test-execute fails in LXD with failure in exec-privatenetwork-yes-privatemounts-yes.service

Bug #2046495 reported by Nick Rosbrook
Affects           Status        Importance  Assigned to    Milestone
systemd (Ubuntu)  Fix Released  High        Nick Rosbrook

Bug Description

This is in v255. This log snippet is taken from a local autopkgtest build:

exec-privatenetwork-yes-privatemounts-yes.service: Will spawn child (service_enter_start): /bin/sh
exec-privatenetwork-yes-privatemounts-yes.service: Failed to set 'trusted.invocation_id' xattr on control group /system.slice/test-execute-48e27182b3724b7.scope/99d288e6f11f869e/system.slice/exec-privatenetwork-yes-privatemounts-yes.service, ignoring: Operation not permitted
exec-privatenetwork-yes-privatemounts-yes.service: Failed to remove 'trusted.delegate' xattr flag on control group /system.slice/test-execute-48e27182b3724b7.scope/99d288e6f11f869e/system.slice/exec-privatenetwork-yes-privatemounts-yes.service, ignoring: Operation not permitted
exec-privatenetwork-yes-privatemounts-yes.service: Failed to remove 'trusted.survive_final_kill_signal' xattr flag on control group /system.slice/test-execute-48e27182b3724b7.scope/99d288e6f11f869e/system.slice/exec-privatenetwork-yes-privatemounts-yes.service, ignoring: Operation not permitted
exec-privatenetwork-yes-privatemounts-yes.service: Passing 0 fds to service
exec-privatenetwork-yes-privatemounts-yes.service: About to execute: /bin/sh -x -c "! ip link show dummy-test-exec"
Serializing sd-executor-state to memfd.
exec-privatenetwork-yes-privatemounts-yes.service: Forked /bin/sh as 5092
Closing set fd 21 (socket:[116840])
Closing set fd 19 (socket:[113527])
Closing set fd 20 (socket:[116839])
exec-privatenetwork-yes-privatemounts-yes.service: Changed dead -> start
Received SIGCHLD from PID 5092 (sh).
Child 5092 (sh) died (code=exited, status=0/SUCCESS)
exec-privatenetwork-yes-privatemounts-yes.service: Child 5092 belongs to exec-privatenetwork-yes-privatemounts-yes.service.
exec-privatenetwork-yes-privatemounts-yes.service: Main process exited, code=exited, status=0/SUCCESS (success)
exec-privatenetwork-yes-privatemounts-yes.service: Running next main command for state start.
exec-privatenetwork-yes-privatemounts-yes.service: Will spawn child (service_run_next_main): /bin/sh
exec-privatenetwork-yes-privatemounts-yes.service: Passing 0 fds to service
exec-privatenetwork-yes-privatemounts-yes.service: About to execute: /bin/sh -x -c "test ! -e /proc/sys/net/ipv4/conf/dummy-test-exec"
Serializing sd-executor-state to memfd.
exec-privatenetwork-yes-privatemounts-yes.service: Forked /bin/sh as 5094
Closing set fd 21 (socket:[116840])
Closing set fd 19 (socket:[113527])
Closing set fd 20 (socket:[116839])
Received SIGCHLD from PID 5094 (sh).
Child 5094 (sh) died (code=exited, status=0/SUCCESS)
exec-privatenetwork-yes-privatemounts-yes.service: Child 5094 belongs to exec-privatenetwork-yes-privatemounts-yes.service.
exec-privatenetwork-yes-privatemounts-yes.service: Main process exited, code=exited, status=0/SUCCESS (success)
exec-privatenetwork-yes-privatemounts-yes.service: Running next main command for state start.
exec-privatenetwork-yes-privatemounts-yes.service: Will spawn child (service_run_next_main): /bin/sh
exec-privatenetwork-yes-privatemounts-yes.service: Passing 0 fds to service
exec-privatenetwork-yes-privatemounts-yes.service: About to execute: /bin/sh -x -c "test ! -e /sys/class/net/dummy-test-exec"
Serializing sd-executor-state to memfd.
exec-privatenetwork-yes-privatemounts-yes.service: Forked /bin/sh as 5095
Closing set fd 21 (socket:[116840])
Closing set fd 19 (socket:[113527])
Closing set fd 20 (socket:[116839])
exec-privatenetwork-yes-privatemounts-yes.service: Control group is empty.
Received SIGCHLD from PID 5095 (sh).
Child 5095 (sh) died (code=exited, status=1/FAILURE)
exec-privatenetwork-yes-privatemounts-yes.service: Child 5095 belongs to exec-privatenetwork-yes-privatemounts-yes.service.
exec-privatenetwork-yes-privatemounts-yes.service: Main process exited, code=exited, status=1/FAILURE
exec-privatenetwork-yes-privatemounts-yes.service: Failed with result 'exit-code'.
exec-privatenetwork-yes-privatemounts-yes.service: Service will not restart (restart setting)
exec-privatenetwork-yes-privatemounts-yes.service: Changed start -> failed
exec-privatenetwork-yes-privatemounts-yes.service: Unit entered failed state.
exec-privatenetwork-yes-privatemounts-yes.service: Consumed 27ms CPU time.
src/test/test-execute.c:1109:test_exec_privatenetwork: exec-privatenetwork-yes-privatemounts-yes.service: can_unshare=yes: exit status 1, expected 0
(test-execute-root) terminated by signal ABRT.
Assertion 'r >= 0' failed at src/test/test-execute.c:1330, function prepare_ns(). Aborting.

Nick Rosbrook (enr0n)
Changed in systemd (Ubuntu):
importance: Undecided → High
assignee: nobody → Nick Rosbrook (enr0n)
Nick Rosbrook (enr0n) wrote :

The problem here is that the AppArmor policy prevents the private mount namespace from being set up, but systemd continues on after:

Jan 04 21:10:39 noble (sh)[565]: Applying namespace mount on /run/systemd/mount-rootfs/sys
Jan 04 21:10:39 noble (sh)[565]: Mounting sysfs (sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
Jan 04 21:10:39 noble (sh)[565]: Failed to mount sysfs (type sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC ""): Permission denied
Jan 04 21:10:39 noble sh[565]: + test ! -e /sys/class/net/dummy-test-exec

So the test fails, because a private sysfs was not mounted. NB the above snippet is taken from debug level logs when running this test manually in a LXD container.

Nick Rosbrook (enr0n) wrote :

I think this test will just need to remain skipped. Since systemd gets -EPERM when trying to mount the private sysfs, it just takes some fallback code and re-uses the existing sysfs, which means that dummy-test-exec will still be accessible through sysfs. I can't currently think of a good way to generalize a patch for upstream, so we will probably just keep this in Ubuntu only.
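
Added example, not part of the original thread or of systemd: a small Python check for the pattern described in the two comments above, where a namespace mount fails during sandbox setup and the command still runs. It assumes, as in the quoted log, that setup lines are tagged `(name)[pid]` and the command's own output `name[pid]`; the function name, the regexes and the PID 570 lines are constructed for illustration.

```python
import re

# Constructed sample: three debug lines from the comment above (PID 565) plus
# two constructed lines for a unit whose sandbox setup logged no failure (PID 570).
SAMPLE = '''\
Jan 04 21:10:39 noble (sh)[565]: Applying namespace mount on /run/systemd/mount-rootfs/sys
Jan 04 21:10:39 noble (sh)[565]: Failed to mount sysfs (type sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC ""): Permission denied
Jan 04 21:10:39 noble sh[565]: + test ! -e /sys/class/net/dummy-test-exec
Jan 04 21:10:40 noble (sh)[570]: Applying namespace mount on /run/systemd/mount-rootfs/sys
Jan 04 21:10:40 noble sh[570]: + test ! -e /sys/class/net/dummy-test-exec
'''

# "Mon DD HH:MM:SS host tag[pid]: message"; tag may be parenthesised.
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<tag>\(?[^\[\]()]+\)?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
MOUNT_FAIL = re.compile(
    r"^Failed to mount \S+ \(type (?P<fstype>\S+)\) on \S+ .*: (?P<err>[^:]+)$"
)


def degraded_sandboxes(log_text):
    """Return {pid: [(fstype, error), ...]} for processes whose namespace
    mount failed during setup and whose command was executed anyway."""
    failed, ran = {}, set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, tag, msg = int(m["pid"]), m["tag"], m["msg"]
        if tag.startswith("("):        # setup stage: sandbox being built
            f = MOUNT_FAIL.match(msg)
            if f:
                failed.setdefault(pid, []).append((f["fstype"], f["err"]))
        elif pid in failed:            # same PID now logging as the command
            ran.add(pid)
    return {pid: failed[pid] for pid in sorted(ran)}


if __name__ == "__main__":
    for pid, failures in degraded_sandboxes(SAMPLE).items():
        for fstype, err in failures:
            print(f"PID {pid}: ran without private {fstype} ({err})")
```

PIDs are matched across the whole input, so feed it one test run or one boot at a time to avoid false matches from PID reuse.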

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 255.2-3ubuntu2

---------------
systemd (255.2-3ubuntu2) noble; urgency=medium

  * test: skip test_exec_networknamespacepath if netns setup fails (LP: #2046498)
    Files:
    - debian/patches/lp2046498-test-skip-test_exec_networknamespacepath-if-netns-setup-f.patch
    - debian/patches/test-skip-failing-test-execute-tests-in-LXC.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=de1fcf756e47858f4a206db97434bce4a71384d0
  * test: skip TEST-43-PRIVATEUSER-UNPRIV if unprivileged userns is restricted
    File: debian/patches/test-skip-TEST-43-PRIVATEUSER-UNPRIV-if-unprivileged-user.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2aba69874c83289c43d199ca360aa2fc451486a7
  * Drop debian/UBUNTU-src-test-test-execute.c-Skip-parts-of-test-execute-in-con.patch.
    This will be re-addressed with a different patch.
    File: debian/patches/debian/UBUNTU-src-test-test-execute.c-Skip-parts-of-test-execute-in-con.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c3cd814e028364fe0c641d4bacfce22aafd1b572
  * Drop test-skip-failing-test-execute-tests-in-LXC.patch.
    This will be re-addressed with different patches.
    File: debian/patches/test-skip-failing-test-execute-tests-in-LXC.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ab853707f4cc3e7e2d5993ff38998c3c2c789f62
  * test: temporarily skip credentials tests in LXC.
    This was already skipped in another patch, but now that we know what's
    going on with it, split it out.
    File: debian/patches/test-temporarily-skip-credentials-tests-in-LXC.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c71acb411d315267fe811f024cdab97e032453f3
  * test: skip test-execute in arhmf LXC containers
    File: debian/patches/test-skip-test-execute-in-arhmf-LXC-containers.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1cb1e3060822bfadddead564e779942e73e02f62
  * test: skip exec-privatenetwork-yes-privatemounts-yes.service in LXC (LP: #2046495)
    File: debian/patches/test-skip-exec-privatenetwork-yes-privatemounts-yes.servi.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3ab76fd2db4291ee0531a07085c72cee06cb0d12
  * test: skip a systemd-run test if unprivileged userns is restricted
    File: debian/patches/test-skip-a-systemd-run-test-if-unprivileged-userns-is-re.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c85f2b4e32ee8fd1c0dc58d23e7fabdb7590d3cc
  * test-execute: skip tests that are broken without unprivileged userns
    File: debian/patches/test-execute-skip-tests-that-are-broken-without-unprivile.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7a6573c4f5133a7fec11fb059dd215f7c8c2204e

 -- Nick Rosbrook <email address hidden> Wed, 24 Jan 2024 14:53:46 -0500

Changed in systemd (Ubuntu):
status: New → Fix Released