Kernel Config Options:
CONFIG_DEVTMPFS
- CONFIG_CGROUPS (it's OK to disable all controllers)
+ CONFIG_CGROUPS (it is OK to disable all controllers)
CONFIG_INOTIFY_USER
CONFIG_SIGNALFD
CONFIG_TIMERFD
If systemd is compiled with libseccomp support on
architectures which do not use socketcall() and where seccomp
is supported (this effectively means x86-64 and ARM, but
- excludes 32bit x86!), then nspawn will now install a
+ excludes 32-bit x86!), then nspawn will now install a
work-around seccomp filter that makes containers boot even
with audit being enabled. This works correctly only on kernels
3.14 and newer though. TL;DR: turn audit off, still.
exist. During execution this network facing service will drop
privileges and assume this uid/gid for security reasons.
+ The NTP daemon requires the "systemd-timesync" system user and
+ group to exist. During execution this network facing service
+ will drop privileges (with the exception of CAP_SYS_TIME) and
+ assume this uid/gid for security reasons.
+
+ The network management daemon requires the "systemd-network"
+ system user and group to exist. During execution this network
+ facing service will drop privileges (with the exception of
+ CAP_NET_*) and assumed this uid/gid for security reasons.
+
+ The name resolution daemon requires the "systemd-resolve"
+ system user and group to exist. During execution this network
+ facing service will drop privileges and assume this uid/gid
+ for security reasons.
+
WARNINGS:
systemd will warn you during boot if /etc/mtab is not a
symlink to /proc/mounts. Please ensure that /etc/mtab is a
supported anymore by the basic set of Linux OS components.
systemd requires that the /run mount point exists. systemd also
- requires that /var/run is a a symlink → /run.
+ requires that /var/run is a a symlink to /run.
For more information on this issue consult
http://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
~ianmdlvl / elogind.git / blobdiff