Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EDIT: nixos/stage-2-init: add systemdFlags option #3105

Closed

Conversation

offlinehacker
Copy link
Contributor

Add boot.systemdFlags option to change systemd boot flags.

@wmertens
Copy link
Contributor

This makes tons of sense since it's a boot script. 👍

@edolstra
Copy link
Member

Doesn't docker run containers in a private PID namespace?

The systemd manpage suggests you shouldn't use this option:

These options are hence of little use except for debugging. Note that it is not supported booting and maintaining a full system with systemd running
in --system mode, but PID not 1. In practice, passing --system explicitly is only useful in conjunction with --test.

@offlinehacker
Copy link
Contributor Author

Well it does not work if i remove this option, if i run docker in
privileged mode it works, but whole point of running containers is not
droping all the provileges. How about adding extraSystemdOptions to
stage-2-init?

On Fri, Jun 27, 2014 at 2:55 PM, Eelco Dolstra notifications@github.com
wrote:

Doesn't docker run containers in a private PID namespace?

The systemd manpage suggests you shouldn't use this option:

These options are hence of little use except for debugging. Note that it is not supported booting and maintaining a full system with systemd running
in --system mode, but PID not 1. In practice, passing --system explicitly is only useful in conjunction with --test.


Reply to this email directly or view it on GitHub
#3105 (comment).

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFEY1PEBCADPOfERF2wo4qeoq9L1m2z4pKfWqNd4B6BsoFUWPNd7BXmY+9JG
jJddSkmYobWec7XjAFTBL0Xbttt+rK9SIED2dCOmU1FYMQElhGlM3PNA3kaiQFeV
ijgH318GCfZzDd0dWa5TN/IshVeWXwgngsIEmZTVf1VSeb3eO3B8Fxe3zsSLUq0b
71MmU5eLVP9pMkm5V5BTYp+lV70FIekKygkKq+uTDo1csWUatbs4Qvgv37Bymy2t
oTwOBXGoinQk5N/6asR1jWs3vKv0L0SruoZy/kEG/jXb4l2OZUP85EVMganYKouE
OchVmcmhBdWV+t3HK4r2ATfyEcMRzvzSflA1ABEBAAG0Jkpha2EgSHVkb2tsaW4g
PGpha2FodWRva2xpbkBnbWFpbC5jb20+iQE+BBMBAgAoBQJRGNTxAhsDBQkB4TOA
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD6Zxi5hZclKnXNCACLOKa8abQp
eTWv9SXUwC7LVM5pP2mXcgn+Ipqr6YWBdLx4Iij0YlvUok9VeKvwTpUlT+cx++o3
wCM3AYrUyJE+zrtw49lInUmutz9seqJLU895oq+D+UuGoORrLBpEZrYR5f83uUmQ
E3Z1ZmWrNGXYtITWDtVZD/KauMF2nkPcmy/XaYXhd4WHD81DGNlKtGAHig6A3Phc
8Mr0A4yLDeRQJm8lCFEsxMJUNTupgY+ybbsMfVGx1gQvvGOTioV8CLCoRchUCCcm
YPArFg40KzIDSNjwdo9EVZDnlPx1hbOppfQydxP+JVnZsqoYmVY4UhIWi/NfOl3V
UMjl338INW1zuQENBFEY1PEBCADRSIfelOMjaTH7IfpMFFUc5Gys//njFnW9QAUg
wyfs2AFxUp6vKQ7nxXQiJXVhKTwe9iqo+oGxaHp4AeTjC7vXsfMuF5g5lfttbAo3
YEobEe6OG5so41nbwan6SyeIIQ2AmQqJBw8TKKMSec2qUN0Pw7iZRs0o9uJM/obG
DPsAsMOQgNLxJyMCP7X2jBtDXxkMFVHMmk50Tl3h3Fi9qWuNxgTXjs0tUvKkXiu2
Pco952jnm7HpCIKBek2pqR/UJXXb5qxy5G6Lc0qaMWZ5GKnSMTJmTY6Xl44EnaLK
zh0rqgF9qpoWck470ZbiGASMtB008hy2l0cyxUfvDaS3tY4hABEBAAGJASUEGAEC
AA8FAlEY1PECGwwFCQHhM4AACgkQ+mcYuYWXJSoT6AgAkvzvC0EGmeCR3cn9O3Gf
yG00Kqk9/1gJvlphis7AAce8iUgU+4xd94Vp0u8rghpdy88xKN5lF1W2YZQmmBaf
AVe6b7TOg6kxc3GKkVsWDxNyQKkpB46BwefIGaSljH7502X9aEWosrqWyJJNYCtt
QDit4BysX0Ww3Ka5Rx6ZFhC9ybPKoW2i8JwpyBaXDt7R2k+PC/ClBf9qzL+sb2es
zh/zCMVKNdm8KUITHU/5lgn2qZpUFZwiASPCMGGFP9u8g6UKeUTYTPD+GWaHIW63
RAgNIAffxx0M1r3P/2ipkAdI3NX/1iBKDQNG8Odsf+BswFKrNCnyUDdLPvJAhODS
gw==
=tmrm
-----END PGP PUBLIC KEY BLOCK-----

@offlinehacker
Copy link
Contributor Author

Ok i've change this pull request, instead of hardcoding --system i added boot.systemdFlags, so user can now set his own flags at boot. I also updated pull request msg.

@offlinehacker offlinehacker changed the title nixos/stage-2-init: allways start systemd in system mode nixos/stage-2-init: add systemdFlags option Jun 27, 2014
@offlinehacker offlinehacker changed the title nixos/stage-2-init: add systemdFlags option EDIT: nixos/stage-2-init: add systemdFlags option Jun 27, 2014
@edolstra
Copy link
Member

Actually the point of a container is that you appear to have (almost) all privileges inside the container :-)

I don't object to adding --system per se, but running systemd in system mode when it's not PID 1 seems like the wrong thing to do.

@offlinehacker
Copy link
Contributor Author

Well it looks like it works for docker/libcontainer, so i think boot.systemdFlags is a way to go, until docker or systemd fixes these bugs.

@edolstra
Copy link
Member

That misses the point. Why doesn't the container have its own PID namespace? Doesn't docker support that?

@offlinehacker
Copy link
Contributor Author

I actually don't know, it looks like it has, but i have no idea why PID is not 1, if i don't set --system flag it does want to start systemd in user mode. It looks like this problem is also elsewhere. I will report this bug upstream and let them handle this.

@edolstra
Copy link
Member

How is the NixOS stage 2 script invoked? It should be done using "exec", otherwise it will run as PID > 1 (and so will systemd).

@offlinehacker
Copy link
Contributor Author

I don't know how it's invoked, i guess i will look in libcontainer source code, but will see how much i understand golang.

@offlinehacker
Copy link
Contributor Author

Yeah, looks like PID is 6, this looks like they run something before init, and looks like i can't simply fix this.

@edolstra
Copy link
Member

Unless the actual PID 1 cleans up zombies, then the container won't work properly (because that only works when systemd is PID 1).

@offlinehacker
Copy link
Contributor Author

Ok, i've managed to run systemd as PID 1 in libcontainer, but in that case it freezes without any log output. Do you have any idea?

@offlinehacker
Copy link
Contributor Author

This is a backtrace from gdb:

(gdb) bt
#0  0x00007ff44f7e3d10 in __pause_nocancel () from /nix/store/94n64qy99ja0vgbkf675nyk39g9b978n-glibc-2.19/lib/libpthread.so.0
#1  0x000000000048595d in freeze ()
#2  0x000000000049aa2e in main ()

EDIT: I also reported this bug upstream to docker, moby/moby#6730

@7c6f434c
Copy link
Member

So even if we fix the merge conflict, we'd get little until docker fixes the bug?

@edolstra
Copy link
Member

@offlinehacker Is this still needed? NixOS runs on Docker without it, right?

@offlinehacker
Copy link
Contributor Author

No, this is not needed anymore, i've found a hack around, i'm closing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
9.needs: reporter feedback This issue needs the person who filed it to respond
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants