Re: [systemd-devel] Confusing error message
Hi

On Tue, Jun 23, 2015 at 4:28 AM, Johannes Ernst johannes.er...@gmail.com wrote:
> $ systemctl restart systemd-networkd
> Failed to restart systemd-networkd.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
> $ sudo systemctl restart systemd-networkd
> Works.
>
> Presumably this error message could be improved, in particular because that name is indeed not provided by any .service files :-)

So if you're not root, systemctl needs to ask polkit to perform authorization. It does this by sending a dbus message to polkit. If that well-known bus-name is not owned by anyone, the error message in question gets returned. So with inside knowledge, it does make sense ;)

Regarding changing this: For debug purposes, it is highly valuable to know the cause of failure. This message clearly tells a developer what went wrong. Not sure we want to change this. Or more importantly, I'm not entirely sure it is easy to change this, as this error is generated deep down in the polkit-code.

We could just throw that message away and always return EPERM. Not sure it's worth it, though.

Thanks
David
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Confusing error message
Perhaps if there is an issue with polkit (or permissions in general) we should always print something like, "Unable to perform action without privileges; try again with sudo." in addition to the polkit message.

On July 14, 2015 12:59:53 AM PDT, David Herrmann dh.herrm...@gmail.com wrote:
> Hi
>
> On Tue, Jun 23, 2015 at 4:28 AM, Johannes Ernst johannes.er...@gmail.com wrote:
> > $ systemctl restart systemd-networkd
> > Failed to restart systemd-networkd.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
> > $ sudo systemctl restart systemd-networkd
> > Works.
> >
> > Presumably this error message could be improved, in particular because that name is indeed not provided by any .service files :-)
>
> So if you're not root, systemctl needs to ask polkit to perform authorization. It does this, by sending a dbus message to polkit. If that well-known bus-name is not owned by anyone, the error message in question gets returned. So with inside knowledge, it does make sense ;)
>
> Regarding changing this: For debug purposes, it is highly valuable to know the cause of failure. This message clearly tells a developer what went wrong. Not sure we want to change this. Or more importantly, I'm not entirely sure it is easy to change this, as this error is generated deep down in the polkit-code.
>
> We could just throw that message away and always return EPERM. Not sure it's worth it, though.
>
> Thanks
> David

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
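The condition David Herrmann describes above (the polkit bus name has no owner, so the bus returns the "not provided by any .service files" error) can be checked directly on a host. The following is an added example, not part of the original thread or of systemd: it classifies the replies of the standard `org.freedesktop.DBus` methods `NameHasOwner` and `ListActivatableNames` as printed by `busctl`; the function names `polkit_state` and `explain`, the `--live` switch and the hint wording are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the state of the polkit name on the system bus.
# Inputs are the textual replies busctl prints for two org.freedesktop.DBus
# methods:
#   NameHasOwner(s)        -> b true | b false
#   ListActivatableNames() -> as N "name1" "name2" ...
POLKIT_NAME=org.freedesktop.PolicyKit1

# polkit_state HAS_OWNER_REPLY ACTIVATABLE_REPLY
# Prints one of: running | activatable | missing
polkit_state() {
    case "$1" in
        "b true") echo running; return 0 ;;
    esac
    # The surrounding quotes delimit each name, so a longer name that merely
    # starts with the polkit name does not match.
    case " $2 " in
        *" \"$POLKIT_NAME\" "*) echo activatable ;;
        *) echo missing ;;
    esac
}

# explain STATE: one-line hint for an unprivileged caller (wording is
# hypothetical, modelled on the suggestion made in the thread).
explain() {
    case "$1" in
        running|activatable)
            echo "polkit is reachable; the request will be put to polkit for authorization" ;;
        missing)
            echo "no owner and no activation .service file for $POLKIT_NAME: unprivileged requests cannot be authorized; try again with sudo" ;;
        *)
            echo "unknown state: $1" ;;
    esac
}

# Live mode: query the real system bus (requires busctl from systemd).
if [ "${1:-}" = "--live" ]; then
    owner=$(busctl --system call org.freedesktop.DBus /org/freedesktop/DBus \
        org.freedesktop.DBus NameHasOwner s "$POLKIT_NAME")
    act=$(busctl --system call org.freedesktop.DBus /org/freedesktop/DBus \
        org.freedesktop.DBus ListActivatableNames)
    explain "$(polkit_state "$owner" "$act")"
fi
```

The `missing` state is the one that produces the message quoted in the thread: the request fails closed, and only a caller that is already root bypasses the polkit query.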
[systemd-devel] Asking for advice - two network interfaces in a container
Hello All!

My system has two network planes - control plane (several 10.0.0.0/8 networks) and data plane (non-RFC1918 network, visible to end-users). These two networks are separated by two different bridges and some iptables magic. All my business logic is handled using the control plane (using various network protocols).

So far all my containers are connected to the control plane only - I have a lot of them actually. They work fine, orchestrated properly (with high availability, load balancing etc).

Also I've got three VMs (KVM if it matters) which provide different services to the end-users. Thus they have to be connected to the data plane. So all of them have two separate NICs - one for end user interaction, and another one for the control plane. Although it's possible to handle all the business logic via the data plane, I'd rather avoid that.

Could anyone give me advice or a hint on how to design something like this properly? So far I don't see a standard method for systemd-nspawn to assign more than one NIC to the container.

--
With best regards, Peter Lemenkov.
Re: [systemd-devel] How to keep certain services or mounts active during shutdown?
Lennart Poettering wrote
> But this means that wicked is generally incompatible with NFS-root.

Fortunately not! The SuSE support pointed me to an option that wasn't documented in the SLES 12 manual section about wicked (but that I could have found when googling with the correct keywords :-():

Adding STARTMODE='nfsroot' in /etc/sysconfig/network/ifcfg-eth0 (instead of auto, onboot, manual etc) has exactly the wanted effect: Shutting down wicked, e.g. by systemctl stop wicked, leaves the devices with this option running.

In yast this option can be marked, but I never use yast and do all the configs manually, so I missed it there, too.

Anyway, problem solved ;-)

cu, Frank

--
Dipl.-Inform. Frank Steiner    Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik     Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17            Phone: +49 89 2180-4049
80333 Muenchen, Germany        Fax: +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
[systemd-devel] user instance of systemd while inside a container
Hello,

I created an nspawn container which is also running systemd. I can't figure out why the systemd --user instances aren't started. I'd like to manage some processes run as a specific user inside the container. Previously I was using a VM to do it this way, and I would like to be able to port the same code over to the container image.

Is there some setup I need to do to get the instance started? I tried searching on the web, but came up with very little documentation. User instances appear to be started by pam. Maybe pam is not being used as the login for the container?

Is the only alternative to put a bunch of system level services and label them as User=specificuser?

Thanks for your help.

Regards,
Jake
[systemd-devel] [--dmesg] 'kdbus': Function not implemented
Hi all,

[Gentoo] I updated yesterday to version 'sys-apps/systemd-222-r1';

Jul 14 16:18:27 ric-pc systemd[1]: *Failed to insert module 'kdbus': Function not implemented*

Regards,

* RICARDO BASTOS CAMPOS *
Systems Analysis and Development
MS Researcher at INF in Parallel and Distributed Processing Systems (UFRGS)
Porto Alegre, RS - Brasil
Re: [systemd-devel] [--dmesg] 'kdbus': Function not implemented
On 07/14/2015 03:39 PM, RicΛrdo Bastos™ wrote:
> [Gentoo] I updated yesterday to version 'sys-apps/systemd-222-r1';
>
> Jul 14 16:18:27 ric-pc systemd[1]: *Failed to insert module 'kdbus': Function not implemented*

That's just a non-fatal warning message which is caused by a bug in libkmod that has been fixed a while ago.

https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=114ec87c85

This will go away automatically once a new version of libkmod has been released.

Also see https://github.com/systemd/systemd/issues/203

Thanks,
Daniel
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Jun 15, 2015, at 18:15, Chris Morgan chmor...@gmail.com wrote:
> But yeah, was wondering if there were known users of nspawn containers that discussed their use cases.

I'm starting to use it for testing of installation and upgrades of various web apps on UBOS [1] using webapptest [2]. This means spinning up, installing a few things, running curl from the host, and then shutting down lots of containers in a short amount of time.

So far, I have been using VirtualBox, which takes a looong time and only works on x86, but I'd also like to test on various little ARM devices.

Currently, the jury is still out whether nspawn is currently reliable enough to migrate most of our automated tests to it. Most of my posts to this list in the past month have come from trying to figure that out / make it work.

Cheers,
Johannes.

[1] http://ubos.net/
[2] http://ubos.net/docs/developers/app-test.html#alternate-scaffolds
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Mon, 2015-06-15 at 21:15 -0400, Chris Morgan wrote:
> On Monday, June 15, 2015, Lennart Poettering lenn...@poettering.net wrote:
> > On Mon, 15.06.15 13:22, Matthew Karas (mkarasc...@gmail.com) wrote:
> > > Yes - that seems to have let me set the password. Now I can get started learning about this. Thanks a lot!
> > >
> > > Though it does return an error about selinux when I start the shell to set the password
> > >
> > > $ sudo systemd-nspawn -bD /srv/srv1
> > > Spawning container srv1 on /srv/srv1.
> > > Press ^] three times within 1s to kill container.
> > > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> > > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> >
> > Hmm, weird. Is /srv/srv1 read-only or so?
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Red Hat
>
> On a somewhat related topic, are many people making use of nspawn containers in production or test environments? I was a little surprised by the issues I had when trying them out with f21. f22 seems smoother but still required the audit=0 and I think I had to disable selinux to set the password but I was trying for a while with a blank password so...
>
> But yeah, was wondering if there were known users of nspawn containers that discussed their use cases.
>
> Chris

I am using it to host instances of webservers. It's much easier and more intuitive than using docker. I haven't tried rkt, but that appears to use nspawn as the back end anyways.

Docker expects you to create separate containers for each application, and expects to expose network in a certain specific way. nspawn was able to simulate virtual machines, i.e. full user space systems. docker I had a lot of trouble trying to get setup and started, and configured. With nspawn, I just install the packages, run it as nspawn and away I go.

Since I'm just using it to provision network devices via macvlans and separating processes, I did not worry about the security. Basically, I assumed that since I controlled all the container applications anyways, it should be fine.

So far it's worked out great. Far better than trying to manage something as complex as docker, and it worked much more intuitively with how virtual machines have worked in the past.

Regards,
Jake
Re: [systemd-devel] How do I find out why a service was started? (systemd-tmpfiles-setup failed in container)
On Jul 3, 2015, at 4:01, Lennart Poettering lenn...@poettering.net wrote:
> On Wed, 01.07.15 13:50, Johannes Ernst (johannes.er...@gmail.com) wrote:
> > My container is degraded because systemd-tmpfiles-setup.service failed. My understanding is that it should not run in the container anyway. (Right?)
>
> It should run in a container; its purpose is both necessary, and I don't see why a container would have any difficulty with it. It runs just fine in both system and even unprivileged user containers here.
>
> > Here is what fails:
> >
> > # /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
> > Failed to create file /sys/devices/system/cpu/microcode/reload: Read-only file system
>
> We should probably handle this case in a nicer way, and downgrade EROFS error for cases like this.

Should I file this as an issue, so it won't get lost, or do you keep track of this kind of thing somewhere else?

Cheers,
Johannes.