Re: [systemd-devel] Mount error when running systemd-nspawn with --private-network

On Jun 25 2018, Lennart Poettering wrote:
> On Sa, 23.06.18 14:42, Nikolaus Rath (nikol...@rath.org) wrote:
>
>> Hello,
>>
>> When running systemd-nspawn with --private-network, I am getting mount
>> errors:
>>
>> # systemd-nspawn -M iofabric --as-pid2 --private-users=1379532800:65536
>> --register=no --private-network
>> Spawning container iofabric on /var/lib/machines/iofabric.raw.
>> Press ^] three times within 1s to kill container.
>> Selected user namespace base 1379532800 and range 65536.
>> Failed to mount n/a on /tmp/nspawn-root-2Ar2iL/sys/fs/selinux (MS_BIND ""):
>> No such file or directory
>> Failed to mount n/a on /tmp/nspawn-root-2Ar2iL/sys/fs/selinux
>> (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""):
>> Invalid argument
>>
>> This is on a (host) system with SELinux disabled.
>>
>> What do these errors mean?
>
> Hmm, this suggests nspawn tries to mount selinuxfs into the container
> even though the kernel doesn't actually support that. This is weird...
>
> What's the systemd version in use here?

$ systemd --version
systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

> Which distro is this?

Debian stable (stretch) on host, and CentOS 7 in the container.

> Is selinux compiled out of the kernel or just
> disabled during runtime?

How do I find out for sure? All I can say is:

$ grep SELINUX /boot/config-4.18.0-rc1
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

Best,
-Nikolaus

--
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F
»Time flies like an arrow, fruit flies like a Banana.«

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
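The kernel config posted above answers only half of Lennart's question: CONFIG_SECURITY_SELINUX=y means the SELinux code is compiled in, but CONFIG_DEFAULT_SECURITY_SELINUX is not set (so it is not the default major LSM on that kernel) and CONFIG_SECURITY_SELINUX_BOOTPARAM is not set (so a selinux=0 boot parameter is not honoured). Whether SELinux is actually the active LSM is a runtime question. The following script is an added example, not code from the thread or from systemd: it combines the build-time check with the runtime LSM list the kernel exposes in /sys/kernel/security/lsm and the enforce flag in selinuxfs. The paths are parameters so the logic can be exercised against constructed files; the defaults assume a Linux host with the running kernel's config in /boot/config-$(uname -r), which is an assumption that does not hold on every distribution.

```shell
#!/bin/sh
# Added example: classify the SELinux state of a host.
#
#   compiled-out   CONFIG_SECURITY_SELINUX is not =y
#   inactive       compiled in, but "selinux" is not in the active LSM list
#   unmounted      active per the LSM list, but selinuxfs (enforce flag) is absent
#   permissive     active, selinuxfs present, enforce flag 0
#   enforcing      active, selinuxfs present, enforce flag 1
#   unknown        the kernel config could not be read

# selinux_compiled CONFIG: succeeds if SELinux is built into the kernel.
selinux_compiled() {
    grep -q '^CONFIG_SECURITY_SELINUX=y$' "$1"
}

# selinux_bootparam CONFIG: succeeds if the kernel honours "selinux=0" / "selinux=1"
# on its command line; when this fails, that boot parameter is silently ignored.
selinux_bootparam() {
    grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y$' "$1"
}

# selinux_lsm_active LSMFILE: succeeds if "selinux" appears in the comma-separated
# list of active LSMs (normally /sys/kernel/security/lsm, needs securityfs mounted).
selinux_lsm_active() {
    [ -r "$1" ] && tr ',' '\n' < "$1" | grep -qx 'selinux'
}

# selinux_status [CONFIG] [LSMFILE] [SELINUXFS]: print one of the words above.
selinux_status() {
    config=${1:-/boot/config-$(uname -r)}      # assumption: Debian/Fedora-style path
    lsmfile=${2:-/sys/kernel/security/lsm}
    selinuxfs=${3:-/sys/fs/selinux}

    if [ ! -r "$config" ]; then
        echo unknown
    elif ! selinux_compiled "$config"; then
        echo compiled-out
    elif ! selinux_lsm_active "$lsmfile"; then
        echo inactive
    elif [ -r "$selinuxfs/enforce" ]; then
        case $(cat "$selinuxfs/enforce") in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo unmounted
    fi
}

# Stand-alone use: report the state of the host this runs on.
selinux_status "$@"
```

Run without arguments it reports the current host. For the configuration in the thread (SELinux compiled in, not the default LSM, no boot parameter support) the expected answer on a Debian stretch host is "inactive": the code is present, AppArmor or no major LSM is selected, and the only way to change that on a kernel of that vintage is the security= kernel parameter rather than selinux=0. That is exactly the combination in which a userspace tool that only checks "is SELinux compiled in" can be misled.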
Re: [systemd-devel] systemd-nspawn: starting multiple shells

On Sa, 23.06.18 21:57, Nikolaus Rath (nikol...@rath.org) wrote:

> On Jun 23 2018, Nikolaus Rath wrote:
> > On Jun 23 2018, aleivag wrote:
> >> Short answer, yes, `machinectl login` is only supported for systemd-init,
> >> and `machinectl shell` / `systemd-run` will try to talk to the container via
> >> dbus, so I don't think you are forced to have systemd running inside the
> >> container (I may be wrong) but you do need to have dbus (and it's easy to
> >> just have systemd). If you don't need it, you can always use nsenter to
> >> access a namespace on your machine.
> >
> > Still not working:
> [..]
> > $ sudo machinectl shell root@iofabric
> > [sudo] password for nikratio:
> > Failed to get shell PTY: Cannot set property
> > StandardInputFileDescriptor, or unknown property.
>
> So this seems to be caused by systemd in the container being too old,
> and is therefore not available here.
>
> The 'nsenter' approach seems to work so far, but I don't see a generally
> applicable way to figure out the right PID. Is there a trick for
> that?

machinectl show --value $MACHINE -p Leader

Lennart

--
Lennart Poettering, Red Hat
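Lennart's one-liner resolves the container name to the PID of its leader process, which is the PID nsenter needs. The helper below is an added example, not code from the thread or from systemd: it wraps the lookup, refuses to proceed if the returned PID turns out to live in the host's own pid namespace (a sign the lookup answered for the wrong thing), and then joins the leader's mount, UTS, IPC, network, pid and user namespaces. The parsing function accepts both the `--value` form ("4711") and the plain form ("Leader=4711") so it can be tested on constructed output. Function names, the refusal check and the default shell are assumptions of this example.

```shell
#!/bin/sh
# Added example: enter a systemd-nspawn container with nsenter, using the
# leader PID that machined reports for the registered machine.

# leader_pid_from_show TEXT: pull the numeric Leader value out of
# `machinectl show` output. Prints nothing when no PID is present.
leader_pid_from_show() {
    printf '%s\n' "$1" | sed -n -e 's/^Leader=//' -e '/^[0-9][0-9]*$/p' | head -n 1
}

# leader_pid MACHINE: ask machined for the leader PID of a running container.
# Fails (prints nothing) if the machine is unknown or not registered.
leader_pid() {
    out=$(machinectl show --value "$1" -p Leader 2>/dev/null) || return 1
    pid=$(leader_pid_from_show "$out")
    [ -n "$pid" ] && [ "$pid" -gt 0 ] && printf '%s\n' "$pid"
}

# in_own_pidns PID: succeeds if PID shares this shell's pid namespace,
# i.e. it is NOT inside a container that has its own pid namespace.
in_own_pidns() {
    [ "$(readlink /proc/"$1"/ns/pid 2>/dev/null)" = "$(readlink /proc/self/ns/pid)" ]
}

# enter_machine MACHINE [CMD...]: exec CMD (default /bin/sh) inside the
# container's namespaces. Needs root on the host, like nsenter itself.
enter_machine() {
    machine=$1
    shift
    [ $# -eq 0 ] && set -- /bin/sh
    pid=$(leader_pid "$machine") || {
        echo "enter_machine: no leader PID for '$machine' (not registered with machined?)" >&2
        return 1
    }
    if in_own_pidns "$pid"; then
        echo "enter_machine: PID $pid is in the host pid namespace, refusing to nsenter" >&2
        return 1
    fi
    # -U joins the user namespace created by --private-users; drop it for
    # containers started without user namespacing.
    exec nsenter -t "$pid" -m -u -i -n -p -U -- "$@"
}

# Stand-alone use:  ./enter.sh iofabric [command...]
if [ $# -gt 0 ]; then
    enter_machine "$@"
fi
```

Two caveats a practitioner will hit. First, `machinectl show` only knows about containers registered with machined, so a container started with `--register=no`, as in the earlier thread, will not be found this way; for such a container the leader PID has to come from elsewhere (for example the process tree under the systemd-nspawn process). Second, nsenter only switches namespaces; the shell you get still carries the host's credentials and capabilities unless you also adjust them (nsenter's `-S`/`-G` options map the uid/gid), so it is not a substitute for the sandboxing that `machinectl shell` applies via the container's own service manager.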