[lxc-users] Failed to reset devices.list (etc)

Christian Brauner christian at brauner.io
Sun Sep 9 14:52:06 UTC 2018


On Mon, Sep 10, 2018 at 01:54:21AM +1200, Richard Hector wrote:
> On 10/09/18 01:40, Christian Brauner wrote:
> > On Mon, Sep 10, 2018 at 01:30:42AM +1200, Richard Hector wrote:
> >> Hi all,
> >>
> >> I have messages like this in the logs on several of my (lxc, not lxd)
> >> containers:
> >>
> >> systemd[1]: phpsessionclean.service: Failed to reset devices.list:
> >> Operation not permitted
> >>
> >> systemd[1]: run-user-1000.mount: Failed to reset devices.list: Operation
> >> not permitted
> >>
> >> systemd[1]: apt-daily.service: Failed to reset devices.list: Operation
> >> not permitted
> >>
> >> systemd[1]: Failed to reset devices.list on
> >> /system.slice/systemd-tmpfiles-clean.service: Operation not permitted
> >>
> >> systemd[1]: Failed to reset devices.list on
> >> /system.slice/apt-daily.service: Operation not permitted
> >>
> >> Host is debian stretch, guests are a mix of debian and ubuntu.
> >>
> >> Searching the web finds various results of various ages; some claim to
> >> be fixed, others not.
> >>
> >> Some claim it's an issue with unprivileged containers only, but AFAIK
> >> I'm using privileged containers only (how do I tell?)
> >>
> >> What I can't find is:
> >>
> >> What is devices.list, what specifically (in each case) wants to reset
> >> it, and why?
> >>
> >> Can and should I stop it, and how?
> > 
> > No need to stop it. systemd will simply gracefully move on but report
> > an error. The devices.list regulates what devices a privileged
> > container can have access to. The container not being able to mess with
> > it is very much wanted for security reasons. There's no way to stop it
> > from LXC's side. If you really care about this you could probably
> > disable all services that try to touch it. But it's really not needed.
> 
> 
> Thanks Christian,
> 
> So my understanding is: The systemd service file tries to restrict what
> the service can access, for security, by altering the devices.list
> 
> The container won't let anything mess with devices.list, for security.
> 
> The two can't both happen at the same time.

Yes.

> 
> Is that about right?
> 
> Is it not possible to say "you can make it tighter, but not looser"?

Yes.

> 
> I guess I just add it to my logcheck ignores and carry on?

Yes.

:)
Christian

> 
> Thanks,
> 
> Richard
> 
> > Christian
> > 
> >>
> >> There are some references to setting "PrivateNetwork=false" in the
> >> service file (for the phpsessionclean one, at least) - but that didn't
> >> seem to have any effect.
> >>
> >> Any tips?
> >>
> >> Thanks,
> >> Richard
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
> >>
> >>
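Added example (not part of the thread and not LXC or systemd code): a small POSIX shell script that answers the two practical questions raised above, "how do I tell whether a container is privileged?" and "how do I make logcheck ignore these lines?". It reads /proc/self/uid_map (a privileged LXC container runs in the initial user namespace, so the map is the identity map "0 0 4294967295"; an unprivileged one maps container root to an unprivileged host uid range), shows the devices cgroup v1 devices.list if it is visible, and defines a logcheck-style ignore regex that is exercised against constructed syslog lines built from the messages quoted in the thread. The hostname, timestamps and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the lxc-users thread on "Failed to reset devices.list".
# Not code from LXC, systemd or the thread participants.

# Classify a container from the contents of a uid_map. The identity map
# "0 0 4294967295" means no user namespace, i.e. a privileged container.
classify_uid_map() {
    # $1: contents of a uid_map file (one or more "inside outside count" lines)
    first=$(printf '%s\n' "$1" | awk 'NR==1{print $1, $2, $3}')
    if [ "$first" = "0 0 4294967295" ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Convenience wrapper for the running container.
detect_container_type() {
    classify_uid_map "$(cat /proc/self/uid_map)"
}

# The devices cgroup v1 controller, as seen from inside the container.
# Writes to devices.allow/devices.deny here are what systemd attempts and
# what the kernel refuses with EPERM for a container.
show_devices_list() {
    f=/sys/fs/cgroup/devices/devices.list
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "no cgroup v1 devices controller visible at $f"
    fi
}

# logcheck ignore rule: syslog timestamp, hostname, "systemd[PID]: ", then
# either "<unit>: Failed to reset devices.list: ..." or
# "Failed to reset devices.list on <cgroup path>: ...". Drop this line into
# a file under /etc/logcheck/ignore.d.server/ (assumed path for Debian).
DEVICES_LIST_IGNORE='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (.*: )?Failed to reset devices\.list( on [^:]+)?: Operation not permitted$'

# Constructed sample log lines (hostname "web1" is made up); the first two
# are the thread's messages, the third is normal noise that must NOT match.
SAMPLE_LOG='Sep  9 14:52:06 web1 systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
Sep  9 14:52:07 web1 systemd[1]: Failed to reset devices.list on /system.slice/apt-daily.service: Operation not permitted
Sep  9 14:52:08 web1 systemd[1]: apt-daily.service: Started Daily apt download activities.'

# Exit 0 when the ignore rule would drop the given full syslog line.
matches_ignore_rule() {
    printf '%s\n' "$1" | grep -Eq "$DEVICES_LIST_IGNORE"
}

# Number of sample lines the rule drops (expected: 2).
count_ignored() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec "$DEVICES_LIST_IGNORE"
}

# Run with "demo" as the first argument inside a container to see the
# classification, the current devices.list and the rule in action.
if [ "${1:-}" = demo ]; then
    echo "container type: $(detect_container_type)"
    show_devices_list
    echo "logcheck ignore rule: $DEVICES_LIST_IGNORE"
    echo "sample lines dropped by the rule: $(count_ignored)"
fi
```

The regex deliberately requires the "Operation not permitted" tail, so a genuinely different devices cgroup failure would still reach you instead of being silenced along with the expected EPERM noise.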
