Open arianvp opened 5 years ago
~Plot thickens. As there is a test that tests exactly this use case: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/systemd-confinement.nix#L98~

~The test succeeds, even though the logs seem to suggest something is wrong. It can't create `/usr`, but it can cat to `/usr/lib/testme/foo`?~
edit: I confused `/var` and `/usr`. The `StateDirectory` stuff works. It's just that `systemd` somehow insists on trying to create `/usr` within the `RootDirectory`.
```
subtest: check if StateDirectory works
machine: must succeed: echo 6 > /teststep
machine: exit status 0
(0.00 seconds)
machine: must succeed: chroot-exec touch /tmp/canary
machine# [ 12.102767] systemd[1]: Created slice system-test6.slice.
machine# [ 12.105618] systemd[1]: Started Confined Test Service 6 (PID 1008/UID 0).
machine# [ 12.116566] systemd[1010]: Failed to create directory at /nix/store/63i83mvgnmsnzn9b41hff624f3qc7pn6-test6--chroot/usr: Read-only file system
machine: exit status 0
(0.10 seconds)
machine: must succeed: chroot-exec "echo works > /var/lib/testme/foo"
machine# [ 12.208273] systemd[1]: Started Confined Test Service 6 (PID 1025/UID 0).
machine# [ 12.215631] systemd[1027]: Failed to create directory at /nix/store/63i83mvgnmsnzn9b41hff624f3qc7pn6-test6--chroot/usr: Read-only file system
machine: exit status 0
(0.09 seconds)
machine: must succeed: test "$(< /var/lib/testme/foo)" = works
machine: exit status 0
(0.00 seconds)
machine: must succeed: test ! -e /tmp/canary
machine: exit status 0
(0.00 seconds)
(0.19 seconds)
```
Neverminddddd. I'm confusing `/usr/lib` and `/var/lib` in my head. The `StateDirectory` stuff does work. However, for some reason `systemd` insists on trying to mkdir `/usr` when it doesn't exist and then it fails (but the unit still succeeds, it just logs a message). Which is a totally different issue. I'll rename the issue accordingly. I also changed the toplevel description.

Systemd logs from which line in the systemd source code a journal message comes from! How convenient! (with `journalctl --output=json`)
The code that causes the log message is: https://github.com/systemd/systemd/blob/c6134d3e2f1d1d17b32b6e06556cd0c5429bc78a/src/core/namespace.c#L1430-L1432

It tries to create a 'base filesystem' when `RootDirectory` or `RootImage` is set but ignores the error if it can't. However, not all of the `base_filesystem` paths really make sense in NixOS. Perhaps we should patch our fork of systemd so that it doesn't try to create all these 'useless' paths.
```c
#include <stdbool.h>
#include <sys/types.h>
/* systemd's base_filesystem table: the entries it tries to create below RootDirectory.
 * Struct definition, #endif and closing brace added here so the excerpt compiles. */
typedef struct BaseFilesystem {
        const char *dir; mode_t mode;   /* mode 0: create a symlink instead of a directory */
        const char *target;             /* NUL-separated candidate symlink targets */
        const char *exec;               /* only link if this executable exists below target */
        bool ignore_failure;
} BaseFilesystem;
static const BaseFilesystem table[] = {
        { "bin",   0,    "usr/bin\0",  NULL },
        { "lib",   0,    "usr/lib\0",  NULL },
        { "root",  0755, NULL, NULL, true },
        { "sbin",  0,    "usr/sbin\0", NULL },
        { "usr",   0755, NULL, NULL },
        { "var",   0755, NULL, NULL },
        { "etc",   0755, NULL, NULL },
        { "proc",  0755, NULL, NULL, true },
        { "sys",   0755, NULL, NULL, true },
        { "dev",   0755, NULL, NULL, true },
#if defined(__i386__) || defined(__x86_64__)
        { "lib64", 0,    "usr/lib/x86_64-linux-gnu\0"
                         "usr/lib64\0", "ld-linux-x86-64.so.2" },
#endif
};
```
@aszlig do you think it would make sense to have `/usr/bin/env` in the sandbox, just like `/bin/sh`?

However, when we add it, I think the above code will then instead try to make a `bin` directory and fail (it will try to symlink `/bin` to `/usr/bin` when `/usr/bin` is present) or create a `var` directory and fail. So it seems we should just patch this code out of systemd.
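Following the `journalctl --output=json` remark above, an added example (not code from this issue, nixpkgs or systemd) that parses journal JSON lines and pairs each ignored "Failed to create directory" message with its unit, the base-filesystem entry being created, the `CODE_FILE:CODE_LINE` source location, and whether PID 1 still reported the unit as started. The journal lines are constructed from the log quoted in this issue; the `--chroot` root-path pattern is an assumption taken from that output.

```python
import json
import re

# Constructed sample of `journalctl --output=json` output (one object per line), modelled on
# the messages quoted in this issue. CODE_FILE/CODE_LINE mirror the namespace.c link above;
# the field names (MESSAGE, _PID, _SYSTEMD_UNIT, UNIT, CODE_FILE, CODE_LINE) are systemd's.
SAMPLE_JOURNAL = """
{"MESSAGE": "Created slice system-test6.slice.", "_PID": "1", "UNIT": "system-test6.slice"}
{"MESSAGE": "Started Confined Test Service 6 (PID 1008/UID 0).", "_PID": "1", "UNIT": "test6.service"}
{"MESSAGE": "Failed to create directory at /nix/store/63i83mvgnmsnzn9b41hff624f3qc7pn6-test6--chroot/usr: Read-only file system", "_PID": "1010", "_SYSTEMD_UNIT": "test6.service", "CODE_FILE": "src/core/namespace.c", "CODE_LINE": "1430"}
{"MESSAGE": "Started Confined Test Service 6 (PID 1025/UID 0).", "_PID": "1", "UNIT": "test6.service"}
{"MESSAGE": "Failed to create directory at /nix/store/63i83mvgnmsnzn9b41hff624f3qc7pn6-test6--chroot/usr: Read-only file system", "_PID": "1027", "_SYSTEMD_UNIT": "test6.service", "CODE_FILE": "src/core/namespace.c", "CODE_LINE": "1430"}
"""

FAILED_RE = re.compile(r"^Failed to create directory at (?P<path>.+?): (?P<err>[^:]+)$")
# Assumption: NixOS confinement roots live at /nix/store/<hash>-<unit>--chroot.
ROOT_RE = re.compile(r"^(?P<root>/nix/store/[^/]+--chroot)/(?P<entry>.+)$")

def parse_journal(text):
    """One dict per non-empty line of `journalctl --output=json` output."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def base_filesystem_failures(entries):
    """Collect 'Failed to create directory' messages and report, per message, the unit,
    the entry systemd tried to create under RootDirectory, the errno text, the systemd
    source location, and whether PID 1 nevertheless reported the unit as started."""
    started = {e.get("UNIT") for e in entries
               if e.get("_PID") == "1" and e.get("MESSAGE", "").startswith("Started ")}
    results = []
    for e in entries:
        m = FAILED_RE.match(e.get("MESSAGE", ""))
        if not m:
            continue
        r = ROOT_RE.match(m.group("path"))
        unit = e.get("_SYSTEMD_UNIT", "?")
        results.append({
            "unit": unit,
            "root": r.group("root") if r else None,
            "entry": r.group("entry") if r else m.group("path"),
            "error": m.group("err"),
            "source": f"{e.get('CODE_FILE', '?')}:{e.get('CODE_LINE', '?')}",
            "unit_started": unit in started,   # True: the error was logged but ignored
        })
    return results

if __name__ == "__main__":
    for failure in base_filesystem_failures(parse_journal(SAMPLE_JOURNAL)):
        print(json.dumps(failure))
```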
Yeah, I noticed that quirk already and wrote about that in the commit message.
@arianvp: Yes, as you already noted, I think we should patch that in our systemd fork.

As for `/usr/bin/env`... I'm not in favour of this, because for most services there are no unpatched shebangs in scripts and for the rare cases where it isn't the case, one can still use `BindReadOnlyPaths`.
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
Issue description
When we enable `confinement`, systemd insists on creating `/usr`, which it fails at because `/` is mounted read-only between it trying to create `/usr` and `TemporaryFileSystem=/` being executed. I have no idea why it is trying to create `/usr` in the first place. cc @aszlig
Steps to reproduce
Technical details
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the results.