229-4ubuntu18: '+' command prefix does not work in ExecStart*= and ExecStop*=

Bug #1704677 reported by linuxball on 2017-07-16
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
systemd (Ubuntu) | | Critical | Dimitri John Ledkov |
Xenial | | Critical | Dimitri John Ledkov |

Bug Description

[Impact]
229-4ubuntu18 included changes irrelevant for xenial, which whilst harmless generates a lot of scary journal entries.

[Fix]
Drop the cherrypicked ExecStart|StopPost stanzas from the drop-in snippet. Integration of the resolved stub resolver with resolvconf on xenial is not required, because resolved in xenial does not have stub resolver. Also xenial's systemd does not support '+' prefix on the Exec* lines.

[Testcase]
Upgrade to the new SRU, make sure testcase from https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1673860 still passes.

Check that there are no extra journal warnings/errors about "Executable path is not absolute" from systemd reading /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf

[Original Description]

The systemd version 229-4ubuntu18 from xenial-proposed archive has a bug. The '+' prefix (see https://www.freedesktop.org/software/systemd/man/systemd.service.html) in ExecStart*= and ExecStop*= statements does not work any longer.

File /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf of this version contains two commands prefixed with '+':

# When resolved is in use, it must be brought up before we consider networking
# available because otherwise there is a window where DNS resolution doesn't
# work.
[Unit]
Before=network-online.target

# tell resolvconf about resolved's builtin DNS server, so that DNS servers
# picked up via networkd are respected when using resolvconf, and that software
# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS
# resolution
[Service]
ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved'
ExecStopPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || /sbin/resolvconf -d systemd-resolved'

Those two statements in section [Service] lead to the following two error messages in dmesg:

[ 3.687475] systemd[1]: [/lib/systemd/system/systemd-resolved.service.d/resolvconf.conf:12] Executable path is not absolute, ignoring: +/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved'
[ 3.687614] systemd[1]: [/lib/systemd/system/systemd-resolved.service.d/resolvconf.conf:13] Executable path is not absolute, ignoring: +/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || /sbin/resolvconf -d systemd-resolved'
---
ApportVersion: 2.20.1-0ubuntu2.9
Architecture: amd64
CurrentDesktop: LXDE
DistroRelease: Ubuntu 16.04
MachineType: LENOVO 42406AG
Package: systemd 229-4ubuntu18
PackageArchitecture: amd64
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-85-lowlatency root=UUID=1756e76f-2b6c-479f-8ea3-e3b087b1922f ro quiet apparmor=0
ProcVersionSignature: Ubuntu 4.4.0-85.108-lowlatency 4.4.73
Tags: xenial package-from-proposed third-party-packages
Uname: Linux 4.4.0-85-lowlatency x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom colord davfs2 dialout dip fax floppy libvirtd lpadmin netdev plugdev saned scanner sudo tape video wireshark
_MarkForUpload: True
mtime.conffile..etc.pam.d.systemd-user: 2017-03-09T13:47:30.332992
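
The check from [Testcase] and an audit for the unsupported '+' prefix, as an added example that is not part of the original report or of systemd. The function names are hypothetical, and the sample drop-in is constructed from the one quoted above with shortened commands.

```sh
#!/bin/sh
# Added example; the function names are hypothetical, not systemd tooling.

# stdin: journal or dmesg text. Prints "unit-file:line" for every Exec*=
# directive that PID 1 dropped with the message quoted in this report.
ignored_exec_lines() {
    sed -n 's/.*systemd\[1]: \[\([^]]*\)] Executable path is not absolute, ignoring: .*/\1/p'
}

# $1: unit file or drop-in. Prints "line:directive" for every Exec*= entry
# whose command starts with the '+' prefix (optionally after '-' or '@').
plus_prefixed_exec() {
    awk '/^Exec[A-Za-z]*=[-@]*[+]/ { sub(/=.*/, ""); print NR ":" $0 }' "$1"
}

# Constructed drop-in modelled on resolvconf.conf, with shortened commands.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/resolvconf.conf" <<'EOF'
[Unit]
Before=network-online.target
[Service]
ExecStartPost=+/bin/sh -c 'echo start'
ExecStopPost=+/bin/sh -c 'echo stop'
ExecReload=-/bin/true
EOF
    plus_prefixed_exec "$tmp/resolvconf.conf"
    rm -rf "$tmp"
}

# With file arguments, audit those files; with none, run the demo.
if [ "$#" -gt 0 ]; then
    for f; do plus_prefixed_exec "$f"; done
else
    demo
fi
```

On an upgraded host, piping `journalctl -b` or `dmesg` into `ignored_exec_lines` should print nothing; any output names a drop-in whose Exec line was silently skipped.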

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1704677

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Langasek (vorlon) on 2017-07-17
affects: linux (Ubuntu) → systemd (Ubuntu)
Changed in systemd (Ubuntu):
status: Incomplete → New
importance: Undecided → Critical
assignee: nobody → Dimitri John Ledkov (xnox)

apport information

tags: added: apport-collected package-from-proposed third-party-packages
description: updated

linuxball (linuxball) on 2017-07-17
Changed in systemd (Ubuntu):
status: New → Confirmed
Changed in systemd (Ubuntu):
status: Confirmed → Invalid
Changed in systemd (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Dimitri John Ledkov (xnox)
milestone: none → ubuntu-16.04.3
description: updated
Dimitri John Ledkov (xnox) wrote :

systemd (229-4ubuntu19) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: partially
    revert, by removing ExecStart|StopPost lines, as these are not needed on
    xenial and generate warnings in the journal. (LP: #1704677)

systemd (229-4ubuntu18) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: if resolved
    is going to be started, make sure this blocks network-online.target.
    (LP: #1673860)
  * networkd: cherry-pick support for setting bridge port's priority
    (LP: #1668347)
  * Cherrypick upstream commit to enable system use kernel maximum limit for
    RLIMIT_NOFILE instead of hard-coded (low) limit of 65536. (LP: #1686361)
  * Cherrypick upstream patch for platform predictable interface names.
    (LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
    (LP: #1692136)
  * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
    - CVE-2017-9445
  * Cherry-pick subset of patches to introduce infinity value in logind.conf
    for UserTasksMax (LP: #1651518)

Date: Mon, 17 Jul 2017 17:00:42 +0100
Changed-By: Dimitri John Ledkov <email address hidden>
Maintainer: Ubuntu Developers <email address hidden>
https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu19

==

 OK: systemd_229.orig.tar.gz
 OK: systemd_229-4ubuntu19.debian.tar.xz
 OK: systemd_229-4ubuntu19.dsc
     -> Component: main Section: admin

Upload Warnings:
Redirecting ubuntu xenial to ubuntu xenial-proposed.
This upload awaits approval by a distro manager

Changed in systemd (Ubuntu Xenial):
status: Triaged → In Progress

Hello linuxball, or anyone else affected,

Accepted systemd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu19 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in systemd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Dimitri John Ledkov (xnox) wrote :

Starting with systemd 229-4ubuntu17.
Observed:
No errors w.r.t. resolvconf snippet in journal.

Upgraded to systemd 229-4ubuntu19
Still no errors w.r.t. resolvconf snippet in the journal. Thus this regression-proposed has been resolved.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
linuxball (linuxball) wrote :

I tested the proposed package (systemd 229-4ubuntu19) in my xenial system (see above apport info) and I can confirm that the committed fix works.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 229-4ubuntu19

---------------
systemd (229-4ubuntu19) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: partially
    revert, by removing ExecStart|StopPost lines, as these are not needed on
    xenial and generate warnings in the journal. (LP: #1704677)

systemd (229-4ubuntu18) xenial; urgency=medium

  * debian/extra/units/systemd-resolved.service.d/resolvconf.conf: if resolved
    is going to be started, make sure this blocks network-online.target.
    (LP: #1673860)
  * networkd: cherry-pick support for setting bridge port's priority
    (LP: #1668347)
  * Cherrypick upstream commit to enable system use kernel maximum limit for
    RLIMIT_NOFILE instead of hard-coded (low) limit of 65536. (LP: #1686361)
  * Cherrypick upstream patch for platform predictable interface names.
    (LP: #1686784)
  * resolved: fix null pointer dereference crash (LP: #1621396)
  * Cherrypick core/timer downgrade message about random time addition
    (LP: #1692136)
  * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546)
    - CVE-2017-9445
  * Cherry-pick subset of patches to introduce infinity value in logind.conf
    for UserTasksMax (LP: #1651518)

 -- Dimitri John Ledkov <email address hidden> Mon, 17 Jul 2017 17:00:42 +0100

Changed in systemd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

tags: added: id-596df10ca7021ce6e7899a19