core: fall back to bind-mounts for PrivateDevices= execution environments

Bug #1770481 reported by Christian Brauner
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| systemd (Ubuntu) | Invalid | Undecided | Unassigned | |

Bug Description

Hey,

Currently any service that has PrivateDevices=true set will fail to start in unprivileged containers since mknod is not possible and in privileged containers that drop CAP_MKNOD. I pushed a patch to systemd upstream that solves this problem and makes PrivateDevices useable in both scenarios. It would be great if this could be backported to Ubuntu 16.04 and 18.04. We already have a lot of users that would like this feature enabled/don't want to edit each service file:

16498617443da94533ef9ae28be0ffaace40c526 : https://github.com/systemd/systemd/commit/af984e137e7f53ca3e2fd885b03a25e17fdd0fad

af984e137e7f53ca3e2fd885b03a25e17fdd0fad : https://github.com/systemd/systemd/commit/16498617443da94533ef9ae28be0ffaace40c526

Thanks!
Christian

Christian Brauner (cbrauner) wrote :

We just had a short discussion on systemd and for systemd 229 on 16.04 we also need:

9e5f825280192be429cc79153235d12778427fae : https://github.com/systemd/systemd/commit/9e5f825280192be429cc79153235d12778427fae

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Brian Morton (rokclimb15) wrote :

Confirmed problem on Ubuntu 16.04 host running 16.04 container with a packaged version of Proxysql2. Changing PrivateDevices to "no" allows the service to start.

```
[Unit]
Description=High Performance Advanced Proxy for MySQL
After=network.target

[Service]
Type=forking
RuntimeDirectory=proxysql
ExecStart=/usr/bin/proxysql -c /etc/proxysql.cnf
PIDFile=/var/lib/proxysql/proxysql.pid
SyslogIdentifier=proxysql
Restart=no
User=proxysql
Group=proxysql
PermissionsStartOnly=true
UMask=0007
LimitNOFILE=102400
LimitCORE=1073741824
ProtectHome=yes
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_ALG
ProtectSystem=full
PrivateDevices=yes

[Install]
Alias=proxysql
WantedBy=multi-user.target
```
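
The two failing scenarios named in this report (an unprivileged container, and a privileged container that drops CAP_MKNOD) can be checked for before a unit with `PrivateDevices=` is deployed on a systemd without the fallback. The following is an added example, not part of the original thread or of systemd: the function names and sample inputs are constructed, and treating a non-identity `/proc/self/uid_map` as "running in a user namespace" is a heuristic assumption.

```python
CAP_MKNOD = 27  # bit number of CAP_MKNOD in linux/capability.h
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

def bounding_set_has_mknod(proc_status):
    """Decode the CapBnd hex mask from /proc/<pid>/status text."""
    for line in proc_status.splitlines():
        if line.startswith("CapBnd:"):
            return bool((int(line.split()[1], 16) >> CAP_MKNOD) & 1)
    raise ValueError("no CapBnd line in status text")

def in_user_namespace(uid_map):
    """Heuristic: the initial user namespace has the map '0 0 4294967295'."""
    return uid_map.split() != ["0", "0", "4294967295"]

def private_devices_enabled(unit_text):
    """True if [Service] sets PrivateDevices= to a true value (last one wins)."""
    section, enabled = None, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "PrivateDevices":
                enabled = value.lower() in TRUE_VALUES
    return enabled

def needs_fallback(unit_text, proc_status, uid_map):
    """Unit asks for a private /dev but device-node mknod is unavailable."""
    blocked = in_user_namespace(uid_map) or not bounding_set_has_mknod(proc_status)
    return private_devices_enabled(unit_text) and blocked

# Constructed sample inputs (not captured from a real system).
UNIT = "[Unit]\nDescription=demo\n\n[Service]\nProtectSystem=full\nPrivateDevices=yes\n"
STATUS_NO_MKNOD = "Name:\tsystemd\nCapBnd:\t000001fff7ffffff\n"  # bit 27 cleared
STATUS_FULL = "Name:\tsystemd\nCapBnd:\t000001ffffffffff\n"
HOST_UID_MAP = "         0          0 4294967295\n"
USERNS_UID_MAP = "         0    1000000 1000000000\n"

if __name__ == "__main__":
    print("privileged, CAP_MKNOD dropped:", needs_fallback(UNIT, STATUS_NO_MKNOD, HOST_UID_MAP))
    print("unprivileged (user namespace):", needs_fallback(UNIT, STATUS_FULL, USERNS_UID_MAP))
    print("host, full bounding set:      ", needs_fallback(UNIT, STATUS_FULL, HOST_UID_MAP))
```

On a real system, pass the contents of `/proc/1/status`, `/proc/self/uid_map` and the unit file instead of the sample strings.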

Dan Streetman (ddstreet) wrote :

Please reopen if this is still an issue.

Changed in systemd (Ubuntu):
status: Confirmed → Invalid