I know cntr does not explicitly say that it supports entering the environment of systemd units. But they should be basically the same as containers, right? With varying levels of namespace isolation depending on config.
I tried it on the pid of some systemd units and it worked as expected. However, for others like nginx with the default NixOS configuration, I got the following error.
# cntr attach 2056
failed to apply capabilities, failed to read capability limit, failed to open /proc/sys/kernel/cap_last_cap, No such file or directory (os error 2)
I guess that is because the nginx systemd unit is configured with ProtectProc=invisible. Is there a workaround for this already, so we can attach to everything except the capabilities of the “container”? Or is this something which is relatively easy to support?
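The error above is cntr failing to learn the kernel's highest capability number because /proc/sys/kernel/cap_last_cap is not visible inside the unit's mount namespace. The kernel can answer the same question without /proc: prctl(PR_CAPBSET_READ, n) returns 0 or 1 for every capability number the kernel knows and fails with EINVAL once n is past the last one, which is the probe libcap falls back to. The following C program, added here as an illustration and not code from the cntr project (cntr itself is written in Rust), tries the sysctl file first and falls back to the prctl probe; the non-existent path passed in main() is a constructed stand-in for a hidden /proc.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Read the kernel's advertised last capability number from a sysctl file
 * (normally /proc/sys/kernel/cap_last_cap). Returns -1 when the file cannot
 * be opened or parsed, which is the situation inside a unit whose /proc
 * mount hides it. */
int read_cap_last_cap_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int last = -1;
    if (fscanf(f, "%d", &last) != 1)
        last = -1;
    fclose(f);
    return last;
}

/* Fallback that needs no /proc at all: probe the bounding set one
 * capability at a time. prctl(PR_CAPBSET_READ, n) succeeds (0 or 1) for
 * every valid n and fails with EINVAL for the first n the kernel does not
 * know, so the last valid capability is n - 1. */
int probe_cap_last_cap(void) {
    for (int n = 0; n <= 255; n++) {   /* 255 is a defensive upper bound */
        errno = 0;
        if (prctl(PR_CAPBSET_READ, (unsigned long)n, 0, 0, 0) < 0 && errno == EINVAL)
            return n - 1;
    }
    return -1;
}

/* What an attach tool would call: prefer the sysctl, fall back to probing
 * when the file is unreadable instead of aborting. */
int cap_last_cap(const char *sysctl_path) {
    int last = read_cap_last_cap_file(sysctl_path);
    return last >= 0 ? last : probe_cap_last_cap();
}

int main(void) {
    printf("sysctl file : %d\n", read_cap_last_cap_file("/proc/sys/kernel/cap_last_cap"));
    printf("prctl probe : %d\n", probe_cap_last_cap());
    /* Constructed path standing in for a /proc that hides the sysctl. */
    printf("with fallback: %d\n", cap_last_cap("/proc/sys/kernel/cap_last_cap.hidden-example"));
    return 0;
}
```

On a host where the sysctl is readable, the first two numbers agree; the third shows the fallback producing the same answer when the file is gone, which is the behaviour the attach step would need in order to proceed inside a unit with a restricted /proc.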