New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Units with DynamicUser=yes fail in lxc container #9493
Comments
are you using userns? how many users have you assigned to the container? |
can you run "strace -p1 -s500 -f" in the container, and check out what precisely fails? |
@brauner, maybe you have an idea? |
The host kernel has
The file |
See strace.log |
Well, but is LXC configured to use it?
Nah, the question is what the UID range is you assigned to the container. i.e. what does |
Hmm, |
Also, what does |
BTW, here is the downstream bug report: I have access to a number of machines on two proxmox hosts. I can't tell the details, will have to figure. Settings for these two differ, but the result is the same. The strace log shows EACCES for
|
is some MAC in effect on the host? i.e. apparmor or selinux or so? i understand proxmox is some commercial provider, and you have no access to the host side of things? i am not sure what "proxmox" precisely does, but if they disable posix file locking, then you'll always have trouble running non-trivial software inside such containers. Please contact their support, and ask them to correct their MAC/seccomp policies to allow posix file locks. There's little else we can do on this. systemd reuqires posix locks to work, and given that that's not precisely an exotic requirement I am very sure it#s proxmox who should fix their policies on this. |
Also, does your |
Also, I am pretty sure that blocked syscalls should return EPERM, not EACCES... That is for file access mostly, while EPERM is usually used for API access |
It all works fine with 238, userns, lxc and all. In this case the LXC host is a VPS with Virtualizor based on KVM 7.4.1 as hypervisor. The moment 239 introduces but perhaps an issue with apparmor, which is no issue with 238 however. From the lxc host kernel log only this denial is apparent and probably not relevant to the issue?
no MAC denials in the LXC host kernel log |
Did you actually run "systemd-run -p DynamicUser=1 /bin/true" on 238? |
No, that did not come up in the discourse of #9427 |
Proxmox by default uses the default lxc |
238
239
and since 239
with the details in the aforementioned downstream bug report and #9427 |
For whatever reason |
@eworm-de services default to I figure we could add a new Type= to systemd which would wait until systemd's own initializations in the child succeeded before considering the service up. This is not precisely trivial though, as conceptually here's already the problem that in order to know that the execve() is successful we'd have to ack the startup after the execve(), but the execve() means our code already got swapped out by the new process, hence we cannot ack it... |
Indeed the host logs messages similar to this:
So there is nothing we can do from systemd side, no? |
@eworm-de, what kernel is this on? Best to give |
That is what distro the host is running. |
I suspect that these are the socket mediation AppArmor patches that got merged upstream but then got reverted. If this is a distro kernel carrying these patches nonetheless this would explain it. |
we issue those posix locks on an AF_UNIX socketpair() socket btw. |
This is a proxmox distribution, based on Debian. Kernel is:
|
@eworm-de, can you try starting the container with |
So I suspect this is an actual AppArmor bug and actually an old one. Locks on fds only should be totally legal. I'm going to escalate this bug with the AppArmor people to get some motion on this. |
So, the good news is that this is all fixed upstream starting with I couldn't reproduce on a newer kernels but it would be good if someone other than me could confirm that it is indeed fixed (Looking at you @Blub ;).). |
I've requested the socket mediation patchset to be backported to the Ubuntu LTS kernels. This can be tracked here: |
Just updated the kernel of the lxc host (VPS on KVM 7._4.1 based hypervisor) to 4.17.4-041704 .
Just for completeness
However it did produce an output whilst previsouly with kernel 4.15 it would just time out. |
All these messages are about mounts being denied. The issue we discuss here is with POSIX file locks (
|
updated kernel 4.17.4-041704
No |
Given that this was fixed elsewhere by now, let's close this here. Hope that makes sense. |
systemd version the issue has been seen with
Though this has been reported for
systemd-networkd
, which switched to use a dynamic user lately. I think other units failed before.Used distribution
Expected behaviour you didn't see
Unexpected behaviour you saw
Unit fails:
Steps to reproduce the problem
systemd-run --property=DynamicUser=yes /usr/bin/true
The text was updated successfully, but these errors were encountered: