RFE: systemd.exec Type=Notify do not work with RootDirectory #3544
Comments
|
I figure if Type=notify or NotifyAccess= are explicitly set we indeed should just bind mount the socket into the chroot. I mean, If people mix RootDirectory= and any of those two settings, then they basically ask for it... |
|
or hmmm, bind mounting sucks here, because after all RootDirectory= doesn't imply fs namespacing... Maybe we should instead simply add BindPath= or so as generic way to bind mount something somewhere for a specific service, and then simply document that people should use it for /run/systemd/notify if they use RootDirectory=... |
|
Moving notify socket to abstract namespace would solve it. |
|
@zdzichu well, we used to have it in the abstract namespace, but doing this is nasty for containers as abstract AF_UNIX sockets are only namespaced if network namespaces are used for a container (which often is not), unlike in-file-system AF_UNIX sockets which are used for file system namespaces (which is definitely namespaced for containers). |
We already force mnt namespacing implicitely on private_tmp, read_write_dirs, etc.: We could document that in I would also prefer not to use abstract sockets for the notify socket: file sockets across mnt namespaces can be bypassed with bind mounts, but Abstract sockets across net namespaces cannot. |
I think it will much better if this will be done automatically if I would like to have this in the next systemd release, so let;s come out with a design decision in time to write the patch for the v231.
About this I think is a good idea, but if it is only to hide |
… to the host After this patch, systemd on the host marks the container as "active" when the init systemd in the container sends the ready message instead of doing it after the container is created. After this patch rkt sets `--service-type=notify`. Also appc/spec in godeps is patched to expose `SupportNotify`. Fixes: rkt#1464 Warning: If the application launched by rkt does not notify (with sd_notify()) that it is ready, then the application may be killed after a timeout. Note: Requires systemd v231 in stage1.
|
Fixed with 3bdc25a |
Submission type
NOTE: Do not submit anything other than bug reports or RFEs via the issue tracker!
systemd version the issue has been seen with
NOTE: Do not submit bug reports about anything but the two most recently released systemd versions upstream!
Used distribution
When a service set Type=notify and RootDirectory=, then the notification mechanism does not work, the serivice is marked "activating", and eventually killed by systemd because of timeout.
How to reproduce the issue:
sudo systemctl start chroot-test.servicesudo systemctl status chroot-test.serviceProposed solution
When both
Type=notifyandRootDirectory=are present, systemd will bind mount the/run/systemd/notifyon the host into the service filesystem in the same location.If
/run/systemd/notifyis not present in the service filesystem, systemd could create it by default or exit with an error. Ask to the user to set it up force them to understand better what is happening but will break service that now are working. Do not do anything will be more back compatible but it is still a wrong behavior. Any thoughts about it?The text was updated successfully, but these errors were encountered: