Canonical Juju

Bug #1665160
Comment #8

Comment 8 for bug 1665160

Revision history for this message

James Henstridge (jamesh) wrote on 2017-04-20:

Anastasia asked me to take a look at this. I'm still not sure what the underlying cause is, but here is some of what I've discovered so far.

1. There has been a change in policykit-1 that sounds like it might be relevant. Namely:

  [ Martin Pitt ]
  * Use PAM's common-session-noninteractive modules for pkexec instead of
    common-session. The latter also runs pam_systemd (the only difference
    normally) which is a no-op under the classic session-centric
    D-BUS/graphical login model (as it won't start a new one if it is already
    running within a logind session), but very expensive when using
    dbus-user-session and being called from a service that runs outside the
    PAM session. This causes long delays in e. g. gnome-settings-daemon's
    backlight helpers. (LP: #1626651)

So if something is being run by pkexec, it is no longer executing pam_systemd.so. That module is responsible for registering with logind, setting up the user bus, etc.

So it seems possible that there is some code in the test suite that looked like it was running under an interactive user session on Xenial, but doesn't any more on Zesty.

2. The default policies for systemd1.manage-units haven't changed between versions. In both cases, it reads:

        <action id="org.freedesktop.systemd1.manage-units">
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>

So it is possible that the test works on previous versions by piggy backing off a previous authorisation via auth_admin_keep. If we look like a non-interactive invocation on Zesty, we may need authentication every time now.

3. Maybe we can bypass all of this by configuring the polkit local authority to allow the test process to manage units unconditionally. This would work for all versions irrespective of whether we look like an interactive session.

This would involve placing a policy file under /etc/polkit-1/localauthority/50-local.d before running the tests.

Anastasia asked me to take a look at this.  I'm still not sure what the underlying cause is, but here is some of what I've discovered so far.

1. There has been a change in policykit-1 that sounds like it might be relevant.  Namely:

So if something is being run by pkexec, it is no longer executing pam_systemd.so.  That module is responsible for registering with logind, setting up the user bus, etc.

So it seems possible that there is some code in the test suite that looked like it was running under an interactive user session on Xenial, but doesn't any more on Zesty.

2. The default policies for systemd1.manage-units haven't changed between versions.  In both cases, it reads:

So it is possible that the test works on previous versions by piggy backing off a previous authorisation via auth_admin_keep.  If we look like a non-interactive invocation on Zesty, we may need authentication every time now.

3. Maybe we can bypass all of this by configuring the polkit local authority to allow the test process to manage units unconditionally.  This would work for all versions irrespective of whether we look like an interactive session.

This would involve placing a policy file under /etc/polkit-1/localauthority/50-local.d before running the tests.