-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(f)sync missing when writing files #2619
Comments
Hmm, but this sounds like something to fix in ext4, no? I am really not keen on adding fsync()s all over systemd just to make ext4 work nicer... If they sync the other data on close, then they should really sync the xattrs too, no? |
This is is the expected behaviour of both systemd and kernel (which defers writes, this can be tuned with sysctl knobs) |
http://danluu.com/file-consistency/ relevant to filesystem consistency / weirdness |
I agree that this should better be fixed in the IMA subsystem. Enabling it for "normal" files considerably weakens filesystem semantics. I have a discussion on-going with the upstream developers here: https://sourceforge.net/p/linux-ima/mailman/message/34850685/ With this ticket here I wanted to find out what systemd's assumption about fs consistency are. I remember reading the http://danluu.com/file-consistency/ article and as pointed out there, getting this right in all cases (even without IMA) is hard. Sometimes, calling fsync() is necessary. I'm fine with getting this ticket here closed as "works as intended". My current solution (workaround for IMA?) is based on ExecStart/StopPost=/bin/sync in .d files for the two services. |
/etc/machine-id and /var/lib/systemd/random-seed easily become unreadable with a "Permission denied" error caused by IMA when powering off hard. That is because systemd creates the files without explicit fsync (partly intentional, see systemd/systemd#2619) and then the security.ima xattr created by the kernel does not get flushed to disk for surprisingly long periods of time (definitely longer than the usual 5 second commit timeout of ext4, see https://sourceforge.net/p/linux-ima/mailman/message/34850685/ for a discussion with the IMA developers about this). The current workaround while waiting for systemd or IMA developers to enhance crash resilience is to explicitly call /bin/sync after the commands responsible for creating resp. updating the files are. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
I'd be fine with add the fsync() to the machine id case, after all that's a one-time thing, and really is a case where some identitiy is "burned into" the file system, hence an fsync() invocation might be OK (but cast to (void) please). But the random-seed case seems off... |
Why should random-seed be treated differently? It also writes to the filesystem. FWIW, here's the current version of the patch, with commit message and error handling:
|
the random seed file is a safety net (after all, normally, the kernel should be good enough at generating randomness, hopefully), and it's updated on every boot and shutdown. As such it is very different from the machine id, which is a one-time thing, has a very strict "commit" character, and where it is pretty important that the setting isn't lost (after all, it's about making the machine id stable, hence it better do it). hence, please, let's add the fsync to the machine-id, but not to the random stuff... |
In my experience, systemd did not recover from a "random-seed without security.ima xattr" failure well: opening the file then fails with "permission denied" and random-seed bails out early instead of doing anything. If the file content is considered non-essential, then a corruption issue of the failure should be dealt with by wiping it out and behaving as if it hadn't been present at all, while at most warning about the situation. Here's a corresponding patch which worked for me:
And here's the reduced machine-id patch:
|
The IMA thing should be fixed in IMA/ext4, systemd is not the place to work around problems in behaviour with that. I am OK with adding the machine-id fsync patch independently of the IMA thing, because it appears like something where "commiting" this reliably sounds like an OK idea. But could you please submit that part as PR? Also, the failure to sync should proably result in failure of the tool (i.e. a "return" is missing). |
…in/sync /etc/machine-id and /var/lib/systemd/random-seed easily become unreadable with a "Permission denied" error caused by IMA when powering off hard. That is because systemd creates the files without explicit fsync (partly intentional, see systemd/systemd#2619) and then the security.ima xattr created by the kernel does not get flushed to disk for surprisingly long periods of time (definitely longer than the usual 5 second commit timeout of ext4, see https://sourceforge.net/p/linux-ima/mailman/message/34850685/ for a discussion with the IMA developers about this). The current workaround while waiting for systemd or IMA developers to enhance crash resilience is to explicitly call /bin/sync after the commands responsible for creating resp. updating the files are. (From meta-intel-iot-security rev: 007cf0048f896eee6a6915c6d670a8134a6d7cf0) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
As discussed here: systemd#2619 (comment) Explicitly syncing /etc/machine-id after writing it, is probably a good idea, since it has a strong "commit" character and is generally a one-time thing. Fixes systemd#2619.
As discussed here: systemd#2619 (comment) Explicitly syncing /etc/machine-id after writing it, is probably a good idea, since it has a strong "commit" character and is generally a one-time thing. Fixes systemd#2619.
I'm using systemd on a custom OS where IMA (https://sourceforge.net/p/linux-ima/wiki/Home/) is active with an IMA policy that allows locally created files. In that policy, the kernel adds the security.ima xattr when files get created. Without the proper security.ima, data cannot be read from these files after a reboot.
I found that files created by systemd are susceptible to a sudden power loss because ext4 creates the files, but their security.ima xattr does not get flushed to disk when powering off hard.
The following two changes make the system more resilient:
I'm aware of the missing error handling - this is just a proof-of-concept to check whether adding fsyncs() would help. It does, and it looks like the right thing to do in any case, so I'm wondering whether adding it to systemd would make sense.
The text was updated successfully, but these errors were encountered: