Bug 88554

Summary: systemd-sysusers: should not log to host journal when bootstrapping a guest (e.g. in a chroot)
Product: systemd
Reporter: Alain Kalker <a.c.kalker>
Component: general
Assignee: systemd-bugs
Status: RESOLVED NOTOURBUG
QA Contact: systemd-bugs
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Alain Kalker 2015-01-18 12:59:32 UTC
On host Arch Linux x86_64, when I bootstrap a guest using `pacstrap`, `systemd-sysusers` gets called during the installation of the systemd package in the chroot used by `pacstrap`.
The user / group setup done by `systemd-sysusers` works fine, except that messages about user and group creation end up being logged in the host's journal, which can be confusing (and might trip IDS systems which monitor the host's journal for signs of suspicious activity).

(Note that during bootstraps like this, certain 'API' directories, such as `/run`, are bind-mounted into the chroot. I guess that this is how `systemd-sysusers` running in the chroot manages to send log messages to the host.)
I see no reason for `systemd-sysusers` to log information like this to the journal except when run as part of a unit started during a "first boot", "out-of-box" experience or whatever. When started manually, output of messages to standard output / standard error should be sufficient.

Please consider implementing a command-line option to specify how and where `systemd-sysusers` should log its messages.
Comment 1 Lennart Poettering 2015-02-04 13:58:03 UTC
I am really sure that we should always log when we do something. We should not suppress messages just because we assume that the chroot env might not have set up /dev properly.

This really sounds as if the chroot env you are using should be fixed to not make the host's /dev/log available inside the chroot env. That's the only way you can ensure that no log messages from the chroot env leak into the host, regardless of whether it's sysusers that is logging or something else.

(Hint: nspawn sets up /dev properly, so that this issue goes away...)

Anyway, I am pretty sure this is nothing to fix in systemd, hence closing. Sorry!

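As an added check following the diagnosis in the comment above (this is example code written for this page, not part of the bug report and not a systemd tool): a POSIX shell audit that takes a chroot root directory and reports whether any of journald's listening paths is reachable beneath it, so a bootstrap script can refuse to run, or fix its mounts, before package scriptlets such as `systemd-sysusers` start logging. It assumes the standard journald endpoints (`/dev/log`, `/run/systemd/journal/dev-log`, `/run/systemd/journal/socket`, `/run/systemd/journal/stdout`); the two fixture helpers build constructed directory trees purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or from systemd): audit a chroot root
# for host journal endpoints that a bootstrap tool may have bind-mounted or
# copied in. If any of them is reachable from inside the chroot, programs run
# there (systemd-sysusers included) will log into the host's journal.
#
# Paths are relative to the chroot root. /dev/log is normally a symlink to
# /run/systemd/journal/dev-log on a systemd host, which is why a bind-mounted
# /run is enough to make the host's socket reachable.
JOURNAL_ENDPOINTS="dev/log run/systemd/journal/dev-log run/systemd/journal/socket run/systemd/journal/stdout"

# audit_chroot_journal_leak ROOT
# Prints each journal endpoint found under ROOT. Returns 0 when none is present
# (safe to bootstrap) and 1 when at least one is (messages would leak to the host).
audit_chroot_journal_leak() {
    root=${1%/}
    leaks=0
    for rel in $JOURNAL_ENDPOINTS; do
        p="$root/$rel"
        # -e follows symlinks, so a link whose target is only valid inside the
        # chroot would be missed from the host; -L catches it regardless.
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf 'journal endpoint reachable in chroot: %s\n' "$p"
            leaks=$((leaks + 1))
        fi
    done
    [ "$leaks" -eq 0 ]
}

# Constructed fixture mimicking the situation in the report: a guest root where
# the host's /run was bind-mounted and /dev/log points at journald's socket.
# A regular file stands in for the socket so the fixture needs no daemon.
make_leaky_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/run/systemd/journal"
    : > "$d/run/systemd/journal/dev-log"
    ln -s /run/systemd/journal/dev-log "$d/dev/log"
    printf '%s\n' "$d"
}

# Constructed fixture with /run and /dev present but no journal endpoints,
# i.e. what a correctly set-up guest looks like before its own journald runs.
make_clean_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/run"
    printf '%s\n' "$d"
}

# Demo: run with --demo to see both outcomes on the constructed fixtures,
# or call audit_chroot_journal_leak on a real bootstrap target directory.
if [ "${1:-}" = "--demo" ]; then
    leaky=$(make_leaky_fixture)
    clean=$(make_clean_fixture)
    printf '== leaky guest root %s\n' "$leaky"
    audit_chroot_journal_leak "$leaky" || echo "refuse to bootstrap: would log into host journal"
    printf '== clean guest root %s\n' "$clean"
    audit_chroot_journal_leak "$clean" && echo "ok: no host journal endpoint reachable"
    rm -rf "$leaky" "$clean"
fi
```

In a real bootstrap wrapper, run the audit against the target root after the bind mounts are in place and before the package manager is invoked; an exit status of 1 means the guest can still reach the host's journald and the mount setup (not the logging program) is what needs changing, which is the point the comment makes.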