FS#55082 - [devtools] arch-nspawn broken when run inside container
Attached to Project:
Arch Linux
Opened by Maarten de Vries (de-vri-es) - Wednesday, 09 August 2017, 13:23 GMT
Last edited by Kristian (klausenbusk) - Saturday, 03 June 2023, 18:07 GMT
Opened by Maarten de Vries (de-vri-es) - Wednesday, 09 August 2017, 13:23 GMT
Last edited by Kristian (klausenbusk) - Saturday, 03 June 2023, 18:07 GMT
|
Details
When running `arch-nspawn` from inside a container (either
started with `arch-nspawn` or `systemd-nspawn` directly), it
now fails with the error shown below. I tested this with
systemd-234.11-6 and devtools-20170320-3.
$ sudo arch-nspawn temp [root@temp ~]# arch-nspawn temp Failed to open system bus: No such file or directory Received notify message without valid credentials. Ignoring. Host and machine ids are equal (....): refusing to link journals If binding /run/dbus/system_bus_socket into the container: $ sudo arch-nspawn temp --bind-ro /run/dbus/system_bus_socket [root@temp ~]# arch-nspawn temp Failed to allocate scope: Unit temp.scope already exists. Received notify message without valid credentials. Ignoring. Host and machine ids are equal (....): refusing to link journals Parent died too early This is probably caused by the fact that `systemd-nspawn` now registers a scope when `--register=no` is specified, unless `--keep-unit` is also specified [1]. That was done to enable `--slice` and `--property` to work with `--register=no`. But to register the scope, `systemd-nspawn` needs to contact systemd over dbus. Additionally, the scope name is not unique right now [2], so only binding `/run/dbus/system_bus_socket` into the container won't help. The fix for that has already been merged upstream though [3]. [1] https://github.com/systemd/systemd/pull/6166 [2] https://github.com/systemd/systemd/issues/6347 [3] https://github.com/systemd/mkosi/pull/127 The fix could be as easy as adding `--keep-unit` to the `systemd-nspawn` flags. That means `--slice` and `--property` still won't work with `arch-nspawn`, but I don't think that really matters. The alternative is to wait for the fix to be released and/or land in Arch and bind `/run/dbus/system_bus_socket` into the container from `arch-nspawn`. That does expose the entire dbus system bus to the container though. I'm not sure if that is desirable. Note that this currently prevents running `mkarchroot` inside a container, since it runs `arch-nspawn` without exposing a way to add `--keep-unit`. Once [3] is available in Arch, `mkarchroot` should work again if `/run/dbus/dbus_system_socket` was bound into the container from which `mkarchroot` is run. So maybe the conclusion is that nothing has to be done except wait for [3]. People wanting to run nested containers should then either bind the dbus system bus into their container, or run `{arch,systemd}-nspawn` with `--keep-unit`. I think the devtools maintainers can best decide on this. |
This task depends upon
Closed by Kristian (klausenbusk)
Saturday, 03 June 2023, 18:07 GMT
Reason for closing: Upstream
Additional comments about closing: Please report upstream if this is still relevant: https://gitlab.archlinux.org/archlinux/d evtools.
Saturday, 03 June 2023, 18:07 GMT
Reason for closing: Upstream
Additional comments about closing: Please report upstream if this is still relevant: https://gitlab.archlinux.org/archlinux/d evtools.
A unique scope name should fix running multiple containers in parallel from the host, but it is not really a nice solution for running nested containers. You would still be forced to expose the dbus system bus in the container, allowing root in the container to manage systemd services of the host (amongst others, if I'm not mistaken).