Activity log for bug #2038894

Date Who What changed Old value New value Message
2023-10-10 08:01:35 Philip Roche bug added bug
2023-10-10 08:08:00 Andrew Cloke bug added subscriber Andrew Cloke
2023-10-10 17:12:09 Nick Rosbrook bug task added systemd (Ubuntu)
2023-10-10 17:12:21 Nick Rosbrook systemd (Ubuntu): importance Undecided High
2023-10-10 17:12:39 Nick Rosbrook tags foundations-todo
2023-10-10 17:12:52 Nick Rosbrook systemd (Ubuntu): assignee Nick Rosbrook (enr0n)
2023-10-10 17:28:52 Steve Langasek nominated for series Ubuntu Mantic
2023-10-10 17:28:52 Steve Langasek bug task added systemd (Ubuntu Mantic)
2023-10-13 13:00:06 Launchpad Janitor systemd (Ubuntu): status New Confirmed
2023-10-14 04:16:24 Birgit Edel bug added subscriber Birgit Edel
2023-10-17 14:07:23 Nick Rosbrook description

Old value: the original bug description, reproduced verbatim under [Original Description] in the new value below.

New value:

[Impact]

In the latest Ubuntu 23.10 cloud images we are seeing unexpected UDP listening port 5353. By default and by policy, aside from port 22 there should be no other open ports on Ubuntu cloud images. Listening port 5353 is a regression.

[Test Plan]

Check that port 5353 is not open, and in particular that systemd-resolved is not listening on 5353. This is what it looks like when systemd-resolved *is* listening on 5353:

```
$ ss --listening --no-header --tcp --udp --numeric
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.154.0.17%ens4:68 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 *:22 *:*
```

```
$ sudo lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 153u IPv6 17848 0t0 TCP *:22 (LISTEN)
systemd-r 321 systemd-resolve 11u IPv4 16159 0t0 UDP *:5353
systemd-r 321 systemd-resolve 12u IPv6 16161 0t0 UDP *:5353
systemd-r 321 systemd-resolve 15u IPv4 16164 0t0 UDP 127.0.0.53:53
systemd-r 321 systemd-resolve 16u IPv4 16165 0t0 TCP 127.0.0.53:53 (LISTEN)
systemd-r 321 systemd-resolve 17u IPv4 16166 0t0 UDP 127.0.0.54:53
systemd-r 321 systemd-resolve 18u IPv4 16167 0t0 TCP 127.0.0.54:53 (LISTEN)
systemd-n 431 systemd-network 18u IPv4 17227 0t0 UDP 10.154.0.17:68
google_os 566 root 3u IPv4 18555 0t0 TCP 10.154.0.17:60818->169.254.169.254:80 (ESTABLISHED)
google_gu 739 root 13u IPv4 19822 0t0 TCP 10.154.0.17:35516->169.254.169.254:80 (ESTABLISHED)
sshd 747 root 3u IPv6 17848 0t0 TCP *:22 (LISTEN)
chronyd 1720 _chrony 5u IPv4 21448 0t0 UDP 127.0.0.1:323
chronyd 1720 _chrony 6u IPv6 21449 0t0 UDP [::1]:323
sshd 1761 root 4u IPv6 22688 0t0 TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
sshd 1882 ubuntu 4u IPv6 22688 0t0 TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
```

[Where problems could occur]

This patch reverts a change that enables MulticastDNS=resolve by default in systemd. Mantic is the first release where this is done, so it should not break existing users. If a user does want this behavior back, all they need to do is override the default /etc/systemd/resolved.conf.

[Original Description]

In the latest Ubuntu 23.10 cloud images we are seeing unexpected UDP listening port 5353. By default and by policy, aside from port 22 there should be no other open ports on Ubuntu cloud images. Listening port 5353 is a regression.

Ubuntu 23.10 debug

```
$ ss --listening --no-header --tcp --udp --numeric
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.154.0.17%ens4:68 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 *:22 *:*
```

This shows port 5353 open. To find out what is listening on this port:

```
$ sudo lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 153u IPv6 17848 0t0 TCP *:22 (LISTEN)
systemd-r 321 systemd-resolve 11u IPv4 16159 0t0 UDP *:5353
systemd-r 321 systemd-resolve 12u IPv6 16161 0t0 UDP *:5353
systemd-r 321 systemd-resolve 15u IPv4 16164 0t0 UDP 127.0.0.53:53
systemd-r 321 systemd-resolve 16u IPv4 16165 0t0 TCP 127.0.0.53:53 (LISTEN)
systemd-r 321 systemd-resolve 17u IPv4 16166 0t0 UDP 127.0.0.54:53
systemd-r 321 systemd-resolve 18u IPv4 16167 0t0 TCP 127.0.0.54:53 (LISTEN)
systemd-n 431 systemd-network 18u IPv4 17227 0t0 UDP 10.154.0.17:68
google_os 566 root 3u IPv4 18555 0t0 TCP 10.154.0.17:60818->169.254.169.254:80 (ESTABLISHED)
google_gu 739 root 13u IPv4 19822 0t0 TCP 10.154.0.17:35516->169.254.169.254:80 (ESTABLISHED)
sshd 747 root 3u IPv6 17848 0t0 TCP *:22 (LISTEN)
chronyd 1720 _chrony 5u IPv4 21448 0t0 UDP 127.0.0.1:323
chronyd 1720 _chrony 6u IPv6 21449 0t0 UDP [::1]:323
sshd 1761 root 4u IPv6 22688 0t0 TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
sshd 1882 ubuntu 4u IPv6 22688 0t0 TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
```

This shows that it is systemd-resolved that is listening, and from https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html:

> The systemd-resolved service listens on the following IP ports:
> Port 5353 on all local addresses, both IPv4 and IPv6 (0.0.0.0 and ::0), for MulticastDNS on UDP. Note that even though the socket is bound to all local interfaces via the selected "wildcard" IP addresses, the incoming datagrams are filtered by the network interface they are coming in on, and separate MulticastDNS link-local scopes are maintained for each, taking into consideration whether MulticastDNS is enabled for the interface or not.

So listening on port 5353 is expected for systemd-resolved and MulticastDNS, but we do not expect this to be enabled by default on cloud images.

```
$ dpkg -l systemd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-==============-============-=================================
ii systemd 253.5-1ubuntu6 amd64 system and service manager
```

Comparing the open ports on an Ubuntu 22.04 multipass VM:

```
$ ss --listening --no-header --tcp --udp --numeric
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.212.201.146%ens3:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
```

```
$ dpkg -l systemd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-==================-============-=================================
ii systemd 249.11-0ubuntu3.10 amd64 system and service manager
```
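The [Test Plan] in the description above, turned into a check that runs offline: an added example, not part of the bug report or of the systemd package. It parses `ss --listening --no-header --tcp --udp --numeric` output and flags any socket bound beyond loopback on a port outside an assumed allowlist (22 for sshd and 68 for the DHCP client, both present on the 22.04 baseline); the two samples are the outputs quoted in the report.

```shell
# Added example (not from the bug report): the [Test Plan] as a check over
# `ss --listening --no-header --tcp --udp --numeric` output. Assumption: the
# cloud-image policy tolerates ports 22 (sshd) and 68 (DHCP client, present on
# both the 22.04 and 23.10 samples in the report); everything else is flagged.
ALLOWED_PORTS="22 68"

# $1: ss output. Prints "netid local-address" for each socket bound to a
# non-loopback address on a port outside the allowlist; returns 1 if any.
unexpected_listeners() {
    found=0
    # ss --no-header fields: Netid State Recv-Q Send-Q Local Peer
    while read -r netid state recvq sendq laddr peer; do
        if [ -z "$netid" ]; then continue; fi
        port=${laddr##*:}    # "[::]:5353" -> 5353, "*:22" -> 22
        addr=${laddr%:*}     # "[::]:5353" -> [::]
        addr=${addr%\%*}     # drop the "%lo" / "%ens4" scope suffix
        case "$addr" in
            127.*|"[::1]") continue ;;   # loopback-only bindings are fine
        esac
        case " $ALLOWED_PORTS " in *" $port "*) continue ;; esac
        printf '%s %s\n' "$netid" "$laddr"
        found=1
    done <<EOF
$1
EOF
    return $found
}

# The specific SRU check: is anything bound to UDP 5353 (MulticastDNS) beyond loopback?
mdns_listening() { unexpected_listeners "$1" | grep -q '^udp .*:5353$'; }

# Constructed sample: the Ubuntu 23.10 output quoted in the report (prompt omitted).
MANTIC_SS='udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.154.0.17%ens4:68 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 *:22 *:*'
# Constructed sample: the Ubuntu 22.04 multipass VM output quoted in the report.
JAMMY_SS='udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.212.201.146%ens3:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'
unexpected_listeners "$MANTIC_SS" || echo "23.10 sample: unexpected listeners above"
```

On a live host, feed it the real output with `unexpected_listeners "$(ss --listening --no-header --tcp --udp --numeric)"`, and use `sudo lsof -i -n -P` as in the report to map a flagged socket to its process.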
2023-10-17 14:24:44 Nick Rosbrook systemd (Ubuntu Mantic): status Confirmed In Progress
2023-10-17 15:46:57 Ubuntu Archive Robot bug added subscriber Nick Rosbrook
2023-10-17 17:21:27 Bart Groeneveld bug added subscriber Bart Groeneveld
2023-10-19 18:19:30 Andreas Hasenack systemd (Ubuntu Mantic): status In Progress Incomplete
2023-10-19 19:16:54 Andreas Hasenack bug added subscriber Andreas Hasenack
2023-10-19 20:43:01 Steve Langasek systemd (Ubuntu Mantic): status Incomplete New
2023-10-26 14:18:55 Andreas Hasenack systemd (Ubuntu Mantic): status New Fix Committed
2023-10-26 14:18:56 Andreas Hasenack bug added subscriber Ubuntu Stable Release Updates Team
2023-10-26 14:19:12 Andreas Hasenack bug added subscriber SRU Verification
2023-10-26 14:19:18 Andreas Hasenack tags foundations-todo foundations-todo verification-needed verification-needed-mantic
2023-10-31 17:04:10 Utkarsh Gupta nominated for series Ubuntu Noble
2023-10-31 17:04:10 Utkarsh Gupta bug task added systemd (Ubuntu Noble)
2023-10-31 18:14:38 Nick Rosbrook systemd (Ubuntu Noble): status New Fix Committed
2023-10-31 22:20:38 Launchpad Janitor systemd (Ubuntu Noble): status Fix Committed Fix Released
2023-11-01 17:44:13 Nick Rosbrook tags foundations-todo verification-needed verification-needed-mantic foundations-todo verification-done verification-done-mantic
2023-11-20 17:08:49 Timo Aaltonen removed subscriber Ubuntu Stable Release Updates Team
2023-11-20 17:08:49 Launchpad Janitor systemd (Ubuntu Mantic): status Fix Committed Fix Released