libpolkit requires files from policykit for polkit_context_init to work

Hi,

I wonder if this was just a temporary thing caused by the upgrade.
Does this message show up only once? If you reboot does it
appear again?

Thanks,

James

I just read the syslog for today and I noticed that the message is appearing approximately every 10 minutes.

Hi,

I assume you've rebooted since the upgrade?

Are you able to use policykit from other applications? Does
polkit-auth work for you? System->Administration->Users and Groups?

Thanks,

James

I should have mentioned earlier in the summary that I'm running Ubuntu Server, so I'm not entirely sure where policykit is used (if at all). As for the first question, I have rebooted many times since the upgrade and see the message every time.

Hi,

Thanks for the clarification, could you please find out which policykit
packages you have installed?

  dpkg -l \*polkit\* \*policykit\*

Thanks,

James

$ dpkg -l \*polkit\* \*policykit\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii libpolkit2 0.9-1ubuntu2 library for accessing PolicyKit
No packages found matching *policykit*.

apt-get install policy-kit will fix that up for you. Not sure why intrepid needs it and hardy does not. Also running server edition on my end.

I can confirm that installing "policykit" appears to resolve the issue. I haven't noticed the error since installing this package. If the policykit package is required by Intrepid, it should be added as a dependency to one of the metapackages.

Hardy has the console-kit-daemon installed by default but does not need the policykit to run without errors in the syslog. With Intrepid, it has the console-kit-daemon installed by default and writes errors to the syslog WITHOUT policykit installed. I do not believe policykit is a dependency of console-kit-daemon, it may just be a library it needs. When I get to work monday, I will look into it more, since I have a hardy and intrepid server up and running now.

Hi,

Can you kill any running console-kit-daemon processes and
then launch one with

  POLKIT_DEBUG=1

in the environment (bear in mind that sudo will strip this, so
doing it from a "sudo -s" shell would be better).

This should help pinpoint the problem.

In Intrepid consolekit now depends on policykit, but I would
assume that libpolkit would be sufficient. I'm interested why
it doesn't seem to be.

Thanks,

James

With a fresh new installation of Intrepid today, console-kit is installed and policykit is not, so how is policykit a dependency of console-kit?

Also, libpolkit is not installed by default on Intrepid, nor is it installed by default on Hardy.

I ran console-kit-daemon with POLKIT_DEBUG=1 but I get nothing extra in my syslog or daemon.log but syslog:Oct 6 16:53:55 ubuntu console-kit-daemon[18563]: CRITICAL: cannot initialize libpolkit

Something else you would like me to try?

I noticed that I had a console-kit-daemon process running so I killed
that. This was before I uninstalled policykit for this test. After
uninstalling policykit (libpolkit2 still installed), I was unable to
start the console-kit-daemon process from a "sudo -s" shell. The same
error message was appearing in syslog each time I tried to start the
process.

Oct 7 09:26:53 ubuntu console-kit-daemon[20399]: CRITICAL: cannot
initialize libpolkit

After reinstalling policykit, the console-kit-daemon process started fine.

Matt,

  apt-cache show consolekit | grep Depends
  Depends: ..., libpolkit2 (>= 0.7), ...

I meant that it depends on "policykit" the project, the software,
the abstract, the package depends on libpolkit2, as you can see.

Thanks both of you for trying to debug this. I don't have any
more suggestions at this moment.

Thanks,

James

OK, I understand now. When you have more suggestions, let me know.

Hi,

We can narrow down which part of policykit makes this work by installing
it a bit at a time.

Please uninstall policykit such that you have just libpolkit2 installed and
you get the error. Then please find which of the following packages (or
combination thereof) makes consolekit work:

libpolkit-dbus2
libpolkit-grant2
policykit

That will hopefully give us a clue as to what is going on here.

Thanks,

James

Hi,

Don't worry about testing, I think I've got it. If you were to perform that test
I think you would find that only installing policykit would fix it.

The problem appears to be this:

src/polkit/polkit-context.c has this:

                /* Watch the /etc/PolicyKit/PolicyKit.conf file */
                pk_context->inotify_config_wd = inotify_add_watch (pk_context->inotify_fd,
                                                                   PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf",
                                                                   IN_MODIFY | IN_CREATE | IN_ATTRIB);
                if (pk_context->inotify_config_wd < 0) {
                        polkit_debug ("failed to add watch on file '" PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf': %s",
                                   strerror (errno));
                        /* TODO: set error */
                        goto error;
                }

and similar for /var/lib/misc/Policykit.reload.

You can't set an inotify watch on a non-existent file, and these files
are shipped as part of the policykit package.

Therefore currently libpolkit2 requires files from the policykit file to operate,
but doesn't depend on the package.

The inotify_add_watch calls have IN_CREATE, hinting to me that it intends it
to work if they don't exist, but this doesn't have the intended effect. Therefore
I will report this issue upstream.

As well as fixing this in that fashion we can fix it in the packaging, at least
temporarily. However, I can't really think of a way of doing that that doesn't have
headaches.

I'll notify the server team of this.

Thanks,

James

I just checked fedora's packaging of this (the packaging was originally done
by the policykit author), and they just have one big policykit package, rather
than the split we have.

Perhaps we should follow suit, though I don't know if this would suit the server
team.

Thanks,

James

Tomas, Matt,

I'm interested in how you ended up with consolekit installed, do you know?

"aptitude why consolekit" should help with that.

Thanks,

James

I can tell you what it told me but I know it's wrong.

root@:~# aptitude why consolekit
i policykit Depends consolekit

I didn't install policykit until after I got these errors in my syslog. Consolekit came installed with ubuntu server. When I installed it, I did not tell it to install anything extra. I did the bare minimum it would let me.

I seem to be getting the same results as Matt. I didn't install the
policykit package until after I noticed these errors. My install of
Intrepid was upgraded from a new install of 8.04.

On Tue, 2008-10-07 at 22:32 +0000, TomasCassidy wrote:
> I seem to be getting the same results as Matt. I didn't install the
> policykit package until after I noticed these errors. My install of
> Intrepid was upgraded from a new install of 8.04.
>

Yeah, sorry guys, I'm assuming you ran the "why" command with
"policykit" installed. Un-installing that once more may give
a better answer.

Thanks,

James

with policy kit uninstalled...

root:~# aptitude why consolekit
i dbus Depends consolekit (>= 0.2.3-3ubuntu2)

On Wed, 2008-10-08 at 00:13 +0000, Matt Jamison wrote:
> with policy kit uninstalled...
>
> root:~# aptitude why consolekit
> i dbus Depends consolekit (>= 0.2.3-3ubuntu2)
>

Thanks. It doesn't give a reason for dbus, suggesting that you
installed it yourself, is that the case? Does it give one
if you ask it why dbus is installed?

Thanks,

James

tom@ubuntu:~$ aptitude why consolekit
i dbus-x11 Depends dbus
i A dbus Depends consolekit (>= 0.2.3-3ubuntu2)
tom@ubuntu:~$ aptitude why dbus
i dbus-x11 Depends dbus
tom@ubuntu:~$ aptitude why dbus-x11
i libdbus-1-3 Recommends dbus
i A dbus Recommends dbus-x11
tom@ubuntu:~$ aptitude why libdbus-1-3
i wpasupplicant Depends libdbus-1-3 (>= 1.1.1)
tom@ubuntu:~$ aptitude why wpasupplicant
i ubuntu-minimal Depends wpasupplicant

I can't seem to recall whether I manually installed dbus myself when
the system was on 8.04.

After searching through the output of "apt-cache rdepends dbus", it looks like it was installed when I installed the 'avahi-daemon' package in 8.04.

On Wed, 2008-10-08 at 02:20 +0000, TomasCassidy wrote:
> tom@ubuntu:~$ aptitude why consolekit
> i dbus-x11 Depends dbus
> i A dbus Depends consolekit (>= 0.2.3-3ubuntu2)
> tom@ubuntu:~$ aptitude why dbus
> i dbus-x11 Depends dbus
> tom@ubuntu:~$ aptitude why dbus-x11
> i libdbus-1-3 Recommends dbus
> i A dbus Recommends dbus-x11
> tom@ubuntu:~$ aptitude why libdbus-1-3
> i wpasupplicant Depends libdbus-1-3 (>= 1.1.1)
> tom@ubuntu:~$ aptitude why wpasupplicant
> i ubuntu-minimal Depends wpasupplicant
>
>
> I can't seem to recall whether I manually installed dbus myself when
> the system was on 8.04.
>

Thanks, this seems to be the case of libdbus-1-3 recommending
dbus, causing ubuntu-minimal to install dbus, which has been
fixed in later versions.

Thanks,

James

Just another data-point:

I performed a clean install of 8.10 Beta server.

Used aptitude to 'update' installed packages, and then installed some additional packages: autofs, nfs, ldap client pkgs, ntp, tftpd
Then, I noticed the log msg ".... console-kit-daemon[13695]: CRITICAL: cannot initialize libpolkit"

aptitude why consolekit --> dbus depends
aptitude why dbus --> dbus-x11 depends
aptitude why dbus-x11 --> dbus recommends

Seems circular to me... I was able to remove dbus-x11, dbus, and consolekit without issue.

Hi,

After talking with Michael Biebl, the Debian maintainer, for a while about
the issue it seems like the current situation may well be ok, and the
warning reasonable.

I'll hopefully have a concrete answer in the next few days.

Does anyone use consolekit for anything on their server installs?
Does that still work with this warning?

Thanks,

James

I was searching around about the error mentioned above and found this bug report. I went and did the research and came across alot of the same initiatives. I did a clean cli only based install of Ubuntu 8.10 Server (released version) and also added the OpenSSH server option during install. Afterwards several packages were installed however I do not remember ever installing dbus. For the developers and maintainers I'm sure you all have this but I will post this here. These seem to be pretty critical packages to me and probably installed when I setup the distro.

dbus - simple interprocess messaging system
dbus-x11 - simple interprocess messaging system (X11 deps)
consolekit - framework for defining and tracking users, sessions and seats

I also have libpolkit2 installed but do not know why. If any functions were to be broken what would they be? I can add and remove users or groups via commandline just fine and all my stuff is done on the console. More specifically what does the policykit package provide?

I have the same problem with a fresh install of 8.10 server. Selected to install openssh and apache during install and thats all. Did a apt-get upgrade nothing else. Error appears every 10 mins in syslog.

Ah, should wait for upstream's feedback.

Hi Martin,

What feedback are you waiting for from upstream?

Moving these files into libpolkit would cause problems (file conflicts) whenever the libpolkit soname changes, so should be avoided if possible.

The code James cites uses a function named 'polkit_debug' - perhaps if this is for debugging only, it should not log anything by default? Or perhaps we should not log debug-priority messages to /var/log/syslog by default.

Either way, from the log it doesn't sound like this functionally impairs the use of the library, is this really an SRU candidate or should we 'wontfix' the per-release tasks?

If this becomes 'wontfix' then someone please open a bug about the error messages in the log files. The problem, if nothing else, is the many hours people waste trying to diagnose this issue.

I have a plain install of Ubuntu 8.10 Server. As ClarkTucker wrote on 2008-10-08, "aptitude why <x>" yields:

consolekit: dbus Depends consolekit (>=0.2.3-3ubuntu2)
dbus: dbus-x11 Depends dbus
dbus-x11: dbus Recommends dbus-x11

I don"t have an X server installed. Can anyone confirm that I may remove consolekit, dbus, and dbus-x11 without any trouble?

This also affects 9.04 server. I've just done a fresh install and selected just Openssh Server as a package.

Mar 25 10:10:01 PowerEdge6300 console-kit-daemon[3264]: CRITICAL: cannot initialize libpolkit

root@PowerEdge6300:~# aptitude why consolekit
i dbus Depends consolekit (>= 0.2.3-3ubuntu2)
root@PowerEdge6300:~# aptitude why dbus
i dbus-x11 Depends dbus
root@PowerEdge6300:~# aptitude why dbus-x11
i dbus Recommends dbus-x11

Although fixing PolicyKit for this case should be possible, it would be a rather intrusive patch, and given its security sensitive nature, I'd rather remove its defences.

I think it is more appropriate to make ConsoleKit work if PolityKit initialization fails. In that case it should just disable the reboot/halt functionality, just as if it would have been compiled without PK support in the first place.

I updated the upstream bugs accordingly and sent my CK patch to upstream.

Fixed consolekit uploaded.

This bug was fixed in the package consolekit - 0.3.0-2ubuntu3

---------------
consolekit (0.3.0-2ubuntu3) jaunty; urgency=low

  * Add 13-work-without-policykit.patch: If PolicyKit cannot be initialized,
    just disable support for it, do not fail completely. (LP: #275432)

 -- Martin Pitt <email address hidden> Thu, 26 Mar 2009 10:42:26 +0100