
systemd: patch to make LXC work, see https://github.com/lxc/lxc/issue… #37862

Closed

@qknight qknight commented Mar 26, 2018

Motivation for this change

When this patch is not present, it is not possible to use LXC on NixOS properly with 'user namespace'.

see also: lxc/lxc#2226

note on usability

On NixOS we can run a modified version of systemd inside the LXC-based container, and this patch is only required inside the container. This is pretty cool, actually!

But, and this is a huge but, it would be helpful to not have to recompile the whole container software stack just because of this small patch not being in systemd in general (on the host and on the guest).

note on security

@qknight that pull request in particular changes the behaviour of stuff that systemd does after fork, but before performing execv of the process in question, for the sub-case when the unit has User= Group= specified only. Instead of attempting to use a privileged KEYCTL_CHOWN operation, privileges are instead dropped down to the User=/Group= specified to create the process-session keyring, and then privileges are elevated back to continue the rest of the process setup code. The session keyring that is set up is continuously "linked" to the currently forked process, and no communication is performed with pid1. Overall, there is now less code running with elevated privileges, and fewer syscalls used. Overall the security attack surface is now smaller.

I'm about to upload said pull request into ubuntu, and I will be SRUing it. Thus it will be covered by standard Ubuntu & Canonical support and security maintenance offerings.

lxc/lxc#2226 (comment)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Fits CONTRIBUTING.md.
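As an added illustration of the sequence described in the quoted security note (example code written here, not the systemd patch and not code from the lxc or nixpkgs projects), the helper below, with the hypothetical names run_with_dropped_privs and join_session_keyring, temporarily switches the effective uid/gid to a User=/Group= pair, joins a session keyring while unprivileged, and then re-elevates using the saved uid. It assumes Linux; run without root it switches to the caller's own ids, and keyctl may be refused by a seccomp policy, in which case -errno is returned instead of a keyring serial.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the file builds even if the feature macro was
 * set too late for <unistd.h> to expose them (identical redeclarations). */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

#ifndef KEYCTL_JOIN_SESSION_KEYRING
#define KEYCTL_JOIN_SESSION_KEYRING 1 /* value from <linux/keyctl.h> */
#endif

/* Hypothetical helper, not systemd code: run op() with the effective
 * uid/gid switched to uid/gid, then switch back. Real and saved ids are
 * untouched, so a root caller keeps saved uid 0 and can re-elevate.
 * Returns 0 if both switches succeeded, otherwise -errno. */
int run_with_dropped_privs(uid_t uid, gid_t gid, long (*op)(void *),
                           void *arg, long *op_result)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    /* Group first: an unprivileged euid may no longer change the gid. */
    if (setresgid((gid_t)-1, gid, (gid_t)-1) < 0)
        return -errno;
    if (setresuid((uid_t)-1, uid, (uid_t)-1) < 0) {
        int e = errno;
        setresgid((gid_t)-1, egid, (gid_t)-1);
        return -e;
    }
    *op_result = op(arg);                 /* runs as User=/Group= */
    if (setresuid((uid_t)-1, euid, (uid_t)-1) < 0) /* euid == saved uid */
        return -errno;
    if (setresgid((gid_t)-1, egid, (gid_t)-1) < 0)
        return -errno;
    return 0;
}

/* The unprivileged step: join a fresh anonymous session keyring, which the
 * kernel owns by the current effective uid. Returns the serial or -errno. */
long join_session_keyring(void *unused)
{
    (void)unused;
#ifdef SYS_keyctl
    long id = syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, (const char *)0);
    return id < 0 ? -errno : id;
#else
    return -ENOSYS;
#endif
}
```

A driver that calls run_with_dropped_privs(getuid(), getgid(), join_session_keyring, 0, &id) exercises the switch unprivileged; as root, pass the target unit's uid/gid to observe the real drop and re-elevation.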

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: systemd


@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: systemd


Mic92 commented Mar 26, 2018

Please add the patch to https://github.com/Nixos/systemd instead. It would also be nice if the valid concerns addressed by the upstream reviewers would be addressed here as well: https://github.com/systemd/systemd/pull/8447/files#r176907700

qknight commented Mar 26, 2018

@Mic92 Good point. Maybe we should wait with the patch then until this has been fixed.

@qknight qknight closed this Mar 26, 2018
Mic92 commented Mar 26, 2018

Systemd is usually with merging for fixes from my experience.

qknight commented Mar 26, 2018

@Mic92 systemd is usually <>? I think the sentence lacks a word...

Mic92 commented Mar 26, 2018

Systemd is usually fast in merging fixes from my experience.

qknight commented Mar 26, 2018

@Mic92 Awesome! Thanks.

qknight commented Mar 27, 2018

@Mic92 The patch has been merged, but I think only for master, see systemd/systemd#8447

So I need to make a PR to https://github.com/nixos/systemd with that patch for 2.37, right? I want that patch to be in 18.03 btw.

Mic92 commented Mar 28, 2018

@qknight Yes.
