Ubuntu
systemd package

nsswitch.conf "passwd" entry misses "systemd", breaking DynamicUser=yes systemd units

Bug #2073776 reported by Andrew Martin
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
systemd (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

The 321-1~bpo22.04.1 version of cockpit-ws calls the cockpit user "cockpit-wsinstance":
$ cat usr/lib/sysusers.d/cockpit-wsinstance.conf
u cockpit-wsinstance - "User for cockpit-ws instances" -

However the following systemd files still reference the old "cockpit-ws" username, so the service fails to start:
$ grep -r cockpit-ws$ lib/systemd/system
lib/systemd/system/cockpit-ws-user.service:Description=Dynamic user for cockpit-ws
lib/systemd/system/cockpit-ws-user.service:User=cockpit-ws
lib/systemd/system/cockpit-ws-user.service:Group=cockpit-ws
lib/systemd/system/cockpit-wsinstance-https@.socket:SocketUser=cockpit-ws
lib/systemd/system/cockpit-wsinstance-https-factory.socket:SocketUser=cockpit-ws
lib/systemd/system/cockpit.service:User=cockpit-ws
lib/systemd/system/cockpit.service:Group=cockpit-ws
lib/systemd/system/cockpit-wsinstance-http.socket:SocketUser=cockpit-ws

Can these systemd files be updated to use the new username? Thanks!

Revision history for this message
Martin Pitt (pitti) wrote :

That's not an "old" username. cockpit-ws really needs two. "cockpit-ws" uses DynamicUser=yes, while cockpit-wsinstance is a static user name (for technical reasons). Is anything not working?

Changed in cockpit (Ubuntu):
status: New → Incomplete
Revision history for this message
Andrew Martin (asmartin) wrote :

Yes, cockpit fails to start:
cockpit-wsinstance-https-factory.socket: Job cockpit-wsinstance-https-factory.socket/start failed with result 'dependency'.
cockpit.service: Job cockpit.service/start failed with result 'dependency'.
cockpit-wsinstance-https-factory.socket: Control process exited, code=exited, status=217/USER
cockpit-wsinstance-https-factory.socket: Failed to resolve user cockpit-ws: No such process
cockpit-wsinstance-http.socket: Failed with result 'exit-code'.
Failed to listen on Socket for Cockpit Web Service http instance.
Dependency failed for Cockpit Web Service.
Dependency failed for Socket for Cockpit Web Service https instance factory.

This is on Ubuntu 22.04.

Revision history for this message
Martin Pitt (pitti) wrote :

So can you please check `sudo journalctl -u cockpit-ws-user` ? That should have the root cause of the error.

Revision history for this message
Martin Pitt (pitti) wrote :

And can you pelase check that you have `libnss-systemd` installed (it's a dependency of cockpit-ws) and that /etc/nsswitch.conf "passwd" line includes "systemd"?

Revision history for this message
Andrew Martin (asmartin) wrote :

I checked and `libnss-systemd` was installed, however the "passwd" line in /etc/nsswitch.conf was missing the "systemd" part; once I added it, I was able to successfully start cockpit. Thank you for the help troubleshooting this issue; this bug report can be closed!

Revision history for this message
Martin Pitt (pitti) wrote :

Hmm.. Installing libnss-systemd is supposed to add that line automatically. Do you remember, did you happen to change nsswitch.cnf manually somehow? backup/restore, Ansible, etc?

summary: - cockpit-ws 321-1~bpo22.04.1 changes user to cockpit-wsinstance but
- systemd units still use cockpit-ws as the username
+ nsswitch.conf "passwd" entry misses "systemd", breaking DynamicUser=yes
+ systemd units
affects: cockpit (Ubuntu) → systemd (Ubuntu)
Revision history for this message
Andrew Martin (asmartin) wrote :

Yes, I had changed it with ansible

Revision history for this message
Martin Pitt (pitti) wrote :

OK, thanks for confirming!

Changed in systemd (Ubuntu):
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.