Discussion:
Requirements for successful mounting of RootImage?
Lennart Poettering
2017-07-31 13:50:26 UTC
Hey,
[Unit]
[Install]
WantedBy=multi-user.target
[Service]
Type=oneshot
ExecStart=/bin/ls -lR
RootImage=/fs
MountAPIVFS=no
Any reason you turn this off? This is likely to break sooner or later,
so it would make a ton of sense to test things first with it left on,
before checking anything else.
Disk /dev/loop0: 1.1 MiB, 1192960 bytes, 2330 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x3990f3e6
Device Boot Start End Sectors Size Id Type
/dev/loop0p1 * 34 2329 2296 1.1M 83 Linux
That should work. See if "systemd-nspawn -i" can get a shell in it. If
so, RootImage= should work too, it uses the same code.

Also, consider invoking /usr/lib/systemd/systemd-dissect on the image
file, it will tell you whether it can make sense of the image, and how
it would mount it.
bin
bin/ls
boot
dev
etc
etc/group
etc/nsswitch.conf
etc/passwd
home
lib
lib64
lib64/ld-linux-x86-64.so.2
lib/libc.so.6
lib/libdl.so.2
lib/libpcre.so.3
lib/libpthread.so.0
lib/libselinux.so.1
media
opt
proc
root
run
sbin
srv
sys
tmp
usr
usr/bin
usr/lib
usr/lib64
usr/lib/x86_64-linux-gnu
usr/sbin
var
var/tmp
Jul 30 13:25:42 machine systemd[1]: Starting test.service...
Jul 30 13:25:42 machine kernel: loop0: p1
Jul 30 13:25:42 machine systemd[1]: test.service: Main process exited,
code=killed, status=6/ABRT
Jul 30 13:25:42 machine systemd[1]: Failed to start test.service.
Jul 30 13:25:42 machine systemd[1]: test.service: Unit entered failed state.
Jul 30 13:25:42 machine systemd[1]: test.service: Failed with result
'signal'.
It looks like systemd successfully mounts the file system, but then
2761 mount("/dev/loop1p1", "/run/systemd/unit-root", "squashfs",
MS_NODEV, NULL <unfinished ...>
2761 <... mount resumed> ) = 0
2761 rt_sigprocmask(SIG_UNBLOCK, [ABRT], <unfinished ...>
2761 <... rt_sigprocmask resumed> NULL, 8) = 0
2761 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
2761 getpid( <unfinished ...>
2761 <... getpid resumed> ) = 2761
2761 gettid( <unfinished ...>
2761 <... gettid resumed> ) = 2761
2761 tgkill(2761, 2761, SIGABRT <unfinished ...>
2761 <... tgkill resumed> ) = 0
2761 rt_sigprocmask(SIG_SETMASK, [], <unfinished ...>
2761 <... rt_sigprocmask resumed> NULL, 8) = 0
2761 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2761,
si_uid=0} ---
2761 +++ killed by SIGABRT +++
The file system can be mounted by hand with losetup and mount, and
/bin/ls can be run from chroot. So I think everything should be OK but
RootImage still does not work and the error messages are useless.
Perhaps I miss some RootImage requirements? What exactly are they?
They are documented briefly in "systemd-nspawn's" --image= setting.

That said, if systemd actually mounted something, then the image is
fine. Most likely something is simply borked in the namespacing code,
and that is kind of hard to debug, because logging is already turned off
at that point. It should be relatively easy to patch that in
temporarily though, i.e. find apply_mount_namespace() in
src/core/execute.c and place a log_open() before the setup_namespace()
invocation, and check if this improves logging for you.

Lennart
--
Lennart Poettering, Red Hat
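
Added example, not part of any message in this thread: a small Python helper that re-joins the split `<unfinished ...>` / `resumed>` lines of the `strace -f` excerpt quoted above and reports the last real syscall the process completed before the fatal signal. The function name and the noise list are this example's own choices; the trace is the thread's excerpt with the e-mail line wraps re-joined.

```python
import re

# strace -f excerpt from the thread, e-mail line wraps re-joined.
TRACE = """\
2761 mount("/dev/loop1p1", "/run/systemd/unit-root", "squashfs", MS_NODEV, NULL <unfinished ...>
2761 <... mount resumed> ) = 0
2761 rt_sigprocmask(SIG_UNBLOCK, [ABRT], <unfinished ...>
2761 <... rt_sigprocmask resumed> NULL, 8) = 0
2761 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
2761 getpid( <unfinished ...>
2761 <... getpid resumed> ) = 2761
2761 gettid( <unfinished ...>
2761 <... gettid resumed> ) = 2761
2761 tgkill(2761, 2761, SIGABRT <unfinished ...>
2761 <... tgkill resumed> ) = 0
2761 rt_sigprocmask(SIG_SETMASK, [], <unfinished ...>
2761 <... rt_sigprocmask resumed> NULL, 8) = 0
2761 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2761, si_uid=0} ---
2761 +++ killed by SIGABRT +++
"""

CALL = re.compile(r"^(\d+) (\w+)\((.*)\) += (\S+)")
SIGNAL = re.compile(r"^(\d+) --- (SIG\w+) \{.*si_code=(\w+), si_pid=(\d+)")
# Syscalls glibc's abort()/raise() issues itself; they do not explain the abort.
RAISE_NOISE = {"rt_sigprocmask", "getpid", "gettid", "tgkill"}

def last_call_before_signal(trace):
    """Return, per signalled PID, the last non-noise syscall it completed."""
    pending, last, report = {}, {}, []
    for line in trace.splitlines():
        pid, _, rest = line.partition(" ")
        if rest.endswith("<unfinished ...>"):        # first half of a split call
            pending[pid] = rest[: -len("<unfinished ...>")]
            continue
        if rest.startswith("<... "):                 # second half: re-join it
            rest = pending.pop(pid, "") + rest.split("resumed>", 1)[1]
        line = f"{pid} {rest}"
        if m := CALL.match(line):
            if m[2] not in RAISE_NOISE:
                last[pid] = (m[2], m[3].strip(), m[4])
        elif m := SIGNAL.match(line):
            report.append({"pid": pid, "signal": m[2],
                           "self_sent": m[3] == "SI_TKILL" and m[4] == pid,
                           "last_call": last.get(pid)})
    return report

if __name__ == "__main__":
    print(last_call_before_signal(TRACE))
```

On the excerpt this reports a successful squashfs `mount` onto `/run/systemd/unit-root` followed by a SIGABRT the process sent to itself (`si_code=SI_TKILL`, `si_pid` equal to its own PID), which is the pattern glibc's `abort()` leaves in a trace.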
Lennart Poettering
2017-07-31 13:51:18 UTC
Hey,
[Unit]
[Install]
WantedBy=multi-user.target
[Service]
Type=oneshot
ExecStart=/bin/ls -lR
RootImage=/fs
MountAPIVFS=no
btw, just to mention that, if you want to quickly test something like
this, you can also use:

# systemd-run -p RootImage=/fs /bin/ls -lR

Lennart
--
Lennart Poettering, Red Hat
Topi Miettinen
2017-08-20 13:20:48 UTC
Sorry, your messages were in spam folder (must be due to some kind of
evil plan by the systemd haters), so I didn't notice them until now.
Post by Lennart Poettering
Hey,
[Unit]
[Install]
WantedBy=multi-user.target
[Service]
Type=oneshot
ExecStart=/bin/ls -lR
RootImage=/fs
MountAPIVFS=no
Any reason you turn this off? This is likely to break sooner or later,
so it would make a ton of sense to test things first with it left on,
before checking anything else.
OK, but that did not help.
Post by Lennart Poettering
Disk /dev/loop0: 1.1 MiB, 1192960 bytes, 2330 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x3990f3e6
Device Boot Start End Sectors Size Id Type
/dev/loop0p1 * 34 2329 2296 1.1M 83 Linux
That should work. See if "systemd-nspawn -i" can get a shell in it. If
so, RootImage= should work too, it uses the same code.
Also, consider invoking /usr/lib/systemd/systemd-dissect on the image
file, it will tell you whether it can make sense of the image, and how
it would mount it.
# /lib/systemd/systemd-dissect /root.sqsh
Found writable 'root' partition of type squashfs without verity
(/dev/block/7:0)
Post by Lennart Poettering
Perhaps I miss some RootImage requirements? What exactly are they?
They are documented briefly in "systemd-nspawn's" --image= setting.
I tried systemd-nspawn with the image, but that also refuses. There's
this error:
# systemd-nspawn --image=/root.sqsh
Spawning container root.sqsh on /root.sqsh.
Press ^] three times within 1s to kill container.
Timezone Europe/Helsinki does not exist in container, not updating
container timezone.
Failed to create /var/log: Read-only file system

It looks like the image is mounted read-only:
2427 mkdir("/tmp/nspawn-root-jlYu4k/var/log", 0755) = -1 EROFS
(Read-only file system)

If I add "--tmpfs=/var" and move the mount_custom() call in nspawn.c
between setup_seccomp() and setup_timezone(), there's no error and
systemd-nspawn can mount the image and run the command. But it would be
nice to understand why the image is mounted read-only in the first place.

Adding a read-write /var to test.service does not help either:
BindPaths=/tmp/var.test:/var

The contents seem to be fine because there's no error when using nspawn
with --directory.
Post by Lennart Poettering
That said, if systemd actually mounted something, then the image is
fine. Most likely something is simply borked in the namespacing code,
and that is kind of hard to debug, because logging is already turned off
at that point. It should be relatively easy to patch that in
temporarily though, i.e. find apply_mount_namespace() in
src/core/execute.c and place a log_open() before the setup_namespace()
invocation, and check if this improves logging for you.
I'll try that next.
Post by Lennart Poettering
Lennart
-Topi
Lennart Poettering
2017-08-31 16:32:02 UTC
Post by Topi Miettinen
Post by Lennart Poettering
Disk /dev/loop0: 1.1 MiB, 1192960 bytes, 2330 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x3990f3e6
Device Boot Start End Sectors Size Id Type
/dev/loop0p1 * 34 2329 2296 1.1M 83 Linux
That should work. See if "systemd-nspawn -i" can get a shell in it. If
so, RootImage= should work too, it uses the same code.
Also, consider invoking /usr/lib/systemd/systemd-dissect on the image
file, it will tell you whether it can make sense of the image, and how
it would mount it.
# /lib/systemd/systemd-dissect /root.sqsh
Found writable 'root' partition of type squashfs without verity
(/dev/block/7:0)
Hmm, I figure we shouldn't claim "writable" here, given that it is
squashfs, which is r/o
Post by Topi Miettinen
Post by Lennart Poettering
Perhaps I miss some RootImage requirements? What exactly are they?
They are documented briefly in "systemd-nspawn's" --image= setting.
I tried systemd-nspawn with the image, but that also refuses. There's
# systemd-nspawn --image=/root.sqsh
Spawning container root.sqsh on /root.sqsh.
Press ^] three times within 1s to kill container.
Timezone Europe/Helsinki does not exist in container, not updating
container timezone.
Failed to create /var/log: Read-only file system
2427 mkdir("/tmp/nspawn-root-jlYu4k/var/log", 0755) = -1 EROFS
(Read-only file system)
Yeah, it's squashfs, squashfs is read-only by definition...

If you are using a read-only image you need to populate /var properly,
or you use --volatile= in some form... (which is similar to --tmpfs=/var...)
Post by Topi Miettinen
If I add "--tmpfs=/var" and move the mount_custom() call in nspawn.c
between setup_seccomp() and setup_timezone(), there's no error and
systemd-nspawn can mount the image and run the command. But it would be
nice to understand why the image is mounted read-only in the first place.
squashfs...

Lennart
--
Lennart Poettering, Red Hat