Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Bug#769494: Please mount cgroup automatically
Thorsten Glaser wrote:
> > I notice that on my laptop I have some binfmt_misc filesystem mounted.
> > I'm pretty sure I don't use anything that uses binfmt_misc. I also
> > have something called pstore. IDK what that is. It's empty so I guess
> > I'm not using it.
>
> I’m a bit concerned about all these.
>
> They increase the attack surface, they need resources
> (especially on older or embedded-ish architectures),
> and they clutter the visual output of, if not df(1),
> then at least mount(8), to a point where one requires
> manual postprocessing to make it legible.
>
> Yes, it seems harmless, but… idk, a system isn’t
> perfect when there’s nothing left to add but nothing
> needs to be removed any more.
>
> Stuff like that could perhaps be mounted from fstab,
> populated by d-i. I remember /tmp, /dev/pts et al.
> having been in fstab once too, nowadays they’re
> automatically mounted, though I’m not concerned
> about these.

Seconded.

Regards, Axel
--
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
Thorsten Glaser writes ("Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically"):
> On Wed, 17 Oct 2018, Ian Jackson wrote:
> > I notice that on my laptop I have some binfmt_misc filesystem mounted.
> > I'm pretty sure I don't use anything that uses binfmt_misc. I also
> > have something called pstore. IDK what that is. It's empty so I guess
> > I'm not using it.
>
> I’m a bit concerned about all these.
>
> They increase the attack surface, they need resources
> (especially on older or embedded-ish architectures),
> and they clutter the visual output of, if not df(1),
> then at least mount(8), to a point where one requires
> manual postprocessing to make it legible.

Well, these are reasonable points. Certainly I don't care enough to
strongly advocate getting rid of the cgroupfs-mount package and you
seem to care enough to advocate keeping it.

If you think we should adopt a similar approach for other kernel
filesystems then I guess you might want to go to d-policy about that.

Regards,
Ian.
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
On Wed, 17 Oct 2018, Ian Jackson wrote:
> I notice that on my laptop I have some binfmt_misc filesystem mounted.
> I'm pretty sure I don't use anything that uses binfmt_misc. I also
> have something called pstore. IDK what that is. It's empty so I guess
> I'm not using it.

I’m a bit concerned about all these.

They increase the attack surface, they need resources
(especially on older or embedded-ish architectures),
and they clutter the visual output of, if not df(1),
then at least mount(8), to a point where one requires
manual postprocessing to make it legible.

Yes, it seems harmless, but… idk, a system isn’t
perfect when there’s nothing left to add but nothing
needs to be removed any more.

Stuff like that could perhaps be mounted from fstab,
populated by d-i. I remember /tmp, /dev/pts et al.
having been in fstab once too, nowadays they’re
automatically mounted, though I’m not concerned
about these.

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
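Added example, not part of the thread: one way to check the concern raised in the message above, by listing mounted kernel pseudo-filesystems (binfmt_misc, pstore, cgroup and the like) that are not on an expected list. The `ALLOWED` policy, the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed site policy: pseudo-filesystem types expected on every host.
ALLOWED="proc sysfs devtmpfs devpts tmpfs"

# Print "fstype mountpoint" for each mounted filesystem whose type the kernel
# marks "nodev" (no backing block device) and which is not in ALLOWED.
# $1: file in /proc/mounts format, $2: file in /proc/filesystems format.
unexpected_virtual_mounts() {
    mounts=${1:-/proc/mounts}
    fstypes=${2:-/proc/filesystems}
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == FNR { if ($1 == "nodev") virt[$2] = 1; next }   # first file: type table
        ($3 in virt) && !($3 in ok) { print $3, $2 }          # second file: mounts
    ' "$fstypes" "$mounts"
}

# Constructed sample data (not taken from any real host), so this runs offline.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
udev /dev devtmpfs rw,nosuid 0 0
devpts /dev/pts devpts rw,nosuid,noexec 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
pstore /sys/fs/pstore pstore rw,relatime 0 0
cgroup /sys/fs/cgroup cgroup rw,relatime 0 0
EOF
}

sample_filesystems() {
    for t in sysfs tmpfs proc devtmpfs devpts binfmt_misc pstore cgroup; do
        echo "nodev $t"
    done
    echo "      ext4"
}

# Run the check against the constructed sample.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_mounts > "$tmp/mounts"
    sample_filesystems > "$tmp/filesystems"
    unexpected_virtual_mounts "$tmp/mounts" "$tmp/filesystems"
    rm -rf "$tmp"
}

demo
```

Called without arguments, `unexpected_virtual_mounts` reads the live `/proc/mounts` and `/proc/filesystems` instead of the sample.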
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
Thorsten Glaser writes ("Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically"):
> On Wed, 17 Oct 2018, Daniel Abrecht wrote:
> > I don't think mounting cgroup is sysvinit's job. Mounting cgroups can be
> > done using /etc/fstab and/or using the cgroupfs-mount package. I don't
> > mind it being always added though.
>
> Why? I mean, what for? I run dozens of systems without it.

Always mounting it would simplify things somewhat, overall. There
would be a very small additional complexity on systems that didn't
need it, but a quite large benefit in not having to maintain a
separate mount-it package and so on. In general this is how we handle
these kernel filesystems, usually (but not invariably - see the
special xen fs).

This is all assuming that there aren't any significant downsides to
mounting it.

I notice that on my laptop I have some binfmt_misc filesystem mounted.
I'm pretty sure I don't use anything that uses binfmt_misc. I also
have something called pstore. IDK what that is. It's empty so I guess
I'm not using it.

This all seems harmless enough. Am I wrong about cgroup ?

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Bug#769494: [Pkg-sysvinit-devel] Bug#769494: Please mount cgroup automatically
On Wed, 17 Oct 2018, Daniel Abrecht wrote:
> I don't think mounting cgroup is sysvinit's job. Mounting cgroups can be
> done using /etc/fstab and/or using the cgroupfs-mount package. I don't
> mind it being always added though.

Why? I mean, what for? I run dozens of systems without it.

bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Bug#769494: Please mount cgroup automatically
Daniel Abrecht writes ("Bug#769494: Please mount cgroup automatically"):
> I don't think mounting cgroup is sysvinit's job. Mounting cgroups can be
> done using /etc/fstab and/or using the cgroupfs-mount package. I don't
> mind it being always added though.

Thanks for your message. I confess I am very ignorant but I don't
understand why it would be a bad idea for this to be mounted on all
systems.

If the existence of cgroupfs-mount is just there to do this, because
sysvinit doesn't, it seems like a lot of trouble. Maybe it would be
better to have sysvinit do it, always, and then we could get rid of
cgroupfs-mount and packages that wanted this facility wouldn't need to
write anything in their control file.

OTOH the current situation sounds tolerable.

I have CC'd `cgroupfs-mo...@packages.debian.org' which is the
maintainers of that package, so that they can have an opinion.

(I'm afraid this mail will come across as a bit ignorant because I'm
not really in a position to do any proper research like reading the
rest of this bug or the cgroupfs-mount package description.)

> This is my first mail to the debian bug tracker, I hope I was able to
> help and to give some new helpful perspectives on this matter.

Thank you for your contribution to Debian. I thought your message was
very helpful, even if I don't know that I 100% agree with your
conclusion :-).

Regards,
Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Bug#769494: Please mount cgroup automatically
Hello,

I don't think mounting cgroup is sysvinit's job. Mounting cgroups can be
done using /etc/fstab and/or using the cgroupfs-mount package. I don't
mind it being always added though.

Also, I think this issue has already been solved. liblxc1, which is a
dependency of lxc, has a dependency for "cgroupfs-mount or systemd",
which means on non-systemd systems, when installing lxc or anything
else which uses liblxc1, cgroupfs-mount will get installed, which will
automatically mount the cgroups. I don't use lxc anymore, but I used to
have it working in jessie without systemd back when I was still using
it.

I am using libvirt-lxc (which has been merged into libvirt-daemon)
without systemd or lxc, though. I haven't seen a similar dependency on
libvirt-daemon yet. libvirt-daemon can be used for other things than
lxc containers, in which case cgroups don't seem to be required. I
recommend adding a recommends to the libvirt-daemon package for
"cgroupfs-mount or systemd" to account for all use cases.

To summarize, I'm for closing this bug and just adding a
"cgroupfs-mount or systemd" dependency or recommends to packages which
need or benefit from it respectively, similar to how it is done with
liblxc1. For this, a new bug could be opened for each affected packet.

This is my first mail to the debian bug tracker, I hope I was able to
help and to give some new helpful perspectives on this matter.

Regards,
Daniel Abrecht