Commit
Disable PrivateDevices for MemcacheD on CentOS 7
This patch adds the `memcached_disable_privatedevices` variable that allows deployers to disable PrivateDevices in the systemd unit file. This is a workaround to fix the systemd/LXC issues with bind mounting an already bind mounted `/dev/ptmx` inside the LXC container. See Launchpad bug, lxc/lxc#1623, or systemd/systemd#6121 for more details. The is_metal variable is removed as it is unused. Related-bug: 1697531 Change-Id: Id7c148bf901354a3dfc2f189ec659f2b92fc7985
Jesse Pretorius committed Jun 15, 2017. 1 parent: 3f822ea. Commit: a9acd22
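The condition the commit message above works around (LXC presenting `/dev/ptmx` as a bind mount, which systemd 219 cannot re-bind under `PrivateDevices=true`) is something a deployer can check on a host before deciding how to set `memcached_disable_privatedevices`. The script below is an added example written for this page; it is not code from openstack-ansible or from this commit. It parses `/proc/self/mountinfo` text to see whether `/dev/ptmx` is itself a mount point, renders the same `[Service]` override the role's template produces for a given value of the variable, and recommends a value. The two mountinfo samples are constructed; the assumption that LXC's bind mount has `/dev/pts/ptmx` as its source is an assumption of the example, not something the commit states.

```shell
#!/bin/sh
# Added example for this commit page; not code from openstack-ansible.
# Shows the check a deployer would run before flipping
# memcached_disable_privatedevices: is /dev/ptmx itself a mount point (the
# bind mount LXC 2.0.8 sets up) in this container? If it is, systemd 219's
# PrivateDevices= setup cannot bind-mount it again and the override is needed.

# ptmx_is_mountpoint reads /proc/self/mountinfo-formatted text on stdin and
# prints "yes" when any entry's mount point (5th whitespace-separated field)
# is /dev/ptmx, else "no". mountinfo escapes spaces in paths as \040, so
# splitting on whitespace is safe.
ptmx_is_mountpoint() {
    awk '$5 == "/dev/ptmx" { found = 1 } END { print (found ? "yes" : "no") }'
}

# render_dropin prints the [Service] override in the shape the role's template
# renders, for a given value of memcached_disable_privatedevices. It accepts
# the same truthy spellings as Ansible's `bool` filter (case-insensitive).
render_dropin() {
    case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) printf '[Service]\nPrivateDevices=false\n' ;;
        *)             printf '[Service]\nPrivateDevices=true\n' ;;
    esac
}

# recommend_setting reads mountinfo text on stdin and prints the value a
# deployer should give memcached_disable_privatedevices on that host.
recommend_setting() {
    if [ "$(ptmx_is_mountpoint)" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample: how an LXC container's mountinfo might look, with
# /dev/pts/ptmx (root "/ptmx" inside the devpts superblock, an assumption of
# this example) bind-mounted onto /dev/ptmx.
# Field layout: id parent major:minor root mountpoint opts ... - fstype source superopts
LXC_MOUNTINFO='268 256 0:49 / / rw,relatime - ext4 /dev/mapper/lxc-memcached rw
271 268 0:50 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
272 268 0:50 /ptmx /dev/ptmx rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666'

# Constructed sample: a bare-metal CentOS 7 host, where /dev/ptmx is a plain
# device node on devtmpfs and not a mount point of its own.
METAL_MOUNTINFO='24 1 252:0 / / rw,relatime - xfs /dev/mapper/centos-root rw
30 24 0:6 / /dev rw,nosuid - devtmpfs devtmpfs rw,size=8G
33 30 0:21 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000'

# Run with --self to check the machine the script is executing on.
if [ "${1:-}" = --self ]; then
    setting="$(recommend_setting < /proc/self/mountinfo)"
    echo "memcached_disable_privatedevices: $setting"
    render_dropin "$setting"
fi
```

Running `sh check-ptmx.sh --self` inside the memcached container prints the recommended variable value and the override it would produce; on the constructed samples the LXC layout yields `yes` (so `PrivateDevices=false`) and the bare-metal layout yields `no`.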
Showing 4 changed files with 49 additions and 2 deletions.
releasenotes/notes/centos-private-devices-issue-0088e6f8c70a601f.yaml (21 additions & 0 deletions)
@@ -0,0 +1,21 @@ | ||
--- | ||
issues: | ||
- | | ||
MemcacheD sets `PrivateDevices=true` in its systemd unit file to | ||
add extra security around mount namespaces. While this is useful | ||
when running MemcacheD on a bare metal host with other services, it | ||
is less useful when MemcacheD is already in a container with its own | ||
namespaces. In addition, LXC 2.0.8 presents `/dev/ptmx` as a bind mount | ||
within the container and systemd 219 (on CentOS 7) cannot make an | ||
additional bind mount of `/dev/ptmx` when `PrivateDevices` is enabled. | ||
Deployers can `memcached_disable_privatedevices` to `yes` to set | ||
`PrivateDevices=false` in the systemd unit file for MariaDB on CentOS 7. | ||
The default is `no`, which keeps the default systemd unit file settings | ||
from the MemcacheD package. | ||
For additional information, refer to the following bugs: | ||
* https://bugs.launchpad.net/openstack-ansible/+bug/1697531 | ||
* https://github.com/lxc/lxc/issues/1623 | ||
* https://github.com/systemd/systemd/issues/6121 |
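Review bot: The sentence describing the variable names the wrong service and is missing its verb: "Deployers can `memcached_disable_privatedevices` to `yes` to set `PrivateDevices=false` in the systemd unit file for MariaDB on CentOS 7." This is the memcached role and the variable is `memcached_disable_privatedevices`, so it should read "Deployers can set `memcached_disable_privatedevices` to `yes` to set `PrivateDevices=false` in the systemd unit file for MemcacheD on CentOS 7." Since this note is the text operators will find when they hit the bug, the service name matters.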
@@ -0,0 +1,2 @@ | ||
[Service] | ||
PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }} |
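Review bot: The override writes a value for `PrivateDevices=` unconditionally, so with the default `memcached_disable_privatedevices: no` it pins an explicit `PrivateDevices=true` on top of the package unit rather than leaving the package setting untouched as the release note states ("keeps the default systemd unit file settings from the MemcacheD package"). If a packaged unit ever drops or changes that setting, or a deployer carries their own override, this fragment silently re-enables it. Suggest rendering the `[Service]` block only when the variable is true, e.g. wrapping the file in `{% if memcached_disable_privatedevices | bool %}` ... `{% endif %}`, or skipping the task that installs the file otherwise; either way the release note and the template should agree on what the default does. A one-line comment in the fragment pointing at bug 1697531 would also help whoever finds it on a host later.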