Bug 1503066
Summary: | systemd read-only container fails to start systemd-journald.socket | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora <jpazdziora> |
Component: | runc | Assignee: | Jindrich Novy <jnovy> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.4 | CC: | amurdaca, dwalsh, jpazdziora, lsm5, mpatel |
Target Milestone: | rc | Keywords: | Extras |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-06-03 13:59:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Pazdziora
2017-10-17 10:12:06 UTC
What seems to be missing in the read-only container is /dev/log. The /dev seems to be mounted read-only: tmpfs on /dev type tmpfs (ro,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c31,c804",mode=755) Well /dev can be readonly but /dev/log should not. But maybe this is being created. Which means that /dev/ should really not be readonly. This might be an issue in runc. Antonio can you check if runc is setting /dev read-only if the read-only flag is passed? (In reply to Daniel Walsh from comment #3) > Well /dev can be readonly but /dev/log should not. But maybe this is being > created. Which means that /dev/ should really not be readonly. Right, /dev/log does not exist in /dev and systemd-journald.socket attempts to create it. I'm not sure if we have a way to have /dev/log exist (maybe as symlink to /var?) in the read-only /dev filesystem ... No, we need to fix runc or docker to not mount /dev as readonly that is not part of the image and should be read/write The situation when running fedora:24 is strange though -- the systemd upon startup says Starting Update is Completed... [ OK ] Listening on Journal Socket (/dev/log). Starting Journal Service... [ OK ] Started Load/Save Random Seed. yet there is no /dev/log in the container # docker exec systemd-ro ls -la /dev/log ls: cannot access '/dev/log': No such file or directory and of course the /dev is mounted read-only there as well. # docker exec systemd-ro mount | grep '/dev ' tmpfs on /dev type tmpfs (ro,relatime,context="system_u:object_r:svirt_sandbox_file_t:s0:c14,c449",mode=755) I would test with newer fedora:* images but due to bug 1373780, the systemd does not show status upon boot at all, so it's hard to see what is actually going on there. I believe this works on RHEL8. Reopen if I am mistaken. |