
systemd under systemd-nspawn waits for already defunct processes

Posted: Wed Nov 30, 2016 7:20 am
by svvac
Hi,
I'm running a container using systemd-nspawn with a grsec-patched kernel on an up-to-date ArchLinux. On that container, when trying to use postfix, when I `systemctl stop postfix`, the process is correctly stopped, however systemd still waits for the process to exit (which it has).

There are lots of details in the original bug report against systemd (I was directed to you guys).

Let me know if there is anything more you need to diagnose the issue.

Cheers

Re: systemd under systemd-nspawn waits for already defunct processes

Posted: Wed Nov 30, 2016 9:21 am
by spender
Can you try disabling CONFIG_GRKERNSEC_CHROOT_FINDTASK, or `echo 0 > /proc/sys/kernel/grsecurity/chroot_findtask`?

-Brad

Re: systemd under systemd-nspawn waits for already defunct processes

Posted: Wed Nov 30, 2016 10:31 am
by svvac
Indeed. `sysctl -w kernel.grsecurity.chroot_findtask=0` solves the issue.

Reading the chroot_findtask option description, it suggests that postfix escapes the container somehow? I'm not sure I fully understand the implications here...

Thanks a lot!

Edited to show my google-fu is not completely useless...