systemd under systemd-nspawn waits for already defunct processes


systemd under systemd-nspawn waits for already defunct processes

Postby svvac » Wed Nov 30, 2016 7:20 am

Hi,
I'm running a container using systemd-nspawn with a grsec-patched kernel on an up-to-date ArchLinux. Inside that container, when I try to use postfix and run `systemctl stop postfix`, the process is correctly stopped; however, systemd still waits for the process to exit (which it has).

There are lots of details in the original bug report against systemd (I was directed to you guys).

Let me know if there is anything more you need to diagnose the issue.

Cheers
svvac
 
Posts: 2
Joined: Wed Nov 30, 2016 7:13 am

Re: systemd under systemd-nspawn waits for already defunct processes

Postby spender » Wed Nov 30, 2016 9:21 am

Can you try disabling CONFIG_GRKERNSEC_CHROOT_FINDTASK, or `echo 0 > /proc/sys/kernel/grsecurity/chroot_findtask`?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: systemd under systemd-nspawn waits for already defunct processes

Postby svvac » Wed Nov 30, 2016 10:31 am

Indeed. `sysctl -w kernel.grsecurity.chroot_findtask=0` solves the issue.

Reading the `chroot_findtask` option description, it seems to suggest that postfix somehow escapes the container? I'm not sure I fully understand the implications here...

Thanks a lot!

Edited to show my google-fu is not completely useless...
svvac
 
Posts: 2
Joined: Wed Nov 30, 2016 7:13 am
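A small diagnostic for the symptom in this thread, added here as an example (it is not code from either poster or from grsecurity): it classifies a unit as stuck when systemd reports it as deactivating while its main PID is gone or a zombie, and reports the chroot_findtask sysctl when the kernel exposes it. It assumes a systemd with `systemctl show --value` (230 or later) and is meant to be run inside the container; the unit name is whatever you pass in.

```shell
#!/bin/sh
# Diagnose a unit that systemd keeps "deactivating" although its process is gone.
# Constructed example; run inside the nspawn container as root.
GRSEC_FINDTASK=/proc/sys/kernel/grsecurity/chroot_findtask

# classify_unit ACTIVE_STATE PROC_STATE
#   ACTIVE_STATE: systemd's ActiveState property (e.g. "deactivating")
#   PROC_STATE:   first letter of "State:" from /proc/PID/status, "" if the PID is gone
# Prints one of: stuck, stopping, idle
classify_unit() {
    active="$1"; pstate="$2"
    if [ "$active" = "deactivating" ]; then
        case "$pstate" in
            ""|Z) echo stuck ;;    # systemd still waiting, but the task is gone or a zombie
            *)    echo stopping ;; # the process really is still running
        esac
    else
        echo idle
    fi
}

# proc_state PID: first letter of the State: field, empty if /proc/PID is absent
proc_state() {
    [ -r "/proc/$1/status" ] || { echo ""; return 0; }
    awk '/^State:/ { print substr($2, 1, 1); exit }' "/proc/$1/status"
}

# findtask_hint: report the grsecurity knob discussed in the thread, if present
findtask_hint() {
    [ -r "$GRSEC_FINDTASK" ] || { echo "chroot_findtask: not a grsecurity kernel"; return 0; }
    if [ "$(cat "$GRSEC_FINDTASK")" = "1" ]; then
        echo "chroot_findtask=1: chrooted services in the container may hang on stop"
    else
        echo "chroot_findtask=0"
    fi
}

# diagnose UNIT: combine systemd's view of the unit with what /proc says about its PID
diagnose() {
    unit="$1"
    active=$(systemctl show -p ActiveState --value "$unit")
    pid=$(systemctl show -p MainPID --value "$unit")
    if [ "$pid" = "0" ]; then pstate=""; else pstate=$(proc_state "$pid"); fi
    printf '%s: %s (MainPID=%s state=%s)\n' "$unit" \
        "$(classify_unit "$active" "$pstate")" "$pid" "${pstate:-gone}"
    findtask_hint
}
```

Call it as `diagnose postfix.service` while the stop command is hanging; a "stuck" result together with `chroot_findtask=1` matches the situation described in this thread.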
