too, nowadays they’re > automatically mounted, though I’m not concerned > about these. Seconded. Regards, Axel -- ,''`. | Axel Beckert , https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE signature.asc Description: Digital signature
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
Thorsten Glaser writes ("Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please
mount cgroup automatically"):
> On Wed, 17 Oct 2018, Ian Jackson wrote:
> > I notice that on my laptop I have some binfmt_misc filesystem mounted.
> > I'm pretty sure I don't use anything that uses binfmt_misc. I also
> > have something called pstore. IDK what that is. It's emty so I guess
> > I'm not using it.
>
> I’m a bit concerned about all these.
>
> They increase the attack surface, they need resources
> (especially on older or embedded-ish architectures),
> and they clutter the visual output of, if not df(1),
> then at least mount(8), to a point where one requires
> manual postprocessing to make it legible.
Well, these are reasonable points. Certainly I don't care enough to
strongly advocate getting rid of the cgroupfs-mount package and you
seem to care enough to advocate keeping it.
If you think we should adopt a similar approach for other kernel
filesystems then I guess you might want to go to d-policy about that.
Regards,
Ian.
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
On Wed, 17 Oct 2018, Ian Jackson wrote: > I notice that on my laptop I have some binfmt_misc filesystem mounted. > I'm pretty sure I don't use anything that uses binfmt_misc. I also > have something called pstore. IDK what that is. It's emty so I guess > I'm not using it. I’m a bit concerned about all these. They increase the attack surface, they need resources (especially on older or embedded-ish architectures), and they clutter the visual output of, if not df(1), then at least mount(8), to a point where one requires manual postprocessing to make it legible. Yes, it seems harmless, but… idk, a system isn’t perfect when there’s nothing left to add but nothing needs to be removed any more. Stuff like that could perhaps be mounted from fstab, populated by d-i. I remember /tmp, /dev/pts et al. having been in fstab once too, nowadays they’re automatically mounted, though I’m not concerned about these. bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 54881-235 HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
Thorsten Glaser writes ("Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please
mount cgroup automatically"):
> On Wed, 17 Oct 2018, Daniel Abrecht wrote:
> > I don't think mounting cgroup is sysvinits job. Mounting cgroups can be
> > done using /etc/fstab and/or using the cgroupfs-mount package. I don't
> > mind it being always added though.
>
> Why? I mean, what for? I run dozens of systems without it.
Always mounting it would simplify things somewhat, overall. There
would be a very small additional complexity on systems that didn't
need it, but a quite large benefit in not having to maintain a
separate mount-it package and so on. In general this is how we handle
these kernel filesystems, usually (but not invariably - see the
special xen fs).
This is all assuming that there aren't any significant downsides to
mounting it.
I notice that on my laptop I have some binfmt_misc filesystem mounted.
I'm pretty sure I don't use anything that uses binfmt_misc. I also
have something called pstore. IDK what that is. It's emty so I guess
I'm not using it.
This all seems harmless enough. Am I wrong about cgroup ?
Ian.
--
Ian JacksonThese opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
On Wed, 17 Oct 2018, Daniel Abrecht wrote: > I don't think mounting cgroup is sysvinits job. Mounting cgroups can be > done using /etc/fstab and/or using the cgroupfs-mount package. I don't > mind it being always added though. Why? I mean, what for? I run dozens of systems without it. bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 54881-235 HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Bug#769494: Please mount cgroup automatically
Daniel Abrecht writes ("Bug#769494: Please mount cgroup automatically"):
> I don't think mounting cgroup is sysvinits job. Mounting cgroups can be
> done using /etc/fstab and/or using the cgroupfs-mount package. I don't
> mind it being always added though.
Thanks for your message.
I confess I am very ignorant but I don't understand why it would be a
bad idea for this to be mounted on all systems.
If the existence of cgroupfs-mount is just there to do this, because
sysvinit doesn't, it seems like a lot of trouble. Maybe it would be
better to have sysvinit do it, always, and then we could get rid of
cgroupfs-mount and packages that wanted this facility wouldn't need to
write anything in their control file.
OTOH the current situation sounds tolerable.
I have CC'd `cgroupfs-mo...@packages.debian.org' which is the
maintainers of that package, so that they can have an opinion. (I'm
afraid this mail will come across as a bit ignorant because I'm not
really in a position to do any proper research like reading the rest
of this bug or the cgroupfs-mount package description.)
> This is my first mail to the debian bug tracker, I hope I was able to
> help and to give some new helpful perspectives on this matter.
Thank you for your contribution to Debian. I thought your message was
very helpful, even if I don't know that I 100% agree with your
conclusion :-).
Regards,
Ian.
--
Ian JacksonThese opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Bug#769494: Please mount cgroup automatically
Hello, I don't think mounting cgroup is sysvinits job. Mounting cgroups can be done using /etc/fstab and/or using the cgroupfs-mount package. I don't mind it being always added though. Also, I think this issue has already been solved. liblxc1, which is a dependency of lxc, has a dependency for "cgroupfs-mount or systemd", which means on non-systemd systems, when installing lxc or anything else which uses liblxc1, cgroupfs-mount will get installed, which will automatically mount the cgroups. I don't use lxc anymore, but I used to have it working in jessie without systemd back when I was still using it. I am using libvirt-lxc (which has been merged into libvirt-daemon) without systemd or lxc, though. I haven't seen a similar dependency on libvirt-daemon yet. libvirt-daemon can be used for other things than lxc containers, in which case cgroups don't seam to be required. I recommend adding a recommends to the libvirt-daemon package for "cgroupfs-mount or systemd" to account for all use cases. To summarize, I'm for closing this bug and just adding a "cgroupfs-mount or systemd" dependency or recommends to packages which need or benefit from it respectively, similar to how it is done with liblxc1. For this, a new bug could be opened for each affected packet. This is my first mail to the debian bug tracker, I hope I was able to help and to give some new helpful perspectives on this matter. Regards, Daniel Abrecht
