-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd ignores RootDirectory option in .service units #22760
Comments
If RootDirectory= is set and we can't set up a mount namespace we should fail, and not attempt any fallbacks. |
Is this an apparmor specific issue? Can you set log level to debug |
@bluca It seems to be closely related to AppArmor, but I don't really have any level of expertise with that, the only thing I do to it is enable/disable, never fine-tune. That means I blindly use the AppArmor profiles Ubuntu ships for me. The host system that runs the container is Ubuntu 20.04 Focal Fossa. Here is the output. Interesting that now it mentions "
|
What's the exact unit you started? Full configuration |
Here it is:
Of course it's just a test service for proof of concept. Originally I had a service which would have started a PostgreSQL server within the chroot. |
This is very strange, I see no messages about setting up RootDirectory in the logs you posted, moreover the check that should make it fail is there in v249.10 ( Are you 100% sure that's the unit being used? And it's loaded (daemon-reload after adding/editing it, etc)? |
Actually it's even more bizzarre, it's clearly falling into this path with EPERM: https://github.com/systemd/systemd-stable/blob/v249.10/src/core/namespace.c#L2247 but then it's also clearly taking this path: https://github.com/systemd/systemd-stable/blob/v249.10/src/core/execute.c#L3274 which explicitly checks for ENOANO?? Are you sure it's running under v249.10?
|
Maybe there's confusion about the systemd version within the container, and 249.10 is the one outside the container? |
Version inside the container:
Version outside the container (host system):
Isn't it possible that Ubuntu added their own modifications that broke the logic? Sad that they don't reply on LaunchPad... I mean, I submitted the original report more than a month ago. There's a reason why I report downstream first. How can I help? Can you reproduce? Shall I build a VM image or perhaps Docker container which reproduces it? Or do you have a build of vanilla systemd to try? Would be best to have a compiled binary, or I hope systemd builds easily... |
It indeed is:
That is not good - I'll go prod |
It was added to support old versions of LXC/LXD https://git.launchpad.net/ubuntu/+source/systemd/tree/debian/patches/debian/UBUNTU-Revert-namespace-be-more-careful-when-handling-namespacin.patch?h=ubuntu/jammy |
Closing here because there's nothing we can do, it's a downstream patch. I've added details do the downstream ticket. |
systemd version the issue has been seen with
Used distribution
Linux kernel version used (
uname -a
)CPU architecture issue was seen on
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
Additional program output to the terminal or log subsystem illustrating the issue
See LaunchPad bug report for details:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1959047
Important note
Since then I discovered that the issue only affects LXC containers and a workaround is setting the container's AppArmor profile to unconfined. But for once I'd be more comfortable not having to set the container to unconfined for the sake of a chroot (though that's probably Ubuntu's fault); and if the chroot does fail, systemd should not attempt to start the program on the root file system, as this can even be dangerous.
The text was updated successfully, but these errors were encountered: