On 15/06/2024 4.37 pm, Andrei Borzenkov wrote:
Not really. nftables checks the *socket* cgroup, not the *process* cgroup. The
socket may have been created while the process was in the old cgroup.
I do not know whether the kernel attempts to also move all process sockets to the
new cgroup. I suspect n
On 15/06/2024 2.27 pm, Andrei Borzenkov wrote:
On 15.06.2024 14:02, Mikhail Morfikov wrote:
But there's no curl pids in
/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.procs .
To be more specific, there's no pids at all in this cgroup.procs file. The curl
pids
On 15/06/2024 8.15 am, Andrei Borzenkov wrote:
On 14.06.2024 18:49, Mikhail Morfikov wrote:
On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
On 13/06/2024 10.27 pm, Lennart Poettering wrote:
On Do, 13.06.24 21:38, Mikhail
On 14/06/2024 5.26 pm, Demi Marie Obenour wrote:
On Fri, Jun 14, 2024 at 10:06:34AM +0200, Mikhail Morfikov wrote:
On 13/06/2024 10.27 pm, Lennart Poettering wrote:
On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
I'm trying to make the 4 things (systemd, cgr
On 13/06/2024 10.27 pm, Lennart Poettering wrote:
On Do, 13.06.24 21:38, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
work together, but I think I'm missing something.
Is "cgrulesengd" interfe
I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
work together, but I think I'm missing something.
Basically what I want to achieve is the filtering of OUTPUT packets in nftables
in the case of all user apps. System services work well either with
systemd+cgroupsv2+nft
I'm using AppArmor and it sometimes returns many audit logs. By default there
was something like this in the journal:
... audit[1397]: AVC apparmor= ...
... kernel: audit: type=1400 audit(1523275695.613:76): apparmor= ...
So there are two entries and they carry the same message. So the message is
On Tue, 19 May 2015 18:12:15 +0200
Tom Gundersen wrote:
> On Thu, Apr 9, 2015 at 4:29 PM, Mikhail Morfikov
> wrote:
> > I usually have two network interfaces on my laptops (one eth and one
> > wlan), and when I was using sysvinit I also was configuring the bond
> >
On Mon, 18 May 2015 18:18:57 +0200
Lennart Poettering wrote:
> On Mon, 18.05.15 18:16, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
>
> > Something is wrong. I did the following steps:
> >
> > $ newgrp audio
> >
> > In the log I have the followi
On Mon, 18 May 2015 17:38:33 +0200
Lennart Poettering wrote:
> On Sun, 17.05.15 12:46, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
>
> > As you can read, for instance here
> > (
> > http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/
> >
On Sun, 17 May 2015 15:00:11 +0200
Martin Pitt wrote:
> Mikhail Morfikov [2015-05-17 12:46 +0200]:
> > As you can read, for instance here
> > (
> > http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/
> > ), logind, which is a part of systemd,
On Sun, 17 May 2015 12:55:18 +0200
Reindl Harald wrote:
>
>
> Am 17.05.2015 um 12:46 schrieb Mikhail Morfikov:
> > Is that possible? I'm asking because I often listen to the music
> > and I don't really need my monitor to be on most of the time, so I
> >
As you can read, for instance here
( http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/
), logind, which is a part of systemd, can set permissions to some
devices for user sessions. There's also a vid showing how this kind of
behavior works in practice
( https://www.youtub
This is the log when my system works as usual:
(loginctl session-status)
1 - morfik (1000)
Since: Sun 2015-04-26 23:19:01 CEST; 18h ago
Leader: 1720 (lightdm)
Seat: seat0; vc7
Display: :0
Service: lightdm; type x11; class user
State: o
On Fri, 24 Apr 2015 19:04:53 +0200
Lennart Poettering wrote:
> On Tue, 27.01.15 04:28, Mikhail Morfikov (mmorfi...@gmail.com) wrote:
>
> Sorry for the really late reply, still trying to work through piles of
> mail.
> >
> > > Hmm, not sure I follow.
> > &
On Wed, 22 Apr 2015 00:28:12 +0200
Michał Zegan wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hello.
>
> I have just removed my journal files and restarted journald. I then
> generated sealing keys, saved the verification key. The system worked
> for maybe an hour or less, I had
I usually have two network interfaces on my laptops (one eth and one
wlan), and when I was using sysvinit I also was configuring the bond
interface via the /etc/network/interfaces file so the two interfaces
could work in the active-backup mode. But now, they work in balance-rr
mode which is set via
I think I get it now. I have two interfaces that have different DNS
servers set -- bond0 and br_lxc. All of the LXC containers use my
router's DNS and everything else uses 127.0.2.1 . The config file for
the br_lxc interface looks like this:
[Match]
Name=br_lxc
[Network]
Description=LXC bridge co
In the systemd-resolved manual we can read something like this:
The DNS servers contacted are determined from the global settings in
resolved.conf(5), the per-link static settings in .network files, and
the per-link dynamic settings received over DHCP.
1. Let's say that I have set all the t
This is the full log I got when I tried to mount the device:
Mar 14 20:46:08 morfikownia polkitd(authority=local)[1266]: Registered
Authentication Agent for unix-process:11439:94979 (system bus name :1.41
[/usr/bin/pkttyagent --notify-fd 5 --fallback], object path
/org/freedesktop/PolicyKit1/A
> You can use "options bonding max_bonds=0" to disable the creation of
> bond0.
>
That's exactly what I needed:
# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 1000
Up Del
> Alternatively, if you're attached to the name bond0, you might be able
> to do something like this (not tested with systemd-networkd):
>
> /etc/modprobe.d/rename-bond.conf:
>
> install bonding /usr/sbin/modprobe --ignore-install bonding \
> $CMDLINE_OPTS; /usr/sbin/ip link set dev bond0 down
> The logic here is that when we create a new bond we will create it
> with these settings, but we will not change the settings of a
> preexisting bond, as that may have been created by somebody else we
> don't know about so we figure better leave it alone.
>
> The confusing part here is that the
I've just finished migration from /etc/init.d/networking script to
systemd-networkd solution, and I just wanted to ask a couple of things.
First, I have two interfaces -- one wire (eth1) and one wifi (wlan0),
and I want them to be bonded into one bond0 interface. I had that
solution when I was usi
What is the best way to set cgroup limits for user processes? I mean the
individual processes. I know that you can set limits for user.slice, but
how to set limits for, let's say, firefox?
I tried to make a service file for firefox, it looks like this:
[Unit]
Description=Firefox Web Browser
Docum
I'm playing with the journal to see what useful things it can do, and I
have two questions:
1. Rsyslog has the ability of filtering logs, for instance:
if $syslogtag contains "something" and ($msg contains "something-else" or $msg
contains "something-different") then -/var/log/trash.log
or some
Hello there! I just wanted to ask about the sealing log feature because I can't
make it work. I tried to set it up in the following way:
I stopped the journald service:
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop
systemd-journald-dev-log.socket
root:/var/log/journal/1
> That indicates that the systemd or apache inside the container do not
> correctly make use of the socket passed into them. You need to
> make sure that inside the container you have pretty much the same
> .socket unit running as on the host. The ListStream lines must be
> identical, so that s
> Hmm, to implement something like this I think the best option would be
> to set up the interface to later pass to the container first on the
> host, then listen on the container's IP address on the host. When a
> connection comes in the container would have to be started via socket
> activation,
> Also note that using socket activation for containers means that
> systemd instance inside the container also needs to have configuration
> for the socket, to pass it on to the service that ultimately shall
> answer for it. Are you sure that apache2 has support for that, and
> that you set it up?
I've set up a container via systemd-nspawn tool, and I wanted to use the
private network feature.
The line that launches the container includes --network-bridge= and
--network-veth options.
The whole systemd .service file looks like this:
[Unit]
Description=My little container
[Service]
Type=si
> Hmm, not sure I follow.
>
It only happens if I'm logged in as root in tmux.
> The session is shown as closing, that's good. Can you check what
> "systemctl status" reports on the scope unit if this hang happens?
>
> Lennart
>
I'm not sure if I did the right thing, but there it is.
Afte
> Normally, the SIGTERM should be delivered instantly on logout from
> logind. Unless the PAM session end hook wasn't called or so.
>
> If you log in as root, and then reproduce the 20s wait for another
> user what does "loginctl session-status" and "loginctl user-status"
> say about the session/
> Sorry, but I cannot parse this. Do you want a delay because when
> logging out and back in you want to be able to reuse your old
> gpg-agent? Or what precisely is the current behaviour and what do you
> want it to be instead?
>
> Lennart
>
No, I just want to speed it up. Now I have to wait abou
I'm using standalone Openbox and when I log out by killing Xserver
(ctrl+alt+backspace), some processes stay alive even though the user
logged out completely. I know there's a KillUserProcesses option in
the /etc/systemd/logind.conf file, and it works just fine, but with a
little lag. I mean, those
35 matches