usage of /tmp during boot is not safe due to systemd-tmpfiles-clean
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
cloud-init | Fix Released | High | Unassigned | |
cloud-init (Ubuntu) | Fix Released | High | Unassigned | |
systemd (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
Earlier this week on Zesty on Azure I saw a cloud-init failure in its 'mount_cb' function.
That function essentially does:
a.) make a tmp directory for a mount point
b.) mount some filesystem to that mount point
c.) call a function
d.) unmount the directory
What I recall was that access to a file inside the mount point failed during 'c'.
This seems possible as systemd-
It seems that this service basically inhibits *any* other service from using tmp files.
Its ordering statements are only:
After=
Before=
So while in most cases only services that run early in the boot process like cloud-init will be affected, any service could have its tmp files removed. This service could take quite a long time to run if /tmp/ had been filled with lots of files in the previous boot.
Related branches
- Ryan Harper: Approve
- Chad Smith: Approve
- Server Team CI bot: Approve (continuous-integration)
Diff: 355 lines (+112/-46), 10 files modified
cloudinit/config/cc_bootcmd.py (+2/-1)
cloudinit/config/cc_chef.py (+2/-1)
cloudinit/config/cc_snappy.py (+2/-2)
cloudinit/net/dhcp.py (+2/-1)
cloudinit/sources/helpers/azure.py (+2/-2)
cloudinit/temp_utils.py (+93/-0)
cloudinit/util.py (+2/-34)
packages/bddeb (+3/-2)
tests/unittests/test_datasource/test_azure_helper.py (+2/-2)
tests/unittests/test_net.py (+2/-1)
Changed in cloud-init:
status: Confirmed → Fix Committed
systemd-tmpfiles-clean is racy, but only cleans things as per tmpfiles.d/ configs in /run /etc /usr/lib, for things that explicitly specify to clean themselves older than some value.
For /tmp the affected paths are older than 10 days only:
d /tmp/.X11-unix 1777 root root 10d
d /tmp/.ICE-unix 1777 root root 10d
d /tmp/.XIM-unix 1777 root root 10d
d /tmp/.font-unix 1777 root root 10d
d /tmp/.Test-unix 1777 root root 10d
To figure out what actually happened, we need a reproducer or detailed logs, including journal, and contents of /run/tmpfiles.d /etc/tmpfiles.d /usr/lib/tmpfiles.d
I do not recommend using /tmp on security grounds, but I do recommend setting PrivateTmp=true in the systemd units to get a secure /tmp /var/tmp for your service.
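
The check the comment above asks for, whether any tmpfiles.d entry puts a given path under age-based cleanup, as an added example (not code from cloud-init, systemd, or anyone in this thread). The sample config is constructed: the two `.X11-unix`/`.ICE-unix` lines are quoted from this page, the others are made up for contrast. Globs, specifiers, quoted paths and `x`/`X` exclusions are not modelled.

```python
from pathlib import PurePosixPath

# Directory line types for which tmpfiles.d(5) honours the Age field.
# A modifier such as "!" may follow the type letter, so only typ[0] is checked.
AGE_TYPES = set("dDevqQ")

# Constructed sample input. The first two entries are quoted on this page;
# the last two are contrast lines made up here, not from any shipped config.
SAMPLE = """\
# constructed sample
d /tmp/.X11-unix 1777 root root 10d
d /tmp/.ICE-unix 1777 root root 10d
q /tmp 1777 root root 10d
D /run/example 0755 root root -
"""

def parse_tmpfiles(text):
    """Yield (type, path, age) per entry; age is None when unset or '-'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: needs at least a type and a path
        age = fields[5] if len(fields) > 5 and fields[5] != "-" else None
        yield fields[0], fields[1], age

def aging_entries_for(path, text):
    """Return (entry_path, age) for entries that contain `path` and set an Age."""
    target = PurePosixPath(path)
    hits = []
    for typ, entry_path, age in parse_tmpfiles(text):
        if typ[0] not in AGE_TYPES or age is None:
            continue
        entry = PurePosixPath(entry_path)
        # Age-based cleanup applies to what lives below the entry's directory.
        if entry == target or entry in target.parents:
            hits.append((entry_path, age))
    return hits

if __name__ == "__main__":
    for p in ("/tmp/tmpAbC123/mnt", "/tmp/.X11-unix/X0", "/run/example/work"):
        print(p, "->", aging_entries_for(p, SAMPLE) or "no age-based cleanup")
```

On a real host, feed it the concatenated contents of /run/tmpfiles.d, /etc/tmpfiles.d and /usr/lib/tmpfiles.d instead of `SAMPLE`.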