Why does nspawn check if in a user session?
Luke Shumaker
2017-09-14 04:55:56 UTC
Hi all,

I have another question about `systemd-nspawn` internals.

When sanity-checking argv, it does:

    if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0) {
            log_error("--keep-unit --register=yes may not be used when invoked from a user session.");
            return -EINVAL;
    }

(the `&& arg_register` bit was added in 234)

Why does nspawn care if it is in a user session?

My best guess is that it doesn't want to share its cgroup with any
other processes, and it is using user session membership as a sloppy
proxy for that. If that's the case, wouldn't it be more correct and
robust to check for other processes in
"/sys/fs/cgroup/.../cgroup.procs"?
--
Happy hacking,
~ Luke Shumaker
Lennart Poettering
2017-09-14 07:45:06 UTC
Post by Luke Shumaker
> Hi all,
>
> I have another question about `systemd-nspawn` internals.
>
>     if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0) {
>             log_error("--keep-unit --register=yes may not be used when invoked from a user session.");
>             return -EINVAL;
>     }
>
> (the `&& arg_register` bit was added in 234)
>
> Why does nspawn care if it is in a user session?
>
> My best guess is that it doesn't want to share its cgroup with any
> other processes, and it is using user session membership as a sloppy
> proxy for that. If that's the case, wouldn't it be more correct and
> robust to check for other processes in
> "/sys/fs/cgroup/.../cgroup.procs"?

It's simply a check that people don't call the tool from a regular
shell login, and thus make the session scope unit the shell login is
running in the container unit. Because when nspawn then exits it might
continue to be registered with machined as container unit even though
it really doesn't apply anymore.

I think using some kind of wrapper tool around nspawn that stays
running while nspawn is running is an OK thing and shouldn't prohibit
nspawn from registering the unit in machined as container unit, hence
I don't think it would be right to check the PID list as you suggest.

Lennart
--
Lennart Poettering, Red Hat
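
The kind of test discussed in this thread, as an added example that is not part of either post and is not systemd's code: it decides from a cgroup path alone whether the caller sits under a per-user slice, the situation in which `--keep-unit` would turn a login's session scope into the container unit. It assumes systemd's `user-<UID>.slice` naming and that only the innermost leading slice matters; `owner_uid_from_cgroup_path` and the sample paths are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if the path component p[0..n) is named "<something>.slice". */
static int is_slice(const char *p, size_t n) {
    return n > 6 && memcmp(p + n - 6, ".slice", 6) == 0;
}

/* Hypothetical helper (not a systemd function): UID encoded in the innermost
 * leading slice of a cgroup path, or -ENXIO if it is not user-<UID>.slice. */
long owner_uid_from_cgroup_path(const char *path) {
    const char *slice = NULL;
    size_t slice_len = 0;
    /* Walk the leading slice components; stop at the first non-slice unit. */
    for (const char *p = path;;) {
        p += strspn(p, "/");
        size_t n = strcspn(p, "/");
        if (!is_slice(p, n))
            break;
        slice = p;
        slice_len = n;
        p += n;
    }
    if (!slice || slice_len <= 11 || strncmp(slice, "user-", 5) != 0)
        return -ENXIO;
    /* Between "user-" and ".slice" there must be 1..10 decimal digits. */
    const char *digits = slice + 5;
    size_t ndigits = slice_len - 11;
    if (ndigits > 10)
        return -ENXIO;
    for (size_t i = 0; i < ndigits; i++)
        if (!isdigit((unsigned char)digits[i]))
            return -ENXIO;
    return strtol(digits, NULL, 10);
}

int main(void) {
    /* Constructed sample paths, not captured from a real host. */
    const char *samples[] = {
        "/user.slice/user-1000.slice/session-3.scope",
        "/system.slice/systemd-nspawn@demo.service",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %ld\n", samples[i], owner_uid_from_cgroup_path(samples[i]));
    return 0;
}
```

On a live host the path to feed in is the one listed for the process in `/proc/self/cgroup`.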