Skip to content

mount namespace cleanups#10012

Closed
yuwata wants to merge 3 commits intosystemd:masterfrom
yuwata:namespace-slave-remounting
Closed

mount namespace cleanups#10012
yuwata wants to merge 3 commits intosystemd:masterfrom
yuwata:namespace-slave-remounting

Conversation

@yuwata
Copy link
Member

@yuwata yuwata commented Sep 5, 2018

Since 1beab8b, failure in unshare() is treated differently from other mount() failures.
When remounting / as SLAVE failed, then no mount point specified in the unit is not mounted yet. So, this makes the remounting failure be treated as the same as unshare() failure.

I hope this partially fixes #9700 and #10011.

@yuwata yuwata added the pid1 label Sep 5, 2018
@yuwata
Copy link
Member Author

yuwata commented Sep 5, 2018

@mbiebl Could you test this?

@yuwata yuwata force-pushed the namespace-slave-remounting branch from c302f21 to cfe3155 Compare September 5, 2018 05:58
@yuwata yuwata added the tests label Sep 5, 2018
@yuwata
Copy link
Member Author

yuwata commented Sep 5, 2018

@evverx and @mbiebl I have added a check for mount namespace in test-execute. I've tested this only on nspawn with --drop-capability CAP_SYS_ADMIN.

@yuwata yuwata force-pushed the namespace-slave-remounting branch from d3d176f to 4221f27 Compare September 5, 2018 06:33
@yuwata yuwata force-pushed the namespace-slave-remounting branch from 4221f27 to 563860e Compare September 5, 2018 13:16
@yuwata
Copy link
Member Author

yuwata commented Sep 5, 2018

Updated. @sourcejedi's comment is addressed.

@evverx
Copy link
Contributor

evverx commented Sep 5, 2018

Some of the tests fail because systemd can't start services that have DynamicUsers such as systemd-resolved and systemd-networkd. I don't think that this PR has changed this and I'm not sure what can be done about it. My opinion (which is very unpopular here, to say the least :-)) is that systemd shouldn't proceed to start services in this case and if services are supposed to be run everywhere, then the brittle security features shouldn't be used there in the first place. I know we've discussed that before, but, hey, at least I tried :-)

@mbiebl
Copy link
Contributor

mbiebl commented Sep 5, 2018

@evverx
Copy link
Contributor

evverx commented Sep 5, 2018

That just means that everything will stop working as soon as it has been decided that they should be turned on again. My grumpy comments aside, @mbiebl are you saying that all the tests are passing now with this patch applied?

@mbiebl
Copy link
Contributor

mbiebl commented Sep 5, 2018

With this PR applied, some/most of the test-suite failures are fixed.
test-execute still fails from root-unittests (no regression to v237),
networkd-test.py still fails (regression to v237)

test log attached:
log.txt

@evverx
Copy link
Contributor

evverx commented Sep 5, 2018

It seems to me that even though the static user is used, context->dynamic_user is true, which, in turn, makes systemd stop systemd-resolved (and any other service with DynamicUser for that matter).

@mbiebl
Copy link
Contributor

mbiebl commented Sep 5, 2018

@evverx The Debian systemd package does allocate static system users in postinst but does not patch out DynamicUser=yes from systemd-{networkd,resolved,timesyncd}.service.

@evverx
Copy link
Contributor

evverx commented Sep 5, 2018

@mbiebl sorry, I didn't mean to say that something is wrong with the Debian package. I don't think it should be patched out explicitly. It's just that maybe the condition ! context->dynamic_user isn't entirely correct.

@yuwata
Copy link
Member Author

yuwata commented Sep 6, 2018

@evverx Thank you for the comment. I've dropped the condition !c->dynamic_user. PTAL.
@mbiebl Thank you for testing this. Could you test this again?

@yuwata yuwata force-pushed the namespace-slave-remounting branch from 563860e to 12af23c Compare September 6, 2018 02:34
@mbiebl
Copy link
Contributor

mbiebl commented Sep 6, 2018

Unfortunately networkd/timesyncd/resolved still fails with the updated PR (specifically the networkd-test.py test)
When I try to e.g. run networkd in the LXC container, I get

● systemd-networkd.service - Network Service
   Loaded: loaded (/lib/systemd/system/systemd-networkd.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-09-06 05:11:51 UTC; 3s ago
     Docs: man:systemd-networkd.service(8)
  Process: 1317 ExecStart=/lib/systemd/systemd-networkd (code=exited, status=226/NAMESPACE)
 Main PID: 1317 (code=exited, status=226/NAMESPACE)

Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 5.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Stopped Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Start request repeated too quickly.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed to reset devices.list: Operation not permitted
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Starting Network Service...
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1305]: systemd-networkd.service: Failed to set up mount namespacing: Permission denied
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1305]: systemd-networkd.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-networkd: Permission denied
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=226/NAMESPACE
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 1.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Stopped Network Service.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed to reset devices.list: Operation not permitted
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Starting Network Service...
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1308]: systemd-networkd.service: Failed to set up mount namespacing: Permission denied
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1308]: systemd-networkd.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-networkd: Permission denied
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=226/NAMESPACE
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 2.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Stopped Network Service.
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed to reset devices.list: Operation not permitted
Sep 06 05:11:50 autopkgtest-lxc-bkpkiz systemd[1]: Starting Network Service...
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1311]: systemd-networkd.service: Failed to set up mount namespacing: Permission denied
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1311]: systemd-networkd.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-networkd: Permission denied
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=226/NAMESPACE
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 3.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Stopped Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed to reset devices.list: Operation not permitted
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Starting Network Service...
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1314]: systemd-networkd.service: Failed to set up mount namespacing: Permission denied
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1314]: systemd-networkd.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-networkd: Permission denied
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=226/NAMESPACE
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 4.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Stopped Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed to reset devices.list: Operation not permitted
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Starting Network Service...
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1317]: systemd-networkd.service: Failed to set up mount namespacing: Permission denied
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1317]: systemd-networkd.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-networkd: Permission denied
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=226/NAMESPACE
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 5.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Stopped Network Service.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Start request repeated too quickly.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
Sep 06 05:11:51 autopkgtest-lxc-bkpkiz systemd[1]: Failed to start Network Service.

@yuwata
Copy link
Member Author

yuwata commented Sep 6, 2018

Ah, I found a mistake. I will update this.

@evverx
Copy link
Contributor

evverx commented Sep 6, 2018

I'm not sure the condition should be dropped altogether because, if I understand correctly, it's likely to reintroduce #9835. I hope @sourcejedi will correct me if I'm wrong.

@yuwata yuwata force-pushed the namespace-slave-remounting branch from 12af23c to b0038e0 Compare September 6, 2018 09:14
@yuwata
Copy link
Member Author

yuwata commented Sep 6, 2018

Updated. But not tested on any container environments. In the revised version, instead of simply dropping !context->dynamic_user, mount_namespace_is_critical() helper function is introduced.

@sourcejedi
Copy link
Contributor

sourcejedi commented Sep 6, 2018

My understanding of the last update to this PR, is it should let the current versions of systemd-{networkd,resolved}.service run when we cannot set up mount namespaces. It would not work for systemd-timesyncd, because that service uses StateDirectory=, but systemd-timesyncd would not start inside a container anyway. Because Linux containers cannot (yet?) have separate clocks :-).

I have written a test case to represent my understanding of @evverx 's idea in #10012 (comment) : #10025. This was a more general suggestion, that would work for services that have StateDirectory= as well.

IIRC, old-style DHCP clients save leases in a persistent file, and Macs use persistent information to speed up DHCP, they even wrote this up as an RFC. https://cafbit.com/post/rapid_dhcp_or_how_do/ . I am an outsider to systemd-networkd, and I would be wary of assuming that it does not need a StateDirectory= now or in the future.

But if I were using LXC, I think I might prefer to have an explicit drop-in file that disabled DynamicUser=yes. By setting DynamicUser=no, I would not need either the more complex check implemented in mount_namespace_is_critical(), nor an implementation of #10025 ("RFE: DynamicUser=yes breaks inside containers which block PID1 from setting up a mount namespace. Maybe allow a workaround, without having to modify the service?").

@evverx
Copy link
Contributor

evverx commented Sep 6, 2018

That comment was based on the idea of what the word "portable" means :-) As soon as the units are modified to fit the environment they're supposed to work in, they stop being really portable (though, I don't think they have ever been). I'll just repeat what I said earlier:

My opinion (which is very unpopular here, to say the least :-)) is that systemd shouldn't proceed to start services in this case and if services are supposed to be run everywhere, then the brittle security features shouldn't be used there in the first place.

Regarding LXC, another option would be to update the AppArmor policy in a way similar to https://git.launchpad.net/autopkgtest-cloud/tree/lxc-slave-admin/setup-adt-lxc.commands?id=b6f01a6fd1ce3478dd18f3962c5506e2eebe2eb6#n61 (which, by the way, the only reason the tests pass on Ubuntu CI). But in this case, it should be said explicitly that, say, DynamicUser isn't really portable and YMMV.

@evverx
Copy link
Contributor

evverx commented Sep 6, 2018

Just to be clear, I'm not saying that the security features shouldn't be used at all. They're actually useful in certain contexts. Anyway, I'd wait for @poettering and @keszybz to weigh in because while slowly reading all the issues related to DynamicUser I, frankly, kind of lost track of what we're trying to accomplish :-)

@yuwata yuwata force-pushed the namespace-slave-remounting branch from b0038e0 to ecea78e Compare September 7, 2018 04:56
@yuwata
Copy link
Member Author

yuwata commented Sep 7, 2018

I've tested this by inserting errno = EINVAL; r = -ENOANO; goto finish; just before or after unshare(). And test-execute now passes.
Also, now resolved works fine on nspawn container with --drop-capability CAP_SYS_ADMIN.

@mbiebl
Copy link
Contributor

mbiebl commented Sep 7, 2018

@yuwata resolved/networkd and thus networkd-test.py passes now. test-execute still fails for me, see attached log
log.txt

@yuwata
Copy link
Member Author

yuwata commented Sep 12, 2018

I've dropped the error handling about changing mount propagation flag, as it seems just a workaround for LXC with AppArmor, and I hope the issue can be avoidable by configuring AppArmor for LXC correctly.

So, now this PR only contains several cleanups about mount namespacing.

}

/* Use original errno */
return -errno;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

urks, i can't say i like this. we generally don't use errno to pass errors, and this way we make the fact that EANO means we called unshare() right before and it failed and set errno API of setup_namespace(). But to me that's too much internal behaviour of setup_namespace() becoming API... errno handling should be hidden in the function i think and not be relied upon from outsde...

can't we find a nicer way for this?

I mean, i see where you are coming from, but this at least needs an comment on the sending side (i.e. in setup_namespace where we return EANO) and on the receiveing side, about this special error passing

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cannot find a nicer way... Of course, adding a pointer argument e.g., bool *failure_by_unshare or something can avoid using errno. But it seems ugly.

I will add comments about that on both sender and receiver.

@yuwata yuwata force-pushed the namespace-slave-remounting branch from aaa7aa3 to 0719ab6 Compare September 13, 2018 07:05
@yuwata
Copy link
Member Author

yuwata commented Sep 13, 2018

@poettering Updated. Comments are added.

@sourcejedi
Copy link
Contributor

sourcejedi commented Sep 13, 2018

errno handling should be hidden in the function i think and not be relied upon from outsde... can't we find a nicer way for this?

I've been wondering. Why don't we pass ignore_namespace_unavailable, like we pass in ignore_protect_paths? setup_namespace() wouldn't need to use -ENOANO in this case :-). Just return the real -errno or 0.

…turns -ENOANO

Without this, log shows meaningless error message 'No anode', e.g.,
===
Failed to unshare the mount namespace: Operation not permitted
foo.service: Failed to set up mount namespacing: No anode
foo.service: Failed at step NAMESPACE spawning /usr/bin/test: No anode
===

Follow-up for 1beab8b.
Setting DynamicUser= may introduce some bind mounts from
RuntimeDirectory= and request mount namespacing. However, such implied
bind mounts are not critical if creating mount namespace is failed.
@yuwata yuwata force-pushed the namespace-slave-remounting branch from 0719ab6 to 90c02d9 Compare September 14, 2018 08:21
@yuwata
Copy link
Member Author

yuwata commented Sep 14, 2018

I noticed that EILSEQ related to dynamic user is translated to EOPNOTSUPP.
So, now ENOANO is also translated to EOPNOTSUPP.

I've been wondering. Why don't we pass ignore_namespace_unavailable, like we pass in ignore_protect_paths? setup_namespace() wouldn't need to use -ENOANO in this case :-). Just return the real -errno or 0.

@sourcejedi Both ignore_namespace_unavailable and ignore_protect_paths may ignore something. But the impacts by the flags are quite different, one ignores entire mount namespacing, the other ignores only several mount failures...
I think the failure in unshare() should be propagated to the caller even if it can be negligible.

@sourcejedi
Copy link
Contributor

sourcejedi commented Sep 14, 2018

Both ignore_namespace_unavailable and ignore_protect_paths may ignore something. But the impacts by the flags are quite different, one ignores entire mount namespacing, the other ignores only several mount failures...
I think the failure in unshare() should be propagated to the caller even if it can be negligible.

Hi. I've been thinking about issue #9872. [*] I realized a second reason why ignore_namespace_unavailable might be useful.

Part of the problem I have with issue #9872, is we don't log the path where the error happened. All we tell the user is "Failed to set up mount namespacing: %m". But now we treat most namespace errors as fatal, we could upgrade all those individual log_debug() messages into proper log_error() messages...

This would change apply_mount_namespace() / setup_namespace() from functions that don't log, into ones that do. We would need ignore_namespace_unavailable, to know whether we want to skip the log_error() that complains when unshare() fails (ENOSYS / EPERM etc). ignore_namespace_unavailable == true would effectively turn that one error message back into a debug message.


[*] #9872 is about weird cases where setup_namespace() will fail the service. My original title complained it is "slightly too fragile". I felt there were too many things that might make it fail. Such a failure can happen if root made some very weird FUSE mounts. Or also, I think, some pretty weird NFS mounts. Or we can fail because SELinux is fighting a systemd change. The SELinux rule might not log itself, if the rule has dontaudit.

@mbiebl
Copy link
Contributor

mbiebl commented Sep 15, 2018

@brauner I'm using a default lxc/AppArmor setup on Debian sid.
What changes do I need to make to the AppArmor configuration specifically to make it possible to run the tests under LXC/AppArmor?

@brauner
Copy link
Contributor

brauner commented Sep 17, 2018

@mbiebl, so @stgraber told me that we turn off the AppArmor policy entirely for test-runs in autopkgtests. @stgraber has more input.

@mbiebl
Copy link
Contributor

mbiebl commented Sep 17, 2018

@brauner we = ?

@brauner
Copy link
Contributor

brauner commented Sep 17, 2018

@mbiebl, we == Ubuntu.

@mbiebl
Copy link
Contributor

mbiebl commented Sep 17, 2018

@brauner ok, thanks. Would you recommend that Debian, or rather the maintainers of https://ci.debian.net/, turn off AppArmor for LXC as well?

@brauner
Copy link
Contributor

brauner commented Sep 17, 2018

@stgraber, care to chime in for a second?

@evverx
Copy link
Contributor

evverx commented Sep 17, 2018

@mbiebl if the default AppArmor policy were used, then test-execute would never pass, which doesn't seem to be the case judging by https://ci.debian.net/data/autopkgtest/testing/amd64/s/systemd/1002348/log.gz, so it seems that AppArmor is either already turned off there or it's customized somehow.

Have you tried https://git.launchpad.net/autopkgtest-cloud/tree/lxc-slave-admin/setup-adt-lxc.commands?id=b6f01a6fd1ce3478dd18f3962c5506e2eebe2eb6#n56?

@mbiebl
Copy link
Contributor

mbiebl commented Sep 17, 2018

@evverx ci.debian.net currently runs the Debian stretch kernel, which does not have AA enabled by default, which is why the tests currently pass. This will change with buster kernel, where AA is enabled by default. Personally, I run Debian sid, so I do have a AA enabled kernel.

@evverx
Copy link
Contributor

evverx commented Sep 17, 2018

@mbiebl in this case a lot of tests will start to fail as soon as the kernel has been switched. The easiest way would be of course to turn it off. Though, a custom policy like https://git.launchpad.net/autopkgtest-cloud/tree/lxc-slave-admin/setup-adt-lxc.commands?id=b6f01a6fd1ce3478dd18f3962c5506e2eebe2eb6#n56 would probably be a little bit better in the sense that it's more or less real environment.

@evverx
Copy link
Contributor

evverx commented Sep 17, 2018

Regarding #10011, are we sure that relaxing the security policy to make the security features, that, strictly speaking, aren't even needed there, work again is the best way to deal with it?

@stgraber
Copy link
Contributor

As far as I know, the LXD/LXC test runners for autopkgtest in Ubuntu are using lxc.apparmor.profile=unconfined or a custom profile that's extremely close to unconfined.

@keszybz
Copy link
Member

keszybz commented Sep 17, 2018

Hmm, maybe we could merge the first two commits now? They are uncontroversial cleanups.

@yuwata
Copy link
Member Author

yuwata commented Sep 18, 2018

@keszybz OK. I will create new PRs.

@sourcejedi #9872 seems not related to unshare() failure. So, I think the error code is passed to the caller. Or am I missing something?
Anyway, Please create another PR for upgrading error in namespace.c or taking another boolean to ignore unshare() failure.

@yuwata yuwata closed this Sep 18, 2018
@yuwata yuwata deleted the namespace-slave-remounting branch September 18, 2018 05:37
@yuwata
Copy link
Member Author

yuwata commented Sep 18, 2018

Dear all,
I've split this into #10114 and #10115, and closed this PR.
Originally, this PR intends to give some workarounds for LXC. But it was dropped.
So, let's take a new place to discuss :-)

@keszybz
Copy link
Member

keszybz commented Sep 18, 2018

@yuwata thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Development

Successfully merging this pull request may close these issues.

test-execute fails under lxc

8 participants