[systemd-devel] Understanding DHCP, DNS and IPMasquerade

[Johannes Ernst]

My host obtains an IP address and DNS server via DHCP from upstream via 
Ethernet like this (systemd 219, Arch Linux)

[Match]
Name=en*

[Network]
DHCP=ipv4

It has the resolv.conf symlink to /run/systemd/resolve/resolv.conf, and the DNS 
server from DHCP shows up there.

It also has this test.network file:

[Match]
Name=ve-*

[Network]
Address=0.0.0.0/28
IPMasquerade=yes
IPv4LL=yes
DHCPServer=yes
IPForward=yes

My host runs a container like this: (systemd 219, UBOS (just like Arch Linux))

systemd-nspawn -b -D test -n

The container does not have any networkd configuration. It has the resolv.conf 
symlink, and runs systemd-networkd

I was expecting:
 * container gets an IP address from host in some new subnet: WORKS, e.g 
10.0.0.2
 * container can route to upstream via IPMasquerade: WORKS, after manual 
'modprobe iptable_nat'
 * container gets the DNS server from the host: FAILS: /etc/resolv.conf points 
to Google name servers instead (8.8.8.8 etc)
 * host and container can ping test (if test is the name of the container 
machine per machinectl): FAILS, neither can

What am I misunderstanding or doing wrong? If somebody educates me, I’ll put 
the insights on a wiki somewhere (e.g. Arch)

Thanks,


Johannes.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [survey] BTRFS_IOC_DEVICES_READY return status

[Andrei Borzenkov]

В Fri, 12 Jun 2015 21:16:30 +0800
Anand Jain  пишет:

> 
> 
> BTRFS_IOC_DEVICES_READY is to check if all the required devices
> are known by the btrfs kernel, so that admin/system-application
> could mount the FS. It is checked against a device in the argument.
> 
> However the actual implementation is bit more than just that,
> in the way that it would also scan and register the device
> provided in the argument (same as btrfs device scan subcommand
> or BTRFS_IOC_SCAN_DEV ioctl).
> 
> So BTRFS_IOC_DEVICES_READY ioctl isn't a read/view only ioctl,
> but its a write command as well.
> 
> Next, since in the kernel we only check if total_devices
> (read from SB)  is equal to num_devices (counted in the list)
> to state the status as 0 (ready) or 1 (not ready). But this
> does not work in rest of the device pool state like missing,
> seeding, replacing since total_devices is actually not equal
> to num_devices in these state but device pool is ready for
> the mount and its a bug which is not part of this discussions.
> 
> 
> Questions:
> 
>   - Do we want BTRFS_IOC_DEVICES_READY ioctl to also scan and
> register the device provided (same as btrfs device scan
> command or the BTRFS_IOC_SCAN_DEV ioctl)
> OR can BTRFS_IOC_DEVICES_READY be read-only ioctl interface
> to check the state of the device pool. ?
> 

udev is using it to incrementally assemble multi-device btrfs, so in
this case I think it should. Are there any other users?

>   - If the the device in the argument is already mounted,
> can it straightaway return 0 (ready) ? (as of now it would
> again independently read the SB determine total_devices
> and check against num_devices.
> 

I think yes; obvious use case is btrfs mounted in initrd and later
coldplug. There is no point to wait for anything as filesystem is
obviously there.

>   - What should be the expected return when the FS is mounted
> and there is a missing device.
> 

This is similar to problem mdadm had to solve. mdadm starts timer as
soon as enough raid devices are present; if timer expires before raid
is complete, raid is started in degraded mode. This avoids spurious
rebuilds. So it would be good if btrfs could distinguish between enough
devices to mount and all devices.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Help needed for optimizing my boot time

[Francis Moreau]

On 06/12/2015 06:26 PM, Andrei Borzenkov wrote:
> В Fri, 12 Jun 2015 16:56:08 +0200
> Francis Moreau  пишет:
> 
>> On 06/11/2015 06:23 PM, Dan Williams wrote:
>>> On Thu, 2015-06-11 at 15:15 +0200, Francis Moreau wrote:
>> [...]

 Does ntpd service really need 'After=network.target', not sure.
>>>
>>> The 'network online' targets are really just there for ignorant services
>>> that don't respond to network events themselves, that expect the network
>>> to be up and running before they start.  Of course, those services don't
>>> have any way to say *which* network interface they care about, so if you
>>> have more than one interface in your system they still get it wrong.
>>
>> Do such services exist actually ?
>>
> 
> Until recently ntpd required working name resolution (i.e. often DNS)
> to find its peers. If you mount something over network on boot you want
> to have reasonable confidence that network is up.
> 
>> I can't see how such service can work if they can't handle the offline
>> case properly...
>>
> 
> Please explain how filesystem on iSCSI target is supposed to handle
> offline case properly. 
> 

I was talking about ntpd, I dont know for you specific case.

>> BTW 'network online' target doesn't seem to mean the network is up
>> because if I boot my computer offline, this target is still reached and
>> passed.
>>
> 
> Yes, network-online.target is not there to make boot impossible; it is
> there to delay boot until network is considered to be up. It makes
> little sense in pure dynamic environment; it is quite useful in static
> server environment where network is expected to be always present but
> may take some time to be configured.
>

Then if it's not reliable in some cases how can it be used by some
generic services such as ntpd if ntpd is not prepared to handle the
offline case ?

>>>
>>> But anyway, if ntpd or autofs can respond to network events using
>>> netlink or listening on D-Bus to NetworkManager/connman/etc or getting
>>> triggered by eg NetworkManager dispatcher scripts, then they probably
>>> don't need to block on network-online.  But if they can't, and they
>>> expect the network to be up and running before they start, then yes they
>>> will block startup until some kind of networking is running.
>>
>> Well I must be missing something but I can't see why ntpd or autofs
>> would rely and have any deps on NM whereas they need to deal with the
>> generic case, i.e. the one where NM is not installed and used.
>>
> 
> Where do you see any deps on NM? network-online.target is generic
> target which will be used with any underlying networking implementation.

I was refering to "if ntpd or autofs can respond to network events using
netlink or listening on D-Bus to NetworkManager/connman/etc"

>>
>> IOW, any services having "After: network-online.target" look odd to me.
>>
> 
> Welcome to real world :)
> 

No, real world is not "wait for ntpd, autofs to be activated before I
can login" or at least not in my world ;)

I don't really understand your opinion, are you saying that ntpd should
used "After: network-online.target" ?

Thanks
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Help needed for optimizing my boot time

[Andrei Borzenkov]

В Fri, 12 Jun 2015 16:56:08 +0200
Francis Moreau  пишет:

> On 06/11/2015 06:23 PM, Dan Williams wrote:
> > On Thu, 2015-06-11 at 15:15 +0200, Francis Moreau wrote:
> [...]
> >>
> >> Does ntpd service really need 'After=network.target', not sure.
> > 
> > The 'network online' targets are really just there for ignorant services
> > that don't respond to network events themselves, that expect the network
> > to be up and running before they start.  Of course, those services don't
> > have any way to say *which* network interface they care about, so if you
> > have more than one interface in your system they still get it wrong.
> 
> Do such services exist actually ?
> 

Until recently ntpd required working name resolution (i.e. often DNS)
to find its peers. If you mount something over network on boot you want
to have reasonable confidence that network is up.

> I can't see how such service can work if they can't handle the offline
> case properly...
> 

Please explain how filesystem on iSCSI target is supposed to handle
offline case properly. 

> BTW 'network online' target doesn't seem to mean the network is up
> because if I boot my computer offline, this target is still reached and
> passed.
> 

Yes, network-online.target is not there to make boot impossible; it is
there to delay boot until network is considered to be up. It makes
little sense in pure dynamic environment; it is quite useful in static
server environment where network is expected to be always present but
may take some time to be configured.

> > 
> > But anyway, if ntpd or autofs can respond to network events using
> > netlink or listening on D-Bus to NetworkManager/connman/etc or getting
> > triggered by eg NetworkManager dispatcher scripts, then they probably
> > don't need to block on network-online.  But if they can't, and they
> > expect the network to be up and running before they start, then yes they
> > will block startup until some kind of networking is running.
> 
> Well I must be missing something but I can't see why ntpd or autofs
> would rely and have any deps on NM whereas they need to deal with the
> generic case, i.e. the one where NM is not installed and used.
> 

Where do you see any deps on NM? network-online.target is generic
target which will be used with any underlying networking implementation.
> 
> IOW, any services having "After: network-online.target" look odd to me.
> 

Welcome to real world :)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Pass environment variables down to systemd-service in container

[Peter Paule]

Hi there,

is there a chance to pass (the given) environment variables down to
`unicorn` and `delayed_job-worker`?

systemd (host)
  |
   - docker-app.service
 Environment="RAILS_ENV=production"
 Environment="DATABASE_URL=postgresql://localhost/app_development"
  |
   - docker
  |
   - systemd (container)
  |
   - unicorn (ruby)
  |
   - delayed_job-worker (ruby)

Background:

I need to wrap a rails application within CentOS-image. To make the image
re-usable I decided to use the DATABASE_URL-environment variable to configure
the database. I also need to switch the RAILS_ENV.

I'm using this image here
https://registry.hub.docker.com/u/feduxorg/centos/dockerfile/. It's based on
the official docker image which uses the `systemd-container`-package from
CentOS.


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Shutting down service using systemd-nspawn

[Peter Paule]

> Not sure I follow: why do this indirectly by killing nspawn?
> Why not send this to the container init directly?
> 
> Note that if you know the nspawn PID, you can derive the external PID
> of the init process easily by reading
> /proc/$PID/task/$PID/children. It will only container one PID, and
> that's init.

That's an easy one. I didn't know how to get that pid. Thanks a lot 
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] fstab-generator: Do less sanity checking

[poma]

On 25.03.2015 00:05, Tobias Hunger wrote:
> Mount whatever the user asked to be mounted on / and /usr on the
> kernel command line. Do less sanity check and do *not* bail out
> when the mount device looks strange or does not exist.
> 
> This basically makes the changes for deviceless filesystems
> from yesterday unnecessary and is in line with what we do for
> filesystems set up in fstab.
> 
> Remove some code that is now dead.
> ---
>  src/fstab-generator/fstab-generator.c | 34 +++---
>  src/shared/generator.c|  5 -
>  src/shared/util.c | 29 -
>  src/shared/util.h |  1 -
>  4 files changed, 15 insertions(+), 54 deletions(-)
> 
> diff --git a/src/fstab-generator/fstab-generator.c 
> b/src/fstab-generator/fstab-generator.c
> index 77c97fd..5bd800e 100644
> --- a/src/fstab-generator/fstab-generator.c
> +++ b/src/fstab-generator/fstab-generator.c
> @@ -397,20 +397,18 @@ static int add_root_mount(void) {
>  _cleanup_free_ char *what = NULL;
>  const char *opts;
>  
> -if (fstype_is_deviceless(arg_root_fstype)) {
> -if (free_and_strdup(&what, arg_root_what) < 0)
> -return log_oom();
> -} else {
> -if (isempty(arg_root_what)) {
> -log_debug("Could not find a root= entry on the 
> kernel command line.");
> -return 0;
> -}
> +if (isempty(arg_root_what)) {
> +log_debug("Could not find a root= entry on the kernel 
> command line.");
> +return 0;
> +}
>  
> -what = fstab_node_to_udev_node(arg_root_what);
> -if (!path_is_absolute(what)) {
> -log_debug("Skipping entry what=%s where=/sysroot 
> type=%s", what, strna(arg_root_fstype));
> -return 0;
> -}
> +what = fstab_node_to_udev_node(arg_root_what);
> +if (!what)
> +log_oom();
> +
> +if (is_device_path(what) && path_is_read_only_fs("sys") > 0) {
> +log_info("Running in a container, ignoring kernel command 
> line configuration for %s.", what);
> +return 0;
>  }
>  
>  if (!arg_root_options)
> @@ -426,7 +424,7 @@ static int add_root_mount(void) {
>   "/sysroot",
>   arg_root_fstype,
>   opts,
> - 1,
> + is_device_path(what) ? 1 : 0,
>   false,
>   false,
>   false,
> @@ -466,10 +464,8 @@ static int add_usr_mount(void) {
>  return 0;
>  
>  what = fstab_node_to_udev_node(arg_usr_what);
> -if (!path_is_absolute(what)) {
> -log_debug("Skipping entry what=%s where=/sysroot/usr 
> type=%s", what, strna(arg_usr_fstype));
> -return -1;
> -}
> +if (!what)
> +log_oom();
>  
>  if (!arg_usr_options)
>  opts = arg_root_rw > 0 ? "rw" : "ro";
> @@ -483,7 +479,7 @@ static int add_usr_mount(void) {
>   "/sysroot/usr",
>   arg_usr_fstype,
>   opts,
> - 1,
> + is_device_path(what) ? 1 : 0,
>   false,
>   false,
>   false,
> diff --git a/src/shared/generator.c b/src/shared/generator.c
> index c348ca2..569b25b 100644
> --- a/src/shared/generator.c
> +++ b/src/shared/generator.c
> @@ -42,11 +42,6 @@ int generator_write_fsck_deps(
>  assert(what);
>  assert(where);
>  
> -if (fstype_is_deviceless(fstype)) {
> -log_debug("Not checking deviceless filesystem \"%s\".", 
> fstype);
> -return 0;
> -}
> -
>  if (!is_device_path(what)) {
>  log_warning("Checking was requested for \"%s\", but it is 
> not a device.", what);
>  return 0;
> diff --git a/src/shared/util.c b/src/shared/util.c
> index 2d50f73..ad548da 100644
> --- a/src/shared/util.c
> +++ b/src/shared/util.c
> @@ -1713,35 +1713,6 @@ bool fstype_is_network(const char *fstype) {
>  return nulstr_contains(table, fstype);
>  }
>  
> -bool fstype_is_deviceless(const char *fstype) {
> -static const char table[] =
> -"autofs\0"
> -"bdev\0"
> -"cgroup\0"
> -"configfs\0"
> -"cpuset\0"
> -"debugfs\0"
> -"devpts\0"
> -"devtmpfs\0"
> -"efivarfs\0"
> -"hugetlbfs\0"
> -"mqueue\0"
> -"overlayfs\0"
> -"pipefs\0"
> -"proc\0"
> -  

Re: [systemd-devel] Help needed for optimizing my boot time

[Francis Moreau]

On 06/11/2015 06:23 PM, Dan Williams wrote:
> On Thu, 2015-06-11 at 15:15 +0200, Francis Moreau wrote:
[...]
>>
>> Does ntpd service really need 'After=network.target', not sure.
> 
> The 'network online' targets are really just there for ignorant services
> that don't respond to network events themselves, that expect the network
> to be up and running before they start.  Of course, those services don't
> have any way to say *which* network interface they care about, so if you
> have more than one interface in your system they still get it wrong.

Do such services exist actually ?

I can't see how such service can work if they can't handle the offline
case properly...

BTW 'network online' target doesn't seem to mean the network is up
because if I boot my computer offline, this target is still reached and
passed.

> 
> But anyway, if ntpd or autofs can respond to network events using
> netlink or listening on D-Bus to NetworkManager/connman/etc or getting
> triggered by eg NetworkManager dispatcher scripts, then they probably
> don't need to block on network-online.  But if they can't, and they
> expect the network to be up and running before they start, then yes they
> will block startup until some kind of networking is running.

Well I must be missing something but I can't see why ntpd or autofs
would rely and have any deps on NM whereas they need to deal with the
generic case, i.e. the one where NM is not installed and used.

In my understanding, they would either use netlink or simply retry later.

I just checked ntpd source code and it seems to use netlink. I can't
find any ntpd script installed in /etc/NetworkManager/dispatcher.d but
ntpd get informed when an network interface is added/removed.

IOW, any services having "After: network-online.target" look odd to me.

Thanks
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [survey] BTRFS_IOC_DEVICES_READY return status

[Anand Jain]

BTRFS_IOC_DEVICES_READY is to check if all the required devices
are known by the btrfs kernel, so that admin/system-application
could mount the FS. It is checked against a device in the argument.

However the actual implementation is bit more than just that,
in the way that it would also scan and register the device
provided in the argument (same as btrfs device scan subcommand
or BTRFS_IOC_SCAN_DEV ioctl).

So BTRFS_IOC_DEVICES_READY ioctl isn't a read/view only ioctl,
but its a write command as well.

Next, since in the kernel we only check if total_devices
(read from SB)  is equal to num_devices (counted in the list)
to state the status as 0 (ready) or 1 (not ready). But this
does not work in rest of the device pool state like missing,
seeding, replacing since total_devices is actually not equal
to num_devices in these state but device pool is ready for
the mount and its a bug which is not part of this discussions.


Questions:

 - Do we want BTRFS_IOC_DEVICES_READY ioctl to also scan and
   register the device provided (same as btrfs device scan
   command or the BTRFS_IOC_SCAN_DEV ioctl)
   OR can BTRFS_IOC_DEVICES_READY be read-only ioctl interface
   to check the state of the device pool. ?

 - If the the device in the argument is already mounted,
   can it straightaway return 0 (ready) ? (as of now it would
   again independently read the SB determine total_devices
   and check against num_devices.

 - What should be the expected return when the FS is mounted
   and there is a missing device.


Thanks, Anand
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] core: if PR_SET_CHILD_SUBREAPER fails, log_error instead of warning

[Lennart Poettering]

On Sat, 23.05.15 13:04, Cristian Rodríguez (crrodrig...@opensuse.org) wrote:

> It was a warning when we still supported kernel < 3.4. current
> minimum version is 3.7.

For the sake of the archives: this has been merged now as PR #76.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [ANNOUNCE] Git development moved to github

[Ronny Chevalier]

On Fri, Jun 12, 2015 at 5:30 AM, Filipe Brandenburger
 wrote:
> On Thu, Jun 11, 2015 at 12:31 PM, Ronny Chevalier
>  wrote:
>> On Thu, Jun 11, 2015 at 6:31 PM, Filipe Brandenburger 
>>  wrote:
>>> Another downside of adding comments to the commits is that e-mail
>>> notifications are not sent for them (I just noticed that while lurking
>>> on #164, I got e-mails for the main thread but not for Lennart's
>>> comments on commit 5f33680.)
>>
>> Yes you need to specify for each PR you are interested in that you
>> want to receive mail notifications for the PR... (I think it's the
>> subscribe button at the bottom)
>
> Sorry I should have explained myself better...

No I understood, but what I meant is that in addition of "watching", I
think you have to subscribe to a particular PR to receive mail
notifications for the comments on the commits, or maybe I'm wrong and
there is no way to get mail notifications for this, which is weird I
think...

>
> I "watch" systemd/systemd as a whole, so I get all notifications
> without having to ask for them individually...
>
> On #164, I *did* get an e-mail for @zonque's comment ("Also, you
> forgot to add the new files to Makefile.am and po/LINGUAS...") but I
> did *not* get e-mails for @poettering's comments on commit 5f33680
> ("Hmm, can you please change the commit msg to say this is the catalog
> translation? ...") and the replies on that thread (@s8321414 replied
> "@poettering How can I do this using git?" etc.)
>
> I think that's one more symptom of the fact that, for GitHub, the
> commit itself doesn't directly belong to the PR, and so does not
> belong to the project either...
>
> The e-mail notifications are not really a great big deal (still, they
> are annoying), but I think it's just one more sign that adding
> comments to the commits will end up causing trouble in the future...
>
> Cheers,
> Filipe
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel