[lxc-users] Failed to reset devices.list (etc)

Richard Hector richard at walnut.gen.nz
Sun Sep 9 13:54:21 UTC 2018


On 10/09/18 01:40, Christian Brauner wrote:
> On Mon, Sep 10, 2018 at 01:30:42AM +1200, Richard Hector wrote:
>> Hi all,
>>
>> I have messages like this in the logs on several of my (lxc, not lxd)
>> containers:
>>
>> systemd[1]: phpsessionclean.service: Failed to reset devices.list:
>> Operation not permitted
>>
>> systemd[1]: run-user-1000.mount: Failed to reset devices.list: Operation
>> not permitted
>>
>> systemd[1]: apt-daily.service: Failed to reset devices.list: Operation
>> not permitted
>>
>> systemd[1]: Failed to reset devices.list on
>> /system.slice/systemd-tmpfiles-clean.service: Operation not permitted
>>
>> systemd[1]: Failed to reset devices.list on
>> /system.slice/apt-daily.service: Operation not permitted
>>
>> Host is debian stretch, guests are a mix of debian and ubuntu.
>>
>> Searching the web finds various results of various ages; some claim to
>> be fixed, others not.
>>
>> Some claim it's an issue with unprivileged containers only, but AFAIK
>> I'm using privileged containers only (how do I tell?)
>>
>> What I can't find is:
>>
>> What is devices.list, what specifically (in each case) wants to reset
>> it, and why?
>>
>> Can and should I stop it, and how?
> 
> No need to stop it. systemd will simply gracefully move on but report
> an error. The devices.list regulates what devices a privileged
> container can have access to. The container not being able to mess with
> it is very much wanted for security reasons. There's no way to stop it
> from LXC's side. If you really care about this you could probably
> disable all services that try to touch it. But it's really not needed.


Thanks Christian,

So my understanding is: The systemd service file tries to restrict what
the service can access, for security, by altering the devices.list

The container won't let anything mess with devices.list, for security.

The two can't both happen at the same time.

Is that about right?

Is it not possible to say "you can make it tighter, but not looser"?

I guess I just add it to my logcheck ignores and carry on?

Thanks,

Richard

> Christian
> 
>>
>> There are some references to setting "PrivateNetwork=false" in the
>> service file (for the phpsessionclean one, at least) - but that didn't
>> seem to have any effect.
>>
>> Any tips?
>>
>> Thanks,
>> Richard
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
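Two of the practical questions in this thread (how to tell whether a container is privileged, and how to silence the message in logcheck) can be answered with a small script. The following is an added example, not code from the thread or from LXC/systemd. It assumes a cgroup v1 layout with the devices controller mounted at /sys/fs/cgroup/devices, and the logcheck ignore regex is one I constructed; the uid_map, devices.list and syslog samples in the usage section are also constructed.

```shell
#!/bin/sh
# Helpers for the devices.list question in a privileged LXC container.
# Assumed paths: /proc/self/uid_map and /sys/fs/cgroup/devices/devices.list (cgroup v1).

# Classify a user-namespace mapping from the text of /proc/self/uid_map.
# A privileged LXC container (and a bare host) has the identity map
# "0 0 4294967295"; an unprivileged container has a remapped range.
classify_uid_map() {
    printf '%s\n' "$1" | head -n 1 | {
        read -r inside outside count
        if [ "$inside" = "0" ] && [ "$outside" = "0" ] && [ "$count" = "4294967295" ]; then
            echo privileged
        else
            echo unprivileged
        fi
    }
}

# Summarise the contents of devices.list: "a *:* rwm" means every device
# is allowed; otherwise report how many explicit char/block rules apply.
summarize_devices_list() {
    if printf '%s\n' "$1" | grep -Eq '^a +\*:\* +rwm$'; then
        echo unrestricted
    else
        n=$(printf '%s\n' "$1" | grep -Ec '^[bc] ' || true)
        echo "restricted ($n rules)"
    fi
}

# Constructed logcheck ignore rule (extended regex, one syslog line per match)
# covering both message shapes seen in the thread:
#   "<unit>: Failed to reset devices.list: Operation not permitted"
#   "Failed to reset devices.list on <cgroup path>: Operation not permitted"
LOGCHECK_IGNORE='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[0-9]+\]: (.*: )?Failed to reset devices\.list( on [^ ]+)?: Operation not permitted$'

# Exit 0 if a syslog line would be ignored by the rule above, 1 otherwise.
matches_ignore() {
    printf '%s\n' "$1" | grep -Eq "$LOGCHECK_IGNORE"
}

# Inspect the running system using the assumed paths, when they exist.
report_self() {
    if [ -r /proc/self/uid_map ]; then
        echo "user namespace: $(classify_uid_map "$(cat /proc/self/uid_map)")"
    fi
    if [ -r /sys/fs/cgroup/devices/devices.list ]; then
        echo "device policy: $(summarize_devices_list "$(cat /sys/fs/cgroup/devices/devices.list)")"
    fi
}

# Usage: sh devcheck.sh check   (runs report_self against the live system)
if [ "${1-}" = "check" ]; then
    report_self
fi
```

A privileged container reports "privileged" from its identity uid_map, which is the same reading a bare host gives, so the check only distinguishes remapped (unprivileged) containers from everything else. The devices.list summary shows whether the container's own device policy is wide open or a fixed rule set, which is the list the container is not allowed to loosen; the ignore rule can be dropped into a logcheck ignore.d file once it has been matched against real lines from the system.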



