New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
launching aardvark-dns with systemd user on centos7 fails due to session dbus perms? #473
Comments
Yes we require systemd user session when systemd is booted and system-run exists. |
Oh yeah, I wasn't expecting you guys to debug this or anything, just was hoping for something pointing in the right direction. I think I've gotten all the centos7 stuff out of the way, and it's just down to this dbus netns uid thing...I assume my first recipe above is just supposed to work with dns enabled in there? |
Oh, and the other question is if you launch a namespace, is the user dbus (usually
I get a failed to connect due to the uid thing with dbus. What happens on a working system that launches aardvark? |
On my fedora 36 laptop:
Also |
Wait, busctl --user works in the unshare namespace but dbus-test-tool doesn't? That's odd if so... |
No |
Huh, when I run dbus-test-tool echo I get the name back, like:
|
As expected, commenting out the systemd-run part of the aardvark launch works and dns works, etc. I am very curious about this dbus in namespaces, maybe I'll launch a cheap vps with latest rocky or whatever and debug it to see how it's handling the uid thing, it's very curious where it could be going wrong... |
Okay, I am testing this on rocky 9...it works, but there's a couple interesting things. First, user systemd isn't enabled by default, podman warns and you have to The one difference between this setup and mine that I immediately notice is their dbus socket listener is dbus-broker and not dbus-daemon...I wonder if dbus-broker deals with container uid mismatch better...more debugging after dinner. |
Okay, I think I have finally figured out what's going on here. This isn't exactly a dbus issue, I mean it's a dbus issue, but it's not an issue with dbus-daemon or dbus-broker, because none of the podman stuff is calling the normal user dbus, and in fact I think normal dbus actually is busted going from inside a namespace to outside a namespace (on rocky 9 it doesn't work, and your error above on Fedora 36 for dbus-test-tool echo is not a successful run either). The problem is all happening with the private I guess the one remaining question is whether dbus is supposed to work from inside a netns to outside, and I don't think it is? Or, at least, it doesn't right now even on supported systems like rocky 9 and fedora 36. My guess is you'd have to do some user id preservation, or make the client dbus lib understand it needs to use the Chris |
OMG FINALLY. I knew there was no deep unresolvable mystery here, there had to be somebody doing the wrong thing. After a bunch of debugging of systemd and systemd-run, I found that on the rocky 9 version the uid simply isn't sent from the systemd-run client (because it comes on the SO_PEERCRED anyway and so it's just a waste and messes up namespaces), and so I found the changelist where they fixed it in the systemd project (systemd/systemd@1ed4723) and backported it to my 219 systemd, which I was building anyway because for some reason Red Hat patched out all the user/session stuff (Patch0004 for those interested, you also need dbus.socket and dbus.service for user space). Works perfectly, acts just exactly like rocky 9 now even with the unpatched systemd-run netavark, woot! For anybody in the future trying to get dbus working from inside to outside a rootless container even on a supported os, I assume a similar patch would need to be made to the dbus libs, since it looks like they always append the UID (at least as of the date of this post: https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/dbus/dbus-auth.c#L1231), so if for some reason you're trying to tunnel dbus out of the rootless container to the user/session dbus, this is probably why it's failing (the Anyway, I think I'm really actually done now, mystery solved, phew. |
I assume centos7 is not a supported platform but please bear with me for a second, I've got it almost working well, I'm super close, and there's just one weird thing I could use some advice/help on...
Backstory: I gave up on docker years ago after I decided it was too much of a security risk, but when I checked back in on containers recently I saw podman was thing and was natively rootless and I wanted to give it a go since containers are cool but not so cool I want to run a root docker daemon. I played around with the centos7 version 1.x podman and it was great, but I wanted some of the newer podman features, specifically the better rootless network stuff.[1]
Anyway, I went about building and installing and updating things that seemed like they needed updating, and ended up with this:
(this is centos 7 original 😬 but I (un)patched it to support session/user systemd
and added user dbus.service and dbus.socket files)
I have basically everything working, including per user dbus launching with session systemd automatically and working as expected with
dbus-test-tool
anddbus-monitor
and whatnot.The only remaining problem is aardvark-dns won't launch properly in the containers, and it's due to a dbus authn issue.
Here's what happens:
Okay, so the
Failed to start transient scope unit: Operation not permitted
is obviously an issue. There used to be way more errors before I got systemd user dbus working, including the dbus-daemon leaking (containers/podman#4483, containers/podman#9727, etc.), andERRO[0000] failed to move the rootless netns slirp4netns process to the systemd user.slice: dbus: invalid bus address (no transport)
, but once I got session dbus working smoothly, all those went away.Debugging
Failed to start transient scope unit: Operation not permitted
let me to this in the--log-level trace
for therun
:so I set about debugging that. The command runs fine from a normal shell, but it turns out this command also fails in the same way inside a
podman unshare --rootless-netns
shell:which is nice because this is a lot easier to debug than a full container. I debugged systemd-run with gdb because I'd already built it to remove the centos patch to disable user systemd (which works fine, others have done it), and system-run was failing to talk on the
/run/users/1000/systemd/private
socket to the mothership. You can see that here:Turns out no dbus apps will run in the rootless-netns, here's the trace on
busctl --user
which tries to connect to/run/user/1000/bus
which is the normal (non-systemd/private dbus for users):It looks like the dbus sockets are available, but the dbus-daemon is using the peer credentials unix socket EXTERNAL authn and rejecting the connection maybe because of the uid mapping? But isn't root in my unshare --network-netns shell uid 1000 outside the namespace? Here is somebody else who hacked his dbus authn off to work around this.
So then I went and built and debugged the latest dbus-daemon, dbus-test-tool, etc. It is indeed failing the authn in
handle_server_data_external_mech
because the uid it gets off theSO_PEERCRED
is 1000 for the connection from the dbus app inside the netns but the app itself is passing 0 in the AUTH EXTERNAL greeting and so these fail_dbus_credentials_are_superset
. In debugging the daemon, I noticed a bunch of dbus connections as the unshare is set up, but those seem to work because they're not passing the uid the auth line, although it's hard to tell if they're happening before or after the namespace is set up.Then I tried launching a dbus-daemon inside the netns and I got that to work with aardvark-dns launching, but that seems like a weird thing to have to do.
The other hack I tried was renaming
/bin/systemd-run
to/bin/systemd-runx
so that netavark failed to find it herenetavark/src/dns/aardvark.rs
Line 86 in 90cccc1
which also allowed aardvark to launch in the container.
Okay, so questions:
Thanks for reading all this rambling, maybe somebody with more of a systemd/dbus/container/namespace clue than I have can help out!
Chris
[1] although this was working great (and still is): https://github.com/AkihiroSuda/podman-network-create-for-rootless-podman
The text was updated successfully, but these errors were encountered: