sys-apps/systemd: allow @mount syscalls for systemd-udevd.service #3367
Conversation
Instead of patching the source, can we ship a unit drop-in?

Build action triggered: https://github.com/flatcar/scripts/actions/runs/19365076690

Indeed, that is what I was expecting. The

One can argue where this would go, e.g., we have some drop-ins in https://github.com/flatcar/init/tree/flatcar-master/systemd/system

I was discussing with @t-lo, and he suggested it would be better to ship it directly in a systemd package instead of baselayout. But yeah, it might be easier to ship it in init/baselayout so that we don't have to maintain yet another patch.

The package is also a good place: the drop-in file can be brought in through the ebuild installing it instead of a source patch.

Our systemd package is currently forked from Gentoo, but ideally we would unfork it at some point. You could add the drop-in using a
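The discussion above settles on shipping a unit drop-in rather than patching systemd. The question a reviewer then wants answered is how `SystemCallFilter=` in a drop-in combines with the filter already set in `systemd-udevd.service`. The script below is an added example, not code from this PR or from Flatcar: it models the documented `SystemCallFilter=` merge rules from systemd.exec(5) (repeated assignments merge, a leading `~` inverts, an empty assignment resets the filter, and an allowlist implicitly keeps `@default`) over a constructed unit file plus the `flatcar.conf` drop-in from this PR. The base allowlist in the constructed unit is illustrative rather than udevd's real one, syscall groups such as `@mount` are kept as opaque tokens instead of being expanded, and only a single drop-in directory is modelled.

```python
# Added example (not from the flatcar/scripts PR or from Flatcar): a simplified
# model of how systemd folds SystemCallFilter= across a unit and its drop-ins.
import tempfile
from pathlib import Path


def parse_unit(text):
    """Return ordered (section, key, value) triples from a unit-file fragment.
    Comments (# or ;) and blank lines are skipped; line continuations are not
    modelled, which is enough for the drop-in discussed here."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        entries.append((section, key.strip(), value.strip()))
    return entries


def fragment_order(unit_path):
    """systemd reads the unit file first, then <unit>.d/*.conf in lexical order."""
    unit_path = Path(unit_path)
    dropin_dir = unit_path.with_name(unit_path.name + ".d")
    dropins = sorted(dropin_dir.glob("*.conf")) if dropin_dir.is_dir() else []
    return [unit_path, *dropins]


def fold_syscall_filters(values):
    """Apply SystemCallFilter= assignments in order. The first non-empty value
    fixes the mode: allowlist ('allow') or, with a leading '~', denylist ('deny').
    Later values add to or remove from that set; an empty value resets it.
    systemd implicitly keeps @default on an allowlist, modelled here too.
    Returns (mode, frozenset_of_tokens)."""
    mode, calls = None, set()
    for value in values:
        if value == "":
            mode, calls = None, set()
            continue
        inverted = value.startswith("~")
        items = set(value.lstrip("~").split())
        if mode is None:
            mode = "deny" if inverted else "allow"
            if mode == "allow":
                calls.add("@default")
        # '~x' on an allowlist, or plain 'x' on a denylist, removes x from the
        # set; in every other combination the tokens are added to it.
        if inverted == (mode == "allow"):
            calls -= items
        else:
            calls |= items
    return mode, frozenset(calls)


def effective_syscall_filter(unit_path):
    """Collect [Service] SystemCallFilter= values over unit + drop-ins and fold them."""
    values = [
        value
        for frag in fragment_order(unit_path)
        for section, key, value in parse_unit(frag.read_text())
        if section == "Service" and key == "SystemCallFilter"
    ]
    return fold_syscall_filters(values)


# Drop-in body as installed by the PR's ebuild (flatcar.conf), reproduced verbatim.
FLATCAR_DROPIN = """\
# In Flatcar we are using modprobe helpers that run depmod in temporary
# overlay. systemd-udevd.service may try to load drivers for some block devices
# (e.g. ZFS), which ends up calling our helpers, which invoke mount command.
# The mount syscalls are forbidden by the default systemd-udevd syscall filter.
[Service]
SystemCallFilter=@mount
"""


def demo():
    """Lay out a constructed udevd unit (illustrative allowlist, not the real one)
    plus the flatcar.conf drop-in, then compare against a drop-in that resets the
    filter first. Returns (extended_filter, reset_filter)."""
    with tempfile.TemporaryDirectory() as tmp:
        unit = Path(tmp) / "systemd-udevd.service"
        unit.write_text("[Service]\nSystemCallFilter=@system-service @module\n")
        dropin_dir = Path(tmp) / "systemd-udevd.service.d"
        dropin_dir.mkdir()
        (dropin_dir / "flatcar.conf").write_text(FLATCAR_DROPIN)
        extended = effective_syscall_filter(unit)
        # An empty assignment throws away the base allowlist: udevd would be left
        # with only @default and @mount, which is not what the PR intends.
        (dropin_dir / "zz-reset.conf").write_text(
            "[Service]\nSystemCallFilter=\nSystemCallFilter=@mount\n")
        reset = effective_syscall_filter(unit)
    return extended, reset


if __name__ == "__main__":
    for label, (mode, calls) in zip(("drop-in merged", "drop-in after reset"), demo()):
        print(f"{label}: {mode}list {sorted(calls)}")
```

The comparison shows the property the PR relies on: a drop-in containing only `SystemCallFilter=@mount` widens udevd's existing allowlist by that one group, whereas a drop-in that first assigns the empty string would discard the base allowlist entirely. On a real host the same check is `systemctl show -p SystemCallFilter systemd-udevd.service` after `systemctl daemon-reload`.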
chewi
left a comment
You don't need to put this in the cros_post_src_install_timesync function. You can create another function called cros_post_src_install_udev.
| mkdir -p "${dir}" | ||
| pushd "${dir}" | ||
| cat <<EOF >flatcar.conf || die | ||
| # In Flatcar we are using modprobe helpers that run depmod in temporary | ||
| # overlay. systemd-udevd.service may try to load drivers for some block devices | ||
| # (e.g. ZFS), which ends up calling our helpers, which invoke mount command. | ||
| # The mount syscalls are forbidden by the default systemd-udevd syscall filter. | ||
|
|
||
| [Service] | ||
| SystemCallFilter=@mount | ||
| EOF | ||
| popd |
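Review bot: `mkdir -p "${dir}"` and `pushd "${dir}"` on the first two lines have no `|| die`, so if either fails the heredoc is written into whatever the current directory happens to be and the build carries on as if the drop-in had been installed; `popd` is unchecked too. Ebuild helpers do this checking for you and remove the directory change altogether, e.g. `insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"` followed by `newins - flatcar.conf <<EOF`.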
Sorry, I should have spotted this before. You've based this on the other function, but it doesn't use || die enough and doesn't use ebuild helpers either. Don't feel you have to waste CI time running it again though, a local build is enough to check this.
| mkdir -p "${dir}" | |
| pushd "${dir}" | |
| cat <<EOF >flatcar.conf || die | |
| # In Flatcar we are using modprobe helpers that run depmod in temporary | |
| # overlay. systemd-udevd.service may try to load drivers for some block devices | |
| # (e.g. ZFS), which ends up calling our helpers, which invoke mount command. | |
| # The mount syscalls are forbidden by the default systemd-udevd syscall filter. | |
| [Service] | |
| SystemCallFilter=@mount | |
| EOF | |
| popd | |
| insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d" | |
| newins - flatcar.conf <<EOF | |
| # In Flatcar we are using modprobe helpers that run depmod in temporary | |
| # overlay. systemd-udevd.service may try to load drivers for some block devices | |
| # (e.g. ZFS), which ends up calling our helpers, which invoke mount command. | |
| # The mount syscalls are forbidden by the default systemd-udevd syscall filter. | |
| [Service] | |
| SystemCallFilter=@mount | |
| EOF |
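Review bot: the `insinto`/`newins -` form in the added lines fails the build on error, which addresses the missing `|| die` from the removed version; note that `newins -` reading the file from stdin needs EAPI 5 or later and `systemd_get_systemunitdir` needs the systemd eclass inherited, neither of which is visible in this hunk. On the drop-in content itself, `SystemCallFilter=@mount` merges into udevd's existing allowlist rather than replacing it, so the net effect is to widen udevd's seccomp sandbox by the whole `@mount` group (umount2, pivot_root and chroot alongside mount, plus the newer mount API calls), not only mount(2); the comment block records why that widening is needed, which is the right place for the justification.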
Thanks for the feedback! Updated the implementation to use proper ebuild helpers (
chewi
left a comment
Great! Sorry for all the round trips.
In Flatcar we are using modprobe helpers that run depmod in temporary overlay. systemd-udevd.service may try to load drivers for some block devices (e.g. ZFS), which ends up calling our helpers, which invoke mount command. The mount syscalls are forbidden by the default systemd-udevd syscall filter. Signed-off-by: Daniel Zatovic <[email protected]>
Oops, this should have had a changelog entry. Please use the PR template in future.

The missing changelog has been added to 4515 and the fix (with the changelog) has been backported to 4459.