These four units belong to the systemd package itself:

> dev-hugepages.mount loaded failed failed Huge Pages File System
> systemd-journald-audit.socket loaded failed failed Journal Audit Socket

These units attempt to not start in containers with fewer privileges with ConditionCapability=CAP_SYS_ADMIN and CAP_AUDIT_READ. This does work in nspawn, but it seems the LXD unprivileged containers pretend to have all these caps:

    Capabilities for `1': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_syslog,cap_wake_alarm,cap_block_suspend,37+ep

Which is misleading. Can we start containers with only those capabilities which are actually namespace aware and available to the container, and hide the rest?

> systemd-sysctl.service loaded failed failed Apply Kernel Variables

This is supposed to not start via ConditionPathIsReadWrite=/proc/sys/, but tries anyway, and with debug logging I get

    systemd-sysctl.service: ConditionPathIsReadWrite=/proc/sys/ succeeded.

This is wrong as both "touch /proc/sys/foo" and "test -w /proc/sys" fail. I'll look into this.

> systemd-remount-fs.service loaded failed failed Remount Root and Kernel File
> Systems

This has "ConditionPathExists=/etc/fstab", but that's true for lxd containers because they have a dummy /etc/fstab with no entries, just a comment (thus ConditionFileNotEmpty= would not work either). Checking for the CAP_SYS_ADMIN capability would be appropriate (which is required for mounting), but that wouldn't work because of the above issue. This service does succeed in a container without apparmor restrictions (--config raw.lxc=lxc.aa_profile=unconfined). Adding ConditionPathIsReadWrite=!/ may be the simplest and most straightforward solution here.
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lvm2 in Ubuntu.
https://bugs.launchpad.net/bugs/1576341

Title:
  fails in lxd container

Status in lvm2 package in Ubuntu:
  Confirmed
Status in lxd package in Ubuntu:
  New
Status in open-iscsi package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  The ubuntu:xenial image shows 'degraded' state in lxd on initial boot.

    $ lxc launch xenial x1
    $ sleep 10
    $ lxc file pull x1/etc/cloud/build.info -
    build_name: server
    serial: 20160420-145324
    $ lxc exc x1 systemctl is-system-running
    degraded
    $ lxc exec x1 systemctl --state=failed
      UNIT                          LOAD   ACTIVE SUB    DESCRIPTION
    ● dev-hugepages.mount           loaded failed failed Huge Pages File System
    ● iscsid.service                loaded failed failed iSCSI initiator daemon (iscsid)
    ● open-iscsi.service            loaded failed failed Login to default iSCSI targets
    ● systemd-remount-fs.service    loaded failed failed Remount Root and Kernel File Systems
    ● systemd-sysctl.service        loaded failed failed Apply Kernel Variables
    ● lvm2-lvmetad.socket           loaded failed failed LVM2 metadata daemon socket
    ● systemd-journald-audit.socket loaded failed failed Journal Audit Socket

    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.

    7 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: open-iscsi 2.0.873+git0.3b4b4500-14ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  Date: Thu Apr 28 17:28:04 2016
  ProcEnviron:
    TERM=xterm-256color
    PATH=(custom, no user)
  SourcePackage: open-iscsi
  UpgradeStatus: No upgrade log present (probably fresh install)

Mailing list: https://launchpad.net/~touch-packages
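The comment above makes three points: getpcaps output inside an unprivileged LXD container is not what the kernel enforces, ConditionPathIsReadWrite=/proc/sys/ passed although the path was not writable, and a comment-only /etc/fstab satisfies both ConditionPathExists= and ConditionFileNotEmpty=. The script below is an added example, not code from the bug thread, systemd or LXD; it checks each of those preconditions from inside a container by reading what the kernel actually exposes (the CapEff mask in /proc/self/status, the per-mount options in /proc/self/mountinfo, and the fstab content minus comments). Function names, the sample capability masks in the test, and the report wording are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug thread): check what the kernel really grants
# a container instead of trusting getpcaps or a unit's Condition*= line.

# Capability bit numbers as defined in linux/capability.h.
CAP_SYS_ADMIN=21
CAP_AUDIT_READ=37

# mask_has_cap HEXMASK CAPNUM: true when bit CAPNUM is set in a CapEff/CapBnd
# style hex mask as printed in /proc/<pid>/status.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_has_cap CAPNUM: check the calling process's own effective set.
# In an unprivileged container this is what the kernel enforces, whatever the
# "Capabilities for `1'" line from getpcaps shows.
effective_has_cap() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    mask_has_cap "$mask" "$1"
}

# mount_is_readonly PATH [MOUNTINFO]: find the longest mount point containing
# PATH in /proc/self/mountinfo and report whether that mount is read-only.
# Both the per-mount options (field 6, where a read-only bind mount of
# /proc/sys shows "ro") and the superblock options after the "-" separator
# are checked token by token, so "errors=remount-ro" is not mistaken for "ro".
# Exit status: 0 read-only, 1 writable, 2 no matching mount.
mount_is_readonly() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $5
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $6 "," $(i + 3) }
            }
        }
        END {
            if (best == 0) exit 2
            n = split(opts, a, ",")
            for (j = 1; j <= n; j++) if (a[j] == "ro") exit 0
            exit 1
        }' "${2:-/proc/self/mountinfo}"
}

# fstab_has_entries FILE: ConditionFileNotEmpty= is satisfied by a comment-only
# /etc/fstab; count only lines that are neither blank nor comments.
fstab_has_entries() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^[:space:]#]' "$1"
}

# Print what each of the units named in the comment would actually find here.
report() {
    if effective_has_cap "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN: in effective set"
    else
        echo "CAP_SYS_ADMIN: absent (remount-fs, hugepages mount cannot succeed)"
    fi
    if effective_has_cap "$CAP_AUDIT_READ"; then
        echo "CAP_AUDIT_READ: in effective set"
    else
        echo "CAP_AUDIT_READ: absent (journald-audit.socket should not start)"
    fi
    if mount_is_readonly /proc/sys; then
        echo "/proc/sys: read-only mount (sysctl unit should be skipped)"
    else
        echo "/proc/sys: writable or not a separate mount"
    fi
    if fstab_has_entries /etc/fstab; then
        echo "/etc/fstab: has real entries"
    else
        echo "/etc/fstab: missing or comments only (remount-fs has nothing to do)"
    fi
}

# Run the report only when invoked as "sh check.sh report"; sourcing the file
# just defines the functions.
case "${1-}" in report) report ;; esac
```

Run it with `sh check.sh report` inside the container. Reading CapEff rather than calling getpcaps matters because the capability sets are per process and per user namespace; the mountinfo check looks at the mount the kernel actually placed over /proc/sys, which is the thing the systemd condition should be answering about.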

