When an application is started in a container with systemd-nspawn, the application cannot just call sd_notify() [1] from the container to notify systemd on the host because:

1. The processes in the container will be in a different cgroup than the process executing systemd-nspawn. I think even NotifyAccess=all will not work.

2. If the container uses a new network namespace, the notify socket will not work if it uses an abstract unix socket. A file socket will also not work because the container does not have access to the file socket on the host. Systemd uses either an abstract unix socket or a unix socket file, depending on its version [4].

Flannel would need that. To work around this problem, flanneld.service [2] bind mounts a proxy socket file and uses sdnotify-proxy [3] to proxy it. It is using Docker today but it is the same problem with systemd-nspawn.

It would be nice if systemd-nspawn made sd_notify easier to use.

[1] sd_notify http://www.freedesktop.org/software/systemd/man/sd_notify.html
[2] flanneld.service https://github.com/coreos/coreos-overlay/blob/master/app-admin/flannel/files/flanneld.service
[3] sdnotify-proxy https://github.com/coreos/sdnotify-proxy
[4] socket types http://lists.freedesktop.org/archives/systemd-devel/2014-December/026129.html http://lists.freedesktop.org/archives/systemd-devel/2015-March/029096.html
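The following is an added illustration of the workaround described in the report above; it is not code from the bug, from systemd, or from the sdnotify-proxy project. It re-implements the datagram send that sd_notify(3) performs (including systemd's "@" spelling of an abstract-namespace socket, which is the Linux leading-NUL convention) and a one-message relay in the spirit of sdnotify-proxy: the host side listens on a NOTIFY_SOCKET path, the proxy listens on a second filesystem socket (the one that would be bind-mounted into the container), and the "container" side sends READY=1 to the proxy. All three sockets live in a constructed temporary directory so the example runs in a single process without a container or a real systemd; the function and path names are the example's own.

```python
import os
import socket
import tempfile


def notify_socket_address(notify_socket):
    """Translate a NOTIFY_SOCKET value into a socket address.

    systemd spells an abstract-namespace socket with a leading '@';
    on Linux the same name is bound with a leading NUL byte instead.
    A value without '@' is an ordinary filesystem path.
    """
    if notify_socket.startswith("@"):
        return "\0" + notify_socket[1:]
    return notify_socket


def sd_notify(state, notify_socket=None):
    """Minimal re-implementation of sd_notify(3) (example, not libsystemd).

    Sends one datagram carrying the state string to the socket named by
    `notify_socket`, or by the NOTIFY_SOCKET environment variable when
    no explicit value is given. Returns False when there is nowhere to send.
    """
    target = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not target:
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(state.encode(), notify_socket_address(target))
    return True


def forward_one(listener, host_notify_socket):
    """Relay a single datagram from the proxy socket to the host's NOTIFY_SOCKET.

    This is the core of what a notify proxy does: the container can reach
    the bind-mounted `listener` path, and the proxy (running on the host)
    can reach the real systemd socket, so it copies the payload across.
    Returns the forwarded payload as text.
    """
    data, _sender = listener.recvfrom(4096)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as upstream:
        upstream.sendto(data, notify_socket_address(host_notify_socket))
    return data.decode()


def demo():
    """End-to-end run with constructed paths in a temporary directory.

    Returns the message as seen by the 'host' socket, so a caller can
    verify that READY=1 crossed the proxy unchanged.
    """
    tmp = tempfile.mkdtemp(prefix="sdnotify-example-")
    host_path = os.path.join(tmp, "notify.sock")           # stands in for systemd's socket
    proxy_path = os.path.join(tmp, "sdnotify-proxy.sock")  # what would be bind-mounted

    host = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    host.bind(host_path)
    host.settimeout(5)

    proxy = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    proxy.bind(proxy_path)
    proxy.settimeout(5)

    try:
        # Container side: its NOTIFY_SOCKET points at the proxy path, not the host's.
        sd_notify("READY=1", notify_socket=proxy_path)
        # Host side: the proxy relays the datagram to the real notify socket.
        forward_one(proxy, host_path)
        received = host.recv(4096).decode()
    finally:
        host.close()
        proxy.close()
        for p in (host_path, proxy_path):
            if os.path.exists(p):
                os.unlink(p)
        os.rmdir(tmp)
    return received


if __name__ == "__main__":
    print("host received:", demo())
```

Because SOCK_DGRAM delivery is queued in the receiving socket, the send and the relay can run sequentially in one process; in a real deployment the proxy loops on forward_one for as long as the service runs. The same address translation is what makes the abstract-versus-file distinction from [4] matter: an abstract name is scoped to the network namespace, while a filesystem socket is reachable only where its path is visible, which is why a bind mount is the workaround.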
I am moving this to https://github.com/systemd/systemd/issues/1369