[systemd-devel] Does systemd-nspawn support running systemd in a user namespace

2017-01-04 Thread Daniel J Walsh
We are seeing issues attempting to do this with docker/runc. Basic problem is /sys/fs/cgroup/systemd is owned by real root. Is there something we need to change in runc, to make this directory owned by UserNamespace-Root?

Re: [systemd-devel] Issues with docker systemd cgroups integration

2016-03-14 Thread Daniel J Walsh
Expanding this out to systemd-devel mailing list. On 03/14/2016 01:04 PM, Mrunal Patel wrote: Hi, Lukas, We are using systemd cgroups support in docker for Fedora/RHEL and seeing some issues. Here is the flow of the code in docker/runc/libcontainer: 1. We create a Transient Unit setting some

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-11 Thread Daniel J Walsh
On 02/10/2016 05:21 PM, Lennart Poettering wrote: > On Wed, 10.02.16 16:43, Daniel J Walsh (dwa...@redhat.com) wrote: > >>>>> I don't see why one would want to mask systemd-logind.service. If you >>>>> permit logins and PAM at all, you really need that.

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-10 Thread Daniel J Walsh
On 02/10/2016 04:27 PM, Lennart Poettering wrote: > On Wed, 10.02.16 15:58, Daniel J Walsh (dwa...@redhat.com) wrote: >>>>>> sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* >>>>> Why would this matter? >>>> We don'

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-10 Thread Daniel J Walsh
On 02/10/2016 01:41 PM, Lennart Poettering wrote: > On Wed, 10.02.16 10:22, Ranjib Dey (dey.ran...@gmail.com) wrote: > >> Docker(ls -alh) >> >> crw--- 1 root root 136, 9 Feb 10 18:20 console >> lrwxrwxrwx 1 root root 13 Feb 10 18:20 fd -> /proc/self/fd >> crw-rw-rw- 1 root root 1

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-10 Thread Daniel J Walsh
On 02/10/2016 01:14 PM, Lennart Poettering wrote: > On Wed, 10.02.16 11:36, Daniel J Walsh (dwa...@redhat.com) wrote: > >>>> systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service >>>> systemd-udev-settle.service systemd-udev-trigger.service >

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-10 Thread Daniel J Walsh
On 02/10/2016 11:16 AM, Lennart Poettering wrote: > On Wed, 10.02.16 10:56, Daniel J Walsh (dwa...@redhat.com) wrote: > >> On Fedora I see a few services starting up and failing when I run >> systemd, I have been able to disable these >> by executing. >> >>

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-10 Thread Daniel J Walsh
On 02/10/2016 11:16 AM, Lennart Poettering wrote: > On Wed, 10.02.16 10:56, Daniel J Walsh (dwa...@redhat.com) wrote: > >> On Fedora I see a few services starting up and failing when I run >> systemd, I have been able to disable these >> by executing. >> >>

[systemd-devel] I want to run systemd inside of a locked down base docker container

2016-02-10 Thread Daniel J Walsh
On Fedora I see a few services starting up and failing when I run systemd, I have been able to disable these by executing. RUN systemctl disable sysinit.target remote-fs.target systemd-remount-fs;\ systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service systemd-udev-settle.service

Re: [systemd-devel] Trying to get journalctl -M UUID to work with docker containers

2016-02-08 Thread Daniel J Walsh
On 02/08/2016 08:18 AM, Mantas Mikulėnas wrote: > On Mon, Feb 8, 2016 at 3:09 PM, Daniel J Walsh (dwa...@redhat.com) wrote: > > I have patches into docker to allow it to register with machinectl and > run systemd inside of the container without --privileges.

[systemd-devel] Trying to get journalctl -M UUID to work with docker containers

2016-02-08 Thread Daniel J Walsh
I have patches into docker to allow it to register with machinectl and run systemd inside of the container without --privileges. I also set it up so that the /var/log/journald/UUID on the host is mounted inside of the container, so that journald inside of the container writes to this location on t

Re: [systemd-devel] Does systemd launch gdb on an application that crashes now?

2016-01-07 Thread Daniel J Walsh
On 01/07/2016 09:49 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Jan 07, 2016 at 09:26:15AM -0500, Daniel J Walsh wrote: >> I am seeing gdb run in the SELinux type of a few different crashed >> domains. I am trying to figure out how this is happening, so we can >>

[systemd-devel] Does systemd launch gdb on an application that crashes now?

2016-01-07 Thread Daniel J Walsh
I am seeing gdb run in the SELinux type of a few different crashed domains. I am trying to figure out how this is happening, so we can figure out a secure solution. I know that kde has some kind of hack to handle this, and abrt does it but it does it under the abrt_t process not in the same conte

Re: [systemd-devel] SElinux in container

2015-08-24 Thread Daniel J Walsh
On 08/24/2015 07:49 AM, arnaud gaboury wrote: > On Mon, Aug 24, 2015 at 1:30 PM, Daniel J Walsh wrote: >> >> On 08/23/2015 08:10 AM, arnaud gaboury wrote: >>> Here is my setup: >>> >>> Host: Archlinux systemd 224-1 >>> Container: Fedora 22 sy

Re: [systemd-devel] SElinux in container

2015-08-24 Thread Daniel J Walsh
On 08/23/2015 08:10 AM, arnaud gaboury wrote: > Here is my setup: > > Host: Archlinux systemd 224-1 > Container: Fedora 22 systemd 219 > > The container is a server and has vocation to be one day deployed on a > dedicated server for production. In this way, I would like to set > SElinux (default

[systemd-devel] I am adding RegisterMachine to docker.

2015-05-28 Thread Daniel J Walsh
When container stops machinectl still shows it registered? Do I need to Unregister the machine? I thought systemd would notice the pid died and remove the machine.

Re: [systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22

2015-05-28 Thread Daniel J Walsh
On 05/26/2015 09:46 AM, Lennart Poettering wrote: > On Sun, 24.05.15 15:01, Anthony Alba (ascanio.al...@gmail.com) wrote: > >> Hi, >> >> On Fedora 22, systemd 219, NFS mounts no longer acquire a default label >> nfs_t. >> >> mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_

Re: [systemd-devel] Docker vs PrivateTmp

2015-01-23 Thread Daniel J Walsh
Yes I was trying to get a comment from Alex, since he did the original patch. On 01/23/2015 12:26 PM, Lennart Poettering wrote: > On Fri, 23.01.15 11:31, Daniel J Walsh (dwa...@redhat.com) wrote: > > You just sent a full quote without any comment of yours? > >> On 01/22/2015

Re: [systemd-devel] Docker vs PrivateTmp

2015-01-23 Thread Daniel J Walsh
On 01/22/2015 10:02 PM, Lennart Poettering wrote: > On Sat, 17.01.15 23:02, Lars Kellogg-Stedman (l...@redhat.com) wrote: > >> See the `devicemapper` mountpoint created by Docker for the container: >> >> # grep devicemapper/mnt /proc/mounts >> >> /dev/mapper/docker-253:6-98310-e68df3f45d6

Re: [systemd-devel] Docker vs PrivateTmp

2015-01-19 Thread Daniel J Walsh
On 01/19/2015 12:27 AM, Lars Kellogg-Stedman wrote: > On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote: >> I think we actually want MountFlags=slave, which will permit mounts >> from the global namespace to propagate into the service namespace >> without permitting propagation

[systemd-devel] I am trying to hook up docker and systemd.

2014-12-22 Thread Daniel J Walsh
I have a working version of docker which runs systemd/journald within the container and sets up the /var/log/journal/UUID inside the container to match the version outside. I also have registered the container with machinectl. Everything seems to work fine except that when I execute journalctl -

Re: [systemd-devel] systemd-nspawn@.service is unusable

2014-12-08 Thread Daniel J Walsh
On 12/05/2014 08:49 AM, Peter Lemenkov wrote: > 2014-12-05 16:25 GMT+03:00 Lennart Poettering : >> On Fri, 05.12.14 16:58, Peter Lemenkov (lemen...@gmail.com) wrote: >> >>> Ok, now I've got something. Here is a diff between good (1st, >>> commandline) and bad (2nd, systemd service) sessions: >>>

Re: [systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

2014-11-11 Thread Daniel J Walsh
It would be fairly easy to set up pam_namespace for the guest user to provide a temporary /tmp and ~/. Now, just like we do for xguest. Then you could set up the login account to use no password and the guest_u user and allow users onto the system. This would get you most of the things you want.

Re: [systemd-devel] Expected behavior when systemd cannot load SELinux policy

2014-11-07 Thread Daniel J Walsh
On 11/07/2014 11:09 AM, Lennart Poettering wrote: > On Fri, 07.11.14 11:30, Jan Synáček (jsyna...@redhat.com) wrote: > >> Hello, >> >> currently, when SELINUX=enforcing and SELINUXTYPE= are >> set in /etc/selinux/config, systemd refuses to boot with >> "Failed to load SELinux policy. Freezing." >>

Re: [systemd-devel] [PATCH 2/4] mount-setup: introduce mount_setup_run_dirs()

2014-10-08 Thread Daniel J Walsh
On 10/08/2014 07:40 AM, Lennart Poettering wrote: > On Tue, 07.10.14 14:14, Michal Sekletar (msekl...@redhat.com) wrote: > >>> Hence, if a container manager mounts everything properly, then mount_setup() >>> should be a NOP anyway... >> In theory yes, but in fact not having /run mounted as tmpfs

Re: [systemd-devel] User sessions: limit the ability to migrate cgroups

2014-08-15 Thread Daniel J Walsh
On 08/13/2014 12:11 PM, Alban Crequy wrote: > On Wed, 13 Aug 2014 16:37:17 +0200 > Lennart Poettering wrote: > >> On Thu, 07.08.14 15:19, Alban Crequy (alban.cre...@collabora.co.uk) >> wrote: >> >>> Hi, >>> >>> Should unprivileged processes be allowed to change cgroup? >> Well, they shouldn't d

Re: [systemd-devel] Blog on running systemd within a docker container.

2014-05-02 Thread Daniel J Walsh
On 05/02/2014 11:54 AM, Lennart Poettering wrote: > On Wed, 30.04.14 14:21, Daniel J Walsh (dwa...@redhat.com) wrote: > >> http://rhatdan.wordpress.com/2014/04/30/running-systemd-within-a-docker-container/ > There are a couple of things in the story that I'd like to correc

Re: [systemd-devel] Blog on running systemd within a docker container.

2014-05-01 Thread Daniel J Walsh
On 05/01/2014 09:28 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Apr 30, 2014 at 02:21:44PM -0400, Daniel J Walsh wrote: >> http://rhatdan.wordpress.com/2014/04/30/running-systemd-within-a-docker-container/ > Interesting. > > The part where you remove all the links in .wants

[systemd-devel] Blog on running systemd within a docker container.

2014-04-30 Thread Daniel J Walsh
http://rhatdan.wordpress.com/2014/04/30/running-systemd-within-a-docker-container/

Re: [systemd-devel] pcre in daemons

2014-02-26 Thread Daniel J Walsh
On 02/26/2014 03:05 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Feb 26, 2014 at 08:54:34PM +0100, Thomas H.P. Andersen wrote: >> The todo says: "something pulls in pcre as shared object dependency into >> our daemons such as hostnamed" >> >> Norm

Re: [systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

2014-02-20 Thread Daniel J Walsh
On 02/20/2014 02:27 PM, Eric Paris wrote: > I like it, if it's reasonable/possible > > On Thu, Feb 20, 2014 at 2:26 PM, Lennart Poettering > wrote: >> On Thu, 20.02.14 13:50, Eric Paris (epa...@parisplace.org) wrote: >> >>> Not really. If it doesn

Re: [systemd-devel] [PATCH 1/3] Add SELinuxContext configuration item

2014-02-11 Thread Daniel J Walsh
On 02/07/2014 08:22 AM, Michael Scherer wrote: > On Thursday, 06 February 2014 at 12:21 -0800, David Timothy Strauss wrote: >> In order to maximize consistency with newly committed options in >> systemd-nspawn, would it make sense to allow independent co

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

2014-01-31 Thread Daniel J Walsh
On 01/31/2014 09:51 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Fri, Jan 31, 2014 at 08:27:29AM -0500, Daniel J Walsh wrote: >> >> On 01/30/2014 07:09 PM, Zbigniew Jędrzejewski-Sz

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

2014-01-31 Thread Daniel J Walsh
On 01/31/2014 11:20 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Fri, Jan 31, 2014 at 10:51:22AM -0500, Daniel J Walsh wrote: >>>> Currently docker uses lxc tools under the covers to launch the >>>> container, we want to

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

2014-01-31 Thread Daniel J Walsh
On 01/31/2014 10:45 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Fri, Jan 31, 2014 at 10:00:12AM -0500, Daniel J Walsh wrote: >> My plan is not to have the user know they are running systemd-nspawn >> >> Imagine the user is creat

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

2014-01-31 Thread Daniel J Walsh
On 01/30/2014 07:09 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Jan 30, 2014 at 04:29:14PM -0500, Dan Walsh wrote: >> If I want to run a container as a service, it would be nice if it used >> the service cgroup configuration > Your patch will brea

Re: [systemd-devel] [PATCH] Add SELinuxContext configuration item

2014-01-06 Thread Daniel J Walsh
On 01/03/2014 12:35 PM, Michael Scherer wrote: > On Friday, 03 January 2014 at 11:48 -0500, Daniel J Walsh wrote: >> On 01/03/2014 09:16 AM, Michael Scherer wrote: > >> Well thinking about this again, I think still to the s

Re: [systemd-devel] [PATCH] Add SELinuxContext configuration item

2014-01-03 Thread Daniel J Walsh
On 01/03/2014 09:16 AM, Michael Scherer wrote: > On Friday, 03 January 2014 at 12:23 +, "Jóhann B. Guðmundsson" wrote > : >> On 01/03/2014 10:56 AM, Michael Scherer wrote: >>> On Friday, 03 January 2014 at 00:58 +, "Jóhann B. Guðmundsson" a

Re: [systemd-devel] [PATCH] Add SELinuxContext configuration item

2014-01-02 Thread Daniel J Walsh
On 12/28/2013 11:47 AM, Michael Scherer wrote: > On Saturday, 28 December 2013 at 14:30 +0100, Lennart Poettering wrote: >> On Fri, 27.12.13 23:26, m...@zarb.org (m...@zarb.org) wrote: >> >>> From: Michael Scherer >>> >>> This permits to let system ad

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

2013-11-19 Thread Daniel J Walsh
On 11/18/2013 05:45 PM, Michal Sekletar wrote: > On Mon, Nov 18, 2013 at 04:19:20PM -0500, Daniel J Walsh wrote: On > 11/16/2013 08:10 AM, Lennart Poettering wrote: >>>> On Thu, 14.11.13 15:43, Daniel J Walsh (dwa...

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

2013-11-18 Thread Daniel J Walsh
On 11/16/2013 08:10 AM, Lennart Poettering wrote: > On Thu, 14.11.13 15:43, Daniel J Walsh (dwa...@redhat.com) wrote: > >> >> On 11/14/2013 12:50 PM, Harald Hoyer wro

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

2013-11-14 Thread Daniel J Walsh
On 11/14/2013 12:50 PM, Harald Hoyer wrote: > On 11/05/2013 11:12 PM, Daniel J Walsh wrote: >> On 11/05/2013 12:22 PM, Lennart Poettering wrote: > >> Ok let's add a check that checks for start on a service labeled with the

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

2013-11-05 Thread Daniel J Walsh
On 11/05/2013 12:22 PM, Lennart Poettering wrote: Ok let's add a check that checks for start on a service labeled with the remote process label, then we can add rules like allow systemd_logind_t self:service start Or we can make it simpler and have t

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

2013-11-04 Thread Daniel J Walsh
On 11/04/2013 02:05 PM, Lennart Poettering wrote: > On Mon, 04.11.13 17:06, Lennart Poettering (lenn...@poettering.net) wrote: > >> On Thu, 31.10.13 15:51, Vaclav Pavlin (vpav...@redhat.com) wrote: >> >>> From: Václav Pavlín >> >> Sorry, I don't un

Re: [systemd-devel] [PATCH] systemctl: show hint about --full when lines don't fit

2013-08-05 Thread Daniel J Walsh
On 08/03/2013 07:45 PM, Zbigniew Jędrzejewski-Szmek wrote: > Looks like: > > $ systemctl status avahi-daemon avahi-daemon.service - Avahi mDNS/DNS-SD > Stack Loaded: loaded (/usr/lib/systemd/system/avahi-daemon.service; > enabled) Active: active (runn

Re: [systemd-devel] FYI setroubleshoot has better integration with journald in F20

2013-08-02 Thread Daniel J Walsh
On 08/02/2013 11:49 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Fri, Aug 02, 2013 at 04:36:15PM +0200, Tomasz Torcz wrote: >> On Fri, Aug 02, 2013 at 10:14:50AM -0400, Daniel J Walsh wrote: >>> http://danwalsh.livejournal.com/657

[systemd-devel] FYI setroubleshoot has better integration with journald in F20

2013-08-02 Thread Daniel J Walsh
http://danwalsh.livejournal.com/65777.html I think we need a systemctl status -verbose httpd

[systemd-devel] We are working on trying to scale up to > 1000 containers.

2013-06-18 Thread Daniel J Walsh
One concern we have is what will happen to systemd if we start 1000 services at boot. systemctl start httpd_sandbox.target For example. Is there anything we can do to throttle the start of so many unit files. Or would systemd do something itself.

Re: [systemd-devel] [PATCH] udev hwdb: Store binary database in libdir, not in /etc

2013-06-17 Thread Daniel J Walsh
On 06/17/2013 04:50 PM, Lennart Poettering wrote: > On Mon, 17.06.13 22:12, Tom Gundersen (t...@jklm.no) wrote: > >>> The only case, where this scheme would fail, is if you backup and >>> restore a system to a different partitioning scheme. >> >> I

Re: [systemd-devel] Any movement on adding a pid indicator for setroubleshoot to add to the journal entry.

2013-05-07 Thread Daniel J Walsh
On 05/07/2013 08:22 AM, Kay Sievers wrote: > On Tue, May 7, 2013 at 2:04 PM, Daniel J Walsh wrote: > >> Really would like to be able to track an alert back to the causing pid. > > You mean the: * introduce generic AUGMENT_PI

[systemd-devel] Any movement on adding a pid indicator for setroubleshoot to add to the journal entry.

2013-05-07 Thread Daniel J Walsh
Really would like to be able to track an alert back to the causing pid.

Re: [systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.

2013-03-11 Thread Daniel J Walsh
On 03/06/2013 09:08 AM, Lennart Poettering wrote: > On Thu, 14.02.13 07:16, Daniel J Walsh (dwa...@redhat.com) wrote: > >> >> Welcome to Fedora 19 (Rawhide)!

[systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.

2013-02-14 Thread Daniel J Walsh
Welcome to Fedora 19 (Rawhide)! Set hostname to . /dev/mapper/control: mknod failed: Operation not permitted Failure to communicate with kernel device-mapper driver. Check that device-mapper is available in the kernel. [ OK ] Listening on Dela

Re: [systemd-devel] Simple question.

2013-01-30 Thread Daniel J Walsh
On 01/26/2013 08:07 PM, David Strauss wrote: > On Fri, Jan 25, 2013 at 12:42 PM, Mantas Mikulėnas > wrote: >> That some users may want to take advantage of modern Linux features and >> run httpd without *ever* giving it full root privileges – which it

[systemd-devel] Simple question.

2013-01-25 Thread Daniel J Walsh
How would I write a unit file to run an apache service as the user dwalsh (3267)

Re: [systemd-devel] [PATCH] selinux-access: Delete debugging message logged as an error

2013-01-25 Thread Daniel J Walsh
On 01/24/2013 10:47 PM, Lennart Poettering wrote: > On Thu, 24.01.13 17:47, Colin Walters (walt...@verbum.org) wrote: > >> I don't see why this should be logged at all, so let's delete it. > > Applied. I also removed a couple of other messages that a

Re: [systemd-devel] setroubleshoot integration.

2013-01-09 Thread Daniel J Walsh
On 01/09/2013 04:52 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Jan 09, 2013 at 02:58:12PM -0500, Daniel J Walsh wrote: >> >> On 01/09/2013 02:49 PM, Lennart Poettering wrote:

Re: [systemd-devel] setroubleshoot integration.

2013-01-09 Thread Daniel J Walsh
On 01/09/2013 02:49 PM, Lennart Poettering wrote: > On Wed, 09.01.13 17:44, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) > wrote: > >>> systemctl httpd status SELinux is blocking httpd read access on >>> /var/www/index.html setroubleshoot ...

Re: [systemd-devel] setroubleshoot integration.

2013-01-09 Thread Daniel J Walsh
On 01/09/2013 01:42 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Jan 09, 2013 at 12:31:05PM -0500, Daniel J Walsh wrote: >> >> On 01/09/2013 11:55 AM, Zbigniew Jędrzejewski-Sz

Re: [systemd-devel] setroubleshoot integration.

2013-01-09 Thread Daniel J Walsh
On 01/09/2013 11:55 AM, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Jan 09, 2013 at 05:44:02PM +0100, Zbigniew Jędrzejewski-Szmek > wrote: >> On Wed, Jan 09, 2013 at 11:00:36AM -0500, Daniel J Walsh wrote: >>>

[systemd-devel] setroubleshoot integration.

2013-01-09 Thread Daniel J Walsh
One of my goals with setroubleshoot analysis is to get it integrated into the journald system. In Fedora I am adding systemd.journal.send(siginfo.format_text()) Which will put the setroubleshoot info into the journal, but what I really need is to ad

Re: [systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

2012-11-20 Thread Daniel J Walsh
On 11/20/2012 09:53 AM, Daniel P. Berrange wrote: > On Tue, Nov 20, 2012 at 09:50:39AM -0500, Daniel J Walsh wrote: >> >> On 11/20/2012 09:36 AM, Daniel P. Berrange wrote:

Re: [systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

2012-11-20 Thread Daniel J Walsh
On 11/20/2012 09:36 AM, Daniel P. Berrange wrote: > On Tue, Nov 20, 2012 at 08:52:51AM -0500, Daniel J Walsh wrote: >> >> On 11/19/2012 07:41 PM, Lennart Poettering wrote:

Re: [systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

2012-11-20 Thread Daniel J Walsh
On 11/19/2012 07:41 PM, Lennart Poettering wrote: > On Fri, 16.11.12 15:06, Daniel J Walsh (dwa...@redhat.com) wrote: > >> Isn't there a way to shut off systemV init scripts altogether, it just >> so happens that we hit one on

Re: [systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

2012-11-16 Thread Daniel J Walsh
On 11/16/2012 02:56 PM, Lennart Poettering wrote: > On Fri, 16.11.12 09:23, Daniel J Walsh (dwa...@redhat.com) wrote: > >> The only problem I see is that now sysV init scripts are firing off >> within the container. (iSCSI daemon).

[systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

2012-11-16 Thread Daniel J Walsh
The only problem I see is that now sysV init scripts are firing off within the container. (iSCSI daemon). What can I do to stop this within the container?

[systemd-devel] I added the uuid to match a container to /var/log/journal

2012-11-16 Thread Daniel J Walsh
ls -l /var/log/journal/ total 12 drwxr-xr-x. 2 root root 12288 Nov 16 08:47 1b16d5a8cec649e7ba7d9f9f6ef8f393 lrwxrwxrwx. 1 root root52 Nov 13 15:24 1f9684eeed2d43d3bfee702a89f849d6 -> /var/lib/libvirt/filesystems/apache1/var/log/journal lrwxrwxrwx

Re: [systemd-devel] Journal API demo application: "tallow" - a fail2ban replacement

2012-11-08 Thread Daniel J Walsh
On 11/08/2012 01:18 PM, Douglas, William wrote: > On Thu, Nov 8, 2012 at 8:54 AM, Kay Sievers wrote: >> On Thu, Nov 8, 2012 at 8:31 AM, William Douglas >> wrote: >>> "Kok, Auke-jan H" writes: I wrote a demo application that uses the jour

[systemd-devel] selabel_lookup_raw can return ENOENT and be a non failure mode.

2012-10-11 Thread Daniel J Walsh

[systemd-devel] SELinux patch still broken, in that we are not checking the correct source context.

2012-10-11 Thread Daniel J Walsh
This patch does the dbus calls correctly.

Re: [systemd-devel] Latest SELinux patch off of 760c85c0bdf02d68589971b869f61038e7893d75

2012-09-28 Thread Daniel J Walsh
Another attempt with potential buffer overflow bug fixed.

[systemd-devel] Latest SELinux patch off of 760c85c0bdf02d68589971b869f61038e7893d75

2012-09-28 Thread Daniel J Walsh

[systemd-devel] New SELinux Patch to fix gettys not starting and poweroff/reboot commands from userspace working.

2012-09-24 Thread Daniel J Walsh
Lots of new debugging/Error messages, to figure out what was failing. Fix audit messages to not add cmdline of path if it does not exist. Fix handling of initialization of selinux libraries. Use log_error instead of log_full(LOG_ERROR If bus_get_sel

[systemd-devel] No TTY and inability to shutdown/reboot from user session

2012-09-21 Thread Daniel J Walsh
Seems to be SELinux patch is causing systemd-logind not to be able to send dbus message to systemd. In the logs I see this message Sep 21 16:57:39 celtics systemd-logind[874]: System is powering down. Sep 21 16:57:39 celtics systemd-logind[874]: Fail

[systemd-devel] Latest SELinux Access Patch.

2012-09-06 Thread Daniel J Walsh
This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkMana

Re: [systemd-devel] Not sure if I am doing something wrong or if this is a bug.

2012-08-06 Thread Daniel J Walsh
On 08/03/2012 03:45 PM, Lennart Poettering wrote: > On Mon, 30.07.12 17:13, Daniel J Walsh (dwa...@redhat.com) wrote: > >> >> In containers we are blocking systemd from creati

Re: [systemd-devel] Not sure if I am doing something wrong or if this is a bug.

2012-08-01 Thread Daniel J Walsh
On 07/30/2012 10:08 PM, Mathieu Bridon wrote: > On Mon, 2012-07-30 at 21:49 +, "Jóhann B. Guðmundsson" wrote: >> On 07/30/2012 09:13 PM, Daniel J Walsh wrote: >>> Is this failing to see the /etc/systemd/system/httpd.

[systemd-devel] Not sure if I am doing something wrong or if this is a bug.

2012-07-30 Thread Daniel J Walsh
In containers we are blocking systemd from creating containers. If I try to run httpd within a container it asks for PrivateTmp and SELinux stops systemd from setting up the PrivateTmp. In order to get around this, I decided to try to create a unit f

[systemd-devel] Looking for comments on this patch.

2012-07-24 Thread Daniel J Walsh
The goal of this patch is to add the ability for systemd to verify that SELinux policy allows the calling process to do the specified action. Start/Stop/Service This is expanded upon in this Feature Page Article. https://fedoraproject.org/wiki/Featur

Re: [systemd-devel] Hosting a sprint in SF?

2012-07-10 Thread Daniel J Walsh
On 07/10/2012 02:33 PM, David Strauss wrote: > On Tue, Jul 10, 2012 at 5:47 AM, Daniel J Walsh wrote: >> We have been talking to the openshift guys on the side and have explained >> what we are doing. They are interested and will prob

Re: [systemd-devel] Hosting a sprint in SF?

2012-07-10 Thread Daniel J Walsh
On 07/09/2012 06:24 PM, Lennart Poettering wrote: > On Fri, 29.06.12 09:34, David Strauss (da...@davidstrauss.net) > wrote: > >> >> On Fri, Jun 29, 2012 at 5:58 AM, Lennart Poettering >> wrote: >>> It's going to be an LXC/libvirt/systemd/SELinux ha

Re: [systemd-devel] Fix systemd-udev labeling of /var/run directory.

2012-05-31 Thread Daniel J Walsh
On 05/31/2012 07:51 AM, Kay Sievers wrote: > On Thu, May 31, 2012 at 1:04 PM, Daniel J Walsh wrote: > >> Ok Eric and I will work to get it upstream. I guess for F18 I can move >> the /var/run definition to /run and reverse the eq

Re: [systemd-devel] Fix systemd-udev labeling of /var/run directory.

2012-05-31 Thread Daniel J Walsh
On 05/31/2012 07:01 AM, Lennart Poettering wrote: > On Thu, 31.05.12 06:54, Daniel J Walsh (dwa...@redhat.com) wrote: > > Heya, > >>>> On Wed, 30.05.12 16:13, Daniel J Walsh (dwa...@redhat.com) wrote: >>>>

Re: [systemd-devel] Fix systemd-udev labeling of /var/run directory.

2012-05-31 Thread Daniel J Walsh
On 05/30/2012 08:27 PM, Lennart Poettering wrote: > On Wed, 30.05.12 23:32, Lennart Poettering (lenn...@poettering.net) wrote: > >> >> On Wed, 30.05.12 16:13, Daniel J Walsh (dwa...@redhat.com) wrote: >> >>

[systemd-devel] Fix systemd-udev labeling of /var/run directory.

2012-05-30 Thread Daniel J Walsh
systemd-udev is currently incorrectly labeling /run/udev/* content because it is using selinux prefix labeling of /dev. This patch will allow systemd-udev to use prefix labeling of /dev and /run.

Re: [systemd-devel] [HEADSUP] systemd Optimizations

2012-05-14 Thread Daniel J Walsh
On 05/13/2012 04:44 PM, Lennart Poettering wrote: > Heya, > > I just put together a first version of a wiki text explaining a couple of > ways to improve system boot-up performance even further: > > http://freedesktop.org/wiki/Software/systemd/Optimi

Re: [systemd-devel] [ANNOUNCE] systemd v44

2012-03-19 Thread Daniel J Walsh
On 03/19/2012 10:12 AM, Kay Sievers wrote: > On Mon, Mar 19, 2012 at 15:03, Thierry Reding > wrote: >> * Daniel J Walsh wrote: >>> >>> On 03/19/2012 07:

Re: [systemd-devel] [ANNOUNCE] systemd v44

2012-03-19 Thread Daniel J Walsh
On 03/19/2012 07:59 AM, Thierry Reding wrote: > * Kay Sievers wrote: >> On Sat, Mar 17, 2012 at 15:14, Koen Kooi >> wrote: >>> >>> On 16 Mar 2012, at 02:40, Lennart Poettering wrote the following: >>> Heya, this is prim

Re: [systemd-devel] dracut: ordering of modules

2012-02-14 Thread Daniel J Walsh
> the error below. After switching root, the policy is successfully > loaded by Systemd. > > Thanks > > Roberto Sassu > > Well in F16 dracut is not supposed to load the policy. > On 02/13/2012 06:00 PM, Daniel J Walsh wrote: On 02/13/2012 05:29 > AM, Harald Hoyer wrote:

Re: [systemd-devel] dracut: ordering of modules

2012-02-13 Thread Daniel J Walsh
On 02/13/2012 05:29 AM, Harald Hoyer wrote: > On 13.02.2012 11:17, Roberto Sassu wrote: >> Hi Harald >> >> this functionality seems to be broken in dracut due to a change >> in the SELinux load_policy tool. After enabling the selinux >> module in dr

Re: [systemd-devel] We are working on Secure Container Applications.

2012-01-10 Thread Daniel J Walsh
On 01/09/2012 09:38 PM, Lennart Poettering wrote: > On Mon, 09.01.12 16:42, Daniel J Walsh (dwa...@redhat.com) wrote: > >> The idea is to run multiple instances of the same application >> within a container. For example multi

[systemd-devel] We are working on Secure Container Applications.

2012-01-09 Thread Daniel J Walsh
The idea is to run multiple instances of the same application within a container. For example multiple Apache servers. I am working on a tool to create these containers, which will create a service unit file. # virt-sandbox-service create -e /usr/sb

Re: [systemd-devel] selinux policy updates for logind

2012-01-03 Thread Daniel J Walsh
On 01/03/2012 11:02 AM, Bill Nottingham wrote: > Matthias Clasen (matthias.cla...@gmail.com) said: >> On Wed, Dec 28, 2011 at 9:25 AM, Daniel J Walsh >> wrote: >> >>> Well are you seeing an AVC about local_login_t

Re: [systemd-devel] selinux policy updates for logind

2011-12-28 Thread Daniel J Walsh
On 12/28/2011 09:07 AM, Matthias Clasen wrote: >>> Matthias >> What AVCs are you seeing? > > I'm getting 'access denied' when trying to call e.g. > org.freedesktop.login1.Manager.Reboot from a user process. Which > seems disingenuous, considering tha

Re: [systemd-devel] selinux policy updates for logind

2011-12-28 Thread Daniel J Walsh
On 12/23/2011 09:16 PM, Matthias Clasen wrote: > I've spent some time playing with the ConsoleKit-replacement > functionality in logind, and noticed that I couldn't test the > PolicyKit integration for the poweroff/reboot methods in logind, > since se

[systemd-devel] SELinux needs labels to be assigned at boot time to /sys

2011-12-13 Thread Daniel J Walsh
The only way to do this is by running restorecon over the contents. We would like to add /sys to the list of directories that systemd fixes at boot time, just like /dev https://bugzilla.redhat.com/show_bug.cgi?id=767355

Re: [systemd-devel] New pam module to start a session.

2011-10-14 Thread Daniel J Walsh
On 10/14/2011 04:34 AM, Stef Bon wrote: > Hi, > > I've rewritten an existing pam module pam_script. What it does: > > . runs a script . unshare the mount namespace (if configured, > default yes) > > if the directory to chroot to is specified it does

Re: [systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

2011-07-08 Thread Daniel J Walsh
On 07/08/2011 08:18 AM, Zbigniew Jędrzejewski-Szmek wrote: > On 07/08/2011 01:59 PM, Daniel J Walsh wrote: >> On 07/08/2011 07:45 AM, Lennart Poettering wrote: >>> On Fri, 08.07.11 10:41, Zbigniew Jędrzejewski-Szmek (zbys...@in.

Re: [systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

2011-07-08 Thread Daniel J Walsh
On 07/08/2011 07:45 AM, Lennart Poettering wrote: > On Fri, 08.07.11 10:41, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote: > >> >> On 07/07/2011 11:17 PM, Lennart Poettering wrote: >>> On Thu, 07.07.11 16:52, Daniel

Re: [systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

2011-07-07 Thread Daniel J Walsh
On 07/07/2011 04:45 PM, Lennart Poettering wrote: > On Thu, 07.07.11 22:42, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote: > >> Hi, >> on freshly installed fedora-15 system, I've been trying out the nspawn, and >> running "systemd-nspawn -D de
