This fixes an issue where journald aborts when running inside an archlinux container via systemd-nspawn on a debian host with an audit-enabled kernel.
The journald binary in the archlinux container would try to bind an audit netlink socket which isn't allowed from within containers. The failed bind call then leads to a abort of journald which in turn disables loggingfor the whole container. This commit fixes this by logging and ignoring the EPERM error raised from the kernel after the bind call if it detects that it's running inside a container.
---
 src/journal/journald-audit.c | 8 +++++++-
 src/journal/journald-server.c | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 46eb82f..1b36984 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -20,6 +20,7 @@
 ***/
 #include "missing.h"
+#include "virt.h"
 #include "journald-audit.h"
 typedef struct MapField {
@@ -533,8 +534,13 @@ int server_open_audit(Server *s) {
 }
 r = bind(s->audit_fd, &http://sa.sa, sizeof(http://sa.nl));
- if (r < 0)
+ if (r < 0) {
+ if (errno == EPERM && detect_container(NULL) > 0) {
+ log_debug("Audit not supported in containers.");
+ return 0;
+ }
 return log_error_errno(errno, "Failed to join audit multicast group: %m");
+ }
 } else
 fd_nonblock(s->audit_fd, 1);
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5e07ce3..21f383a 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1585,9 +1585,11 @@ int server_init(Server *s) {
 if (r < 0)
 return r;
+#ifdef HAVE_AUDIT
 r = server_open_audit(s);
 if (r < 0)
 return r;
+#endif
 r = server_open_kernel_seqnum(s);
 if (r < 0)
--
2.3.5
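Review bot: The new `return 0;` in the EPERM-in-container branch of server_open_audit leaves `s->audit_fd` holding a socket that was opened earlier in this function but never joined the audit multicast group, so if any later code treats `s->audit_fd >= 0` as "audit is active" it will operate on a half-initialised descriptor. Closing it first keeps the server in the same state as when audit is unavailable altogether: `s->audit_fd = safe_close(s->audit_fd);` immediately before `return 0;`. The `errno == EPERM` test is correctly evaluated before `log_debug()` overwrites anything, so the check itself is sound. The `&http://sa.sa` and `sizeof(http://sa.nl)` text on the bind line is a mailing-list archive linkification artefact of `&sa.sa` / `sizeof(sa.nl)`, not part of the patch. server_open_audit's body begins and continues outside the hunk.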