[systemd-devel] DeviceAllow=/dev/net/tun in systemd-nspawn@.service has no effect

2022-02-21 Thread Gibeom Gwon

Hello,

Just out of curiosity, I commented out DeviceAllow=/dev/net/tun rwm in
systemd-nspawn@.service and tried running it. I expected a failure, but
there was none.

copy_devnodes() in src/nspawn/nspawn.c calls mknod() on /dev/net/tun, so
EPERM is expected because DeviceAllow=/dev/net/tun rwm is no longer present.
But /dev/net/tun was created and systemd-nspawn did not fail.

Doesn't DeviceAllow= apply to child processes spawned by
raw_clone(SIGCHLD|CLONE_NEWNS), or is there some other reason?

I'm using Arch Linux; the kernel is 5.16.10 and systemd is 250.3.

Here is the output. I also commented out
DeviceAllow=char-pts rw and it didn't fail:

sh-5.1# tail -n 20 /usr/lib/systemd/system/systemd-nspawn\@.service
TasksMax=16384
WatchdogSec=3min

DevicePolicy=closed
#DeviceAllow=/dev/net/tun rwm
#DeviceAllow=char-pts rw

# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw

# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw

[Install]
WantedBy=machines.target
sh-5.1# systemctl start systemd-nspawn@test
sh-5.1# machinectl
MACHINE CLASS     SERVICE        OS   VERSION ADDRESSES
test    container systemd-nspawn arch -       -

1 machines listed.
sh-5.1# machinectl shell test
Connected to machine test. Press ^] three times within 1s to exit session.
[root@test ~]# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 20 05:13 /dev/net/tun

Regards,
Gibeom Gwon
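To make the expectation in the post concrete, here is an added example, not systemd's code, that models what a unit's DevicePolicy= and DeviceAllow= lines are expected to grant under the semantics described in systemd.resource-control(5): a "closed" policy permits only the listed devices plus a few basic pseudo devices, a "char-NAME"/"block-NAME" spec covers every minor of the major registered under NAME in /proc/devices, and the m bit is the one mknod() needs. The device table and the /proc/devices excerpt are constructed stand-ins for stat() and the real file, and the implicit device list is the one the manual names (systemd's implementation adds a few more pseudo devices, which is assumed not to matter here). Run over the unit as posted, the model says mknod on /dev/net/tun should be denied, which is the outcome the post expected but did not observe.

```python
"""Added example (not systemd's code): a model of what a unit's DevicePolicy=
and DeviceAllow= lines are expected to grant, per systemd.resource-control(5).
Device nodes and /proc/devices content are constructed stand-ins so it runs anywhere."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for stat() on host device nodes: path -> (kind, major, minor).
# The numbers are the conventional Linux ones (misc 10:200 is /dev/net/tun).
DEV_NODES = {
    "/dev/net/tun": ("c", 10, 200),
    "/dev/loop-control": ("c", 10, 237),
    "/dev/mapper/control": ("c", 10, 236),
    "/dev/null": ("c", 1, 3), "/dev/zero": ("c", 1, 5), "/dev/full": ("c", 1, 7),
    "/dev/random": ("c", 1, 8), "/dev/urandom": ("c", 1, 9),
}
# Constructed excerpt of /proc/devices, used to resolve "char-NAME"/"block-NAME".
PROC_DEVICES = """Character devices:
  1 mem
 10 misc
136 pts
Block devices:
  7 loop
254 device-mapper
259 blkext
"""
# Devices a "closed" policy grants implicitly (the manual's list; systemd itself
# adds a few more pseudo devices, assumed irrelevant for this check).
IMPLICIT_CLOSED = ("/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom")

# The unit excerpt from the post, with the two DeviceAllow= lines commented out.
UNIT_AS_POSTED = """
DevicePolicy=closed
#DeviceAllow=/dev/net/tun rwm
#DeviceAllow=char-pts rw
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
"""
UNIT_STOCK = UNIT_AS_POSTED.replace("#DeviceAllow", "DeviceAllow")  # lines restored


@dataclass(frozen=True)
class DevRule:
    kind: str             # "c" (char) or "b" (block)
    major: int
    minor: Optional[int]  # None: every minor of that major (group rules)
    access: frozenset     # subset of {"r", "w", "m"}


def parse_proc_devices(text):
    """Map (kind, name) -> major from /proc/devices-style text."""
    groups, kind = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Character"):
            kind = "c"
        elif line.startswith("Block"):
            kind = "b"
        elif line and kind:
            major, name = line.split(None, 1)
            groups[(kind, name)] = int(major)
    return groups


def resolve(spec, devnodes, groups):
    """Turn a DeviceAllow= device spec into (kind, major, minor-or-None)."""
    if spec.startswith("/dev/"):
        return devnodes[spec]  # KeyError: the node does not exist on the host
    m = re.fullmatch(r"(char|block)-(.+)", spec)
    if not m:
        raise ValueError(f"unsupported device spec: {spec}")  # globs are not modelled
    kind = "c" if m.group(1) == "char" else "b"
    return kind, groups[(kind, m.group(2))], None


def parse_unit(text, devnodes=DEV_NODES, proc_devices=PROC_DEVICES):
    """Return (policy, rules). Commented-out lines contribute nothing."""
    groups, policy, rules = parse_proc_devices(proc_devices), "auto", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "DevicePolicy":
            policy = value
        elif key == "DeviceAllow":
            if not value:          # an empty assignment resets the list
                rules.clear()
                continue
            spec, *rest = value.split()
            access = frozenset(rest[0]) if rest else frozenset("rwm")
            kind, major, minor = resolve(spec, devnodes, groups)
            rules.append(DevRule(kind, major, minor, access))
    # "closed", and "auto" once any DeviceAllow= is present, add the basic pseudo devices.
    if policy == "closed" or (policy == "auto" and rules):
        for path in IMPLICIT_CLOSED:
            kind, major, minor = resolve(path, devnodes, groups)
            rules.append(DevRule(kind, major, minor, frozenset("rwm")))
    return policy, rules


def allowed(policy, rules, kind, major, minor, op):
    """Would the device filter permit op ('r', 'w' or 'm') on kind major:minor?"""
    if policy == "auto" and not rules:
        return True  # no device filter installed at all
    return any(r.kind == kind and r.major == major and r.minor in (None, minor)
               and op in r.access for r in rules)


def check(unit_text, path, op, devnodes=DEV_NODES):
    """Evaluate access to a named node under a unit's device policy."""
    policy, rules = parse_unit(unit_text, devnodes)
    kind, major, minor = devnodes[path]
    return allowed(policy, rules, kind, major, minor, op)


if __name__ == "__main__":
    for label, unit in (("as posted", UNIT_AS_POSTED), ("stock unit", UNIT_STOCK)):
        print(f"{label}: mknod /dev/net/tun expected allowed =",
              check(unit, "/dev/net/tun", "m"))
```

To audit a real host, replace DEV_NODES with values taken from os.stat() on the nodes in question and PROC_DEVICES with the contents of /proc/devices; the evaluation logic stays the same.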


Re: [systemd-devel] --luks-offline-discard option has no effect on systemd-homed

2021-07-28 Thread Gibeom Gwon

On 7/29/21 4:48 AM, Lennart Poettering wrote:
> On Sa, 17.07.21 23:55, Gibeom Gwon (gb.g...@stackframe.dev) wrote:
>
>> Hello,
>>
>> I'm trying to create a systemd-homed based user, but there is a problem with
>> the --luks-offline-discard option. According to homectl(1), if this option is
>> true, the home directory loopback file is minified on logout. But in my case
>> it isn't at all. Here is my executed command and output.
>
> I thought I had fixed that issue. Which systemd version is this?
>
> Lennart
>
> --
> Lennart Poettering, Berlin

I tested again with the current systemd-stable repo and it worked like a charm.
Was the fix backported after the 249 release?

Thanks,
Gibeom Gwon
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


[systemd-devel] --luks-offline-discard option has no effect on systemd-homed

2021-07-17 Thread Gibeom Gwon

Hello,

I'm trying to create a systemd-homed based user, but there is a problem with
the --luks-offline-discard option. According to homectl(1), if this option is
true, the home directory loopback file is minified on logout. But in my case
it isn't at all. Here is my executed command and output.

# df -h
Filesystem    Size  Used Avail Use% Mounted on
devtmpfs  3.9G 0  3.9G   0% /dev
tmpfs 3.9G  1.1M  3.9G   1% /dev/shm
tmpfs 1.6G  9.5M  1.6G   1% /run
/dev/mapper/root  234G  118G  105G  53% /
tmpfs 3.9G  220K  3.9G   1% /tmp
/dev/sda1 191M   62M  130M  33% /boot
tmpfs 787M   60K  787M   1% /run/user/60448
# homectl create test --storage=luks --luks-offline-discard=yes
 Please enter new password for user test: 
 Please enter new password for user test (repeat): 
# homectl inspect test
   User name: test
   State: inactive
 Disposition: regular
 Last Change: Sat 2021-07-17 23:18:05 KST
    Login OK: yes
 Password OK: yes
 UID: 60444
 GID: 60444 (test)
   Directory: /home/test
 Storage: luks (strong encryption)
  Image Path: /home/test.home
   Removable: no
   Shell: /bin/bash
LUKS Discard: online=no offline=yes
   LUKS UUID: dd4ffd2f0e334280945af86f6d64906d
   Part UUID: 64c13ffc40b74a8594bb10f6523d0548
 FS UUID: 2d39d33d882e450dbab52c516b8bcbb5
 File System: btrfs
 LUKS Cipher: aes
 Cipher Mode: xts-plain64
  Volume Key: 256bit
 Mount Flags: nosuid nodev exec
   Disk Size: 88.5G
  Disk Floor: 256.0M
Disk Ceiling: 104.2G
 Auth. Limit: 30 attempts per 1min
   Passwords: 1
  Local Sig.: yes
 Service: io.systemd.Home
# df -h
Filesystem    Size  Used Avail Use% Mounted on
devtmpfs  3.9G 0  3.9G   0% /dev
tmpfs 3.9G  1.1M  3.9G   1% /dev/shm
tmpfs 1.6G  9.5M  1.6G   1% /run
/dev/mapper/root  234G  206G   16G  93% /
tmpfs 3.9G  220K  3.9G   1% /tmp
/dev/sda1 191M   62M  130M  33% /boot
tmpfs 787M   60K  787M   1% /run/user/60448
# homectl activate test
 Please enter password for user test: 
# df -h
Filesystem Size  Used Avail Use% Mounted on
devtmpfs   3.9G 0  3.9G   0% /dev
tmpfs  3.9G  1.1M  3.9G   1% /dev/shm
tmpfs  1.6G  9.5M  1.6G   1% /run
/dev/mapper/root   234G  206G   16G  93% /
tmpfs  3.9G  220K  3.9G   1% /tmp
/dev/sda1  191M   62M  130M  33% /boot
tmpfs  787M   60K  787M   1% /run/user/60448
/dev/mapper/home-test   89G  3.4M   89G   1% /home/test
# homectl deactivate test
# df -h
Filesystem    Size  Used Avail Use% Mounted on
devtmpfs  3.9G 0  3.9G   0% /dev
tmpfs 3.9G  1.1M  3.9G   1% /dev/shm
tmpfs 1.6G  9.5M  1.6G   1% /run
/dev/mapper/root  234G  206G   16G  93% /
tmpfs 3.9G  220K  3.9G   1% /tmp
/dev/sda1 191M   62M  130M  33% /boot
tmpfs 787M   60K  787M   1% /run/user/60448

As you can see, the home directory doesn't shrink even when it is deactivated
after being activated. The systemd-homed debug log says, "File system does
not support FITRIM, not trimming.".

Note that my system's root directory is encrypted with LUKS2 and LVM
is not used. I'm not sure whether this is a bug in systemd or a limitation of
the kernel.

Is there any way to solve this?

Thanks,
Gibeom Gwon
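The "File system does not support FITRIM, not trimming." message corresponds to the FITRIM ioctl failing on the home's file system. As an added example, not systemd-homed's code, the following Linux-only Python script issues FITRIM on the file system holding a given path and classifies the outcome, so a mount (for instance the activated /dev/mapper/home-test at /home/test) can be checked directly for whether it accepts the call. The ioctl number is derived from the kernel's _IOWR('X', 121, struct fstrim_range) definition; the 1 MiB default range is an assumption made to keep a successful probe cheap, whereas a real trim covers the whole file system.

```python
"""Added example (not systemd-homed's code): probe whether a mounted file system
accepts the FITRIM ioctl, the call behind the "does not support FITRIM" message.
Linux only; a successful probe needs CAP_SYS_ADMIN."""
import errno
import fcntl
import os
import struct

# FITRIM = _IOWR('X', 121, struct fstrim_range); the struct is three u64s:
# start, len, minlen. The kernel writes the trimmed length back into len.
_IOC_WRITE, _IOC_READ = 1, 2


def _ioc(direction, type_char, nr, size):
    """Encode a Linux ioctl request number the way the _IOC() macro does."""
    return (direction << 30) | (size << 16) | (ord(type_char) << 8) | nr


FSTRIM_RANGE = struct.Struct("=QQQ")
FITRIM = _ioc(_IOC_READ | _IOC_WRITE, "X", 121, FSTRIM_RANGE.size)


def probe_fitrim(path, start=0, length=1 << 20, minlen=0):
    """Issue FITRIM over [start, start+length) of the file system holding `path`.

    Returns {"status": ...} plus either "bytes" (trimmed length the kernel reported)
    or "errno". The assumed 1 MiB default range keeps a successful probe cheap.
    """
    buf = bytearray(FSTRIM_RANGE.pack(start, length, minlen))
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.ioctl(fd, FITRIM, buf, True)
    except OSError as e:
        status = {
            errno.EOPNOTSUPP: "unsupported",      # the case homed's log line reports
            errno.ENOTTY: "unsupported",          # fs has no ioctl handler at all
            errno.EPERM: "needs-cap-sys-admin",
            errno.EROFS: "read-only",
        }.get(e.errno, f"error-{errno.errorcode.get(e.errno, e.errno)}")
        return {"status": status, "errno": e.errno}
    finally:
        os.close(fd)
    _, trimmed, _ = FSTRIM_RANGE.unpack(buf)
    return {"status": "trimmed", "bytes": trimmed}


if __name__ == "__main__":
    import sys
    print(probe_fitrim(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it as root against the activated home (probe_fitrim("/home/test")) and against the host root to see which of the two rejects the call; "unsupported" is the result that produces the log line quoted above.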