Overriding/modifying systemd unit file

tcurdt · May 17, 2024, 10:53pm

I am using this on NixOS to run docker containers:

virtualisation = {
    containers.enable = true;
    oci-containers.backend = "docker";
    docker = {
      enable = true;
    };
};

but I need to modify the systemd unit file to include

[Mount]
LogLevelMax=0

What I would have expected:

  systemd.services.docker = {
    overrides = ''
      [Mount]
      LogLevelMax=0
    '';
  };

Any pointers to get this working?

ElvishJerricco · May 17, 2024, 11:17pm

The way to do this on a service is with

systemd.services.docker.serviceConfig.LogLevelMax = 0;

nixos will handle turning that into a proper drop-in unit file.

But I’m guessing this isn’t really what you want. If you just want to stop all the run-docker-*.mount: Succeeded messages, this is going to be trickier. It’s not the docker unit you want to silence; it’s the mount units it’s causing by mounting stuff. That StackOverflow answer isn’t a full answer, because it’s not telling you that you have to create a drop-in unit like that for every one of these mounts. Not for the docker service. For every mount that you want to silence.

NixOS also makes this a little trickier because the systemd.mounts.* option is a list, the unit file name is derived from the where option, and the what option isn’t optional. Apparently whoever chose this design didn’t consider the possibility of wanting to make drop-ins for transient mount units… So while you can’t get the nice api we’d use for other unit types, you can use the lower level api to do it with raw unit text:

  systemd.units."foo.mount" = {
    overrideStrategy = "asDropin";
    text = ''                                                                                                                                                                                 
      [Mount]                                                                                                                                                                                 
      LogLevelMax=0                                                                                                                                                                           
    '';
  };

and again, you have to do this for every mount you want to silence.

tcurdt · May 17, 2024, 11:49pm

Uff

What creates all those the mount units?
Why couldn’t it be set there?

And why are they happening so often? The containers are not restarting.

ElvishJerricco · May 17, 2024, 11:54pm

Docker is doing its own mounts. It’s doing the equivalent of mount foo /bar. Systemd turns every single mountpoint created by other things into a transient mount unit. It’s not systemd creating these, so systemd doesn’t have a way to apply mount properties to all of them.

tcurdt · May 17, 2024, 11:55pm

Got it. But why would docker execute these mounts so often - not just on container startup?

ElvishJerricco · May 17, 2024, 11:56pm

You’d have to ask someone who knows more about docker than I do

tcurdt · May 18, 2024, 9:00am

From the systemd ticket it sounds like they made a change to support this very thing.

github.com/systemd/systemd

Filter mechanism for logs in journald

opened 08:54AM - 23 Jul 17 UTC

closed 09:02AM - 03 Jan 23 UTC

PhilippWendler

RFE 🎁 journal

### Submission type - Request for enhancement (RFE) ### systemd version t…he issue has been seen with > 234 ### Used distribution > irrelevant ### Description A possibility to filter logs in journald, i.e., before they are written to the journal, would be helpful in cases where some daemon spams the log with countless messages. Of course, it is better to fix the source instead of filtering away log messages, but for many users the former is not possible and the latter is a helpful workaround until the real problem is fixed. As an example, my concrete current problem is that I need to run snmpd for lack of alternatives and it spams the log with error messages (so just reducing the log level would mean I also do not see other errors), and this behavior exists for years but is not getting fixed ([Debian bug from 2015](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792832), [Red Hat bug from 2016](https://bugzilla.redhat.com/show_bug.cgi?id=1314610)). This shows that in practice, a log-filter possibility would indeed be helpful. I know that journalctl can filter log messages, but for cases like this I do not want these messages to be written to the journal, because for example many such messages can lead to earlier-than-desired log truncation due to the `SystemMaxUse`/`SystemKeepFree` options. rsyslog has an equivalent feature (which I have been using until now), so I could solve this by ignoring the journal and using traditional syslog, but I really like the additional features of the journal and do not want to fall back to syslog just because of this. I do not have a full proposal how the syntax for log filters could look like. I suggest to start with an option in `journald.conf` that can take an expression similar to that of journalctl, but I assume that for such a feature to be most useful there would need to be the possibility to due regexp or at least substring matches on the message field, like [rsyslog has](http://www.rsyslog.com/doc/v8-stable/configuration/filters.html#compare-operations). Maybe a syntax inspired by [CSS attribute selectors](https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors) could be used or something like Perl-style `=~` for regexp matches?

And to me it sounds like not every mount would need this - at least from systemd v249.

But now when trying this with systemd.services.docker.serviceConfig.LogLevelMax = 0; it ends up under [Service]. Which is wrong. And I don’t see a way to add a [Mount] as “serviceConfig” seems to be the wrong level. It probably should really be

systemd.services.docker.config.Mount.LogLevelMax = 0;

and

systemd.services.docker.config.Service.Whatever = 0;

But it seems like I would need to use a lower level API

  systemd.units.docker = {
    overrideStrategy = "asDropin"; # is there an append?
    text = ''
      [Mount]
      LogLevelMax=0
    '';
  };

but I just cannot find any docs on this and I was looking here for the systemd package sources but they must be somewhere else.

tcurdt · May 18, 2024, 3:32pm

It seems on an Ubuntu system this helped:

sudo vim /etc/systemd/journald.conf
Find, uncomment and change the parameters: MaxLevelStore=notice MaxLevelSyslog=notice
sudo systemctl restart systemd-journald

So on NixOS this translates to

services.journald.extraConfig = ''
  MaxLevelStore=notice
  MaxLevelSyslog=notice
''

ElvishJerricco · May 18, 2024, 9:19pm

You cannot put a [Mount] section in a service unit. A unit only has three sections; [Unit] for the options that can be applied to any unit, [<TYPE>] for options that apply to that specific unit type, and [Install] which is irrelevant on NixOS and to this problem.

You don’t apply a [Mount] section to a service. Some unit types share some of their options. For instance, mount and service units share all the options described in man systemd.exec, including LogLevelMax. So to use LogLevelMax on a service, you put it in the [Service] section.

But again, you do not need to apply any settings to the docker service unit whatsoever. That will not help. The problem is that systemd is logging when mounts succeed, which means you need something to apply to all those mount units.

Note that this applies to everything on the system.

tcurdt · May 19, 2024, 9:21am

The way I read it (and which seems wrong) was that the mounts originate from the service. And that in newer systemd versions the LogLevelMax gets inherited from the service to the mounts.

That said, setting it on the service - I cannot remember seeing it making a difference yet. Just as you suggested.

Changing it in journald itself was the only thing that helped to reduce the messy logs.

Note that this applies to everything on the system.

Indeed worth noting.

ElvishJerricco · May 19, 2024, 9:37am

Nothing in that stackoverflow thread implies any kind of inheritance from the service, and both answers are suggesting applying drop-ins to mount units and not a service. That said, the second answer suggests that a drop-in on run-docker-.mount (note the trailing -) would apply to all descendents, and in my limited testing, that appears to be the case. So maybe try this?

  systemd.units."run-docker-.mount" = {
    overrideStrategy = "asDropin";
    text = ''                                                                                                                                                                                 
      [Mount]                                                                                                                                                                                 
      LogLevelMax=0                                                                                                                                                                           
    '';
  };

Again, the trailing - in that name is important.