units with credentials fail in LXD containers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-images | Confirmed | Undecided | Unassigned |
lxd | New | Unknown | |
lxd (Ubuntu) | Fix Committed | Undecided | Aleksandr Mikhalitsyn |
samba (Ubuntu) | Fix Released | Undecided | Unassigned |
systemd (Ubuntu) | Triaged | High | Nick Rosbrook |
Bug Description
Many units shipped by systemd use credentials in some way by default now (in v256). So this issue is now about much more than the original test case failure.
For example,
root@oracular:~# apt policy systemd
systemd:
Installed: 256-1ubuntu1
Candidate: 256-1ubuntu1
Version table:
*** 256-1ubuntu1 100
100 http://
100 /var/lib/
255.4-1ubuntu8 500
500 http://
root@oracular:~# for service in $(find /usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
root@oracular:~# systemctl status systemd-
○ systemd-
Loaded: loaded (/usr/lib/
Active: inactive (dead)
Condition: start condition unmet at Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
├─ ConditionNeedsU
└─ ConditionCreden
Docs: man:sysusers.d(5)
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:49 UTC; 59s ago
Invocation: b1aaa662750f488
Docs: man:systemd-
https:/
https:/
Process: 258 ExecStart=
Main PID: 258 (code=exited, status=
○ systemd-
Loaded: loaded (/usr/lib/
Active: inactive (dead)
Condition: start condition unmet at Mon 2024-06-24 18:58:48 UTC; 59s ago
└─ ConditionFirstB
Docs: man:systemd-
○ systemd-
Loaded: loaded (/usr/lib/
Active: inactive (dead)
Docs: man:systemd-
× systemd-
Loaded: loaded (/usr/lib/
Drop-In: /usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
Invocation: 7caace7a15c749f
TriggeredBy: × systemd-
× systemd-
○ systemd-
Docs: man:systemd-
Process: 124 ExecStart=
Main PID: 124 (code=exited, status=
FD Store: 0 (limit: 4224)
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
Invocation: 5e90310a27b043c
Docs: man:systemd-
Process: 97 ExecStart=
Main PID: 97 (code=exited, status=
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
Invocation: 78e3c68cfa9a4a7
Docs: man:tmpfiles.d(5)
Process: 73 ExecStart=
Main PID: 73 (code=exited, status=
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
Invocation: 46458c7b6e134ef
Docs: man:tmpfiles.d(5)
Process: 98 ExecStart=
Main PID: 98 (code=exited, status=
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
Invocation: f4e64afdc877417
Docs: man:tmpfiles.d(5)
Process: 147 ExecStart=
Main PID: 147 (code=exited, status=
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:48 UTC; 1min 0s ago
Invocation: cb5a1f43cde248d
Docs: man:udevadm(8)
Process: 75 ExecStart=udevadm control --load-credentials (code=exited, status=
Main PID: 75 (code=exited, status=
○ systemd-
Loaded: loaded (/usr/lib/
Active: inactive (dead)
TriggeredBy: ● systemd-
Docs: man:tmpfiles.d(5)
× systemd-
Loaded: loaded (/usr/lib/
Active: failed (Result: exit-code) since Mon 2024-06-24 18:58:49 UTC; 59s ago
Invocation: 5d960369ea944d5
TriggeredBy: × systemd-
Docs: man:systemd-
Process: 280 ExecStart=
Main PID: 280 (code=exited, status=
FD Store: 0 (limit: 512)
[Original Description]
To demonstrate this, in an unprivileged LXD container, create the following unit (taken from the systemd test suite):
$ cat > /etc/systemd/
# SPDX-License-
[Unit]
Description=Test for SetCredential=
[Service]
ExecStart=/bin/sh -x -c 'test "$$(cat %d/test-
ExecStartPost=
ExecStop=/bin/sh -x -c 'test "$$(cat %d/test-
ExecStopPost=
Type=oneshot
SetCredential=
EOF
$ systemctl daemon-reload
$ systemctl start exec-set-
Job for exec-set-
See "systemctl status exec-set-
With debug logs enabled, we see:
$ journalctl -u exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble (sh)[2183]: PR_SET_MM_ARG_START failed: Operation not permitted
Dec 14 19:24:24 noble (sh)[2183]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 14 19:24:24 noble (sh)[2183]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: Starting exec-set-
Dec 14 19:24:24 noble (sh)[2183]: Successfully forked off '(sd-mkdcreds)' as PID 2184.
Dec 14 19:24:24 noble (sd-[2184]: Changing mount propagation /dev (MS_REC|MS_SLAVE "")
Dec 14 19:24:24 noble (sd-[2184]: Mounting ramfs (ramfs) on /dev/shm (MS_NOSUID|
Dec 14 19:24:24 noble (sd-[2184]: Changing mount flags /dev/shm (MS_RDONLY|
Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on /dev/shm (MS_RDONLY|
Dec 14 19:24:24 noble (sh)[2183]: (sd-mkdcreds) failed with exit status 1.
Dec 14 19:24:24 noble (sh)[2183]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble (sh)[2186]: PR_SET_MM_ARG_START failed: Operation not permitted
Dec 14 19:24:24 noble (sh)[2186]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 14 19:24:24 noble (sh)[2186]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Dec 14 19:24:24 noble sh[2186]: + test 1031(cat /run/credential
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: Failed to start exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Dec 14 19:24:24 noble systemd[1]: exec-set-
Related branches
- Athos Ribeiro (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
- Diff: 3919 lines (+3470/-7), 5 files modified:
  debian/changelog (+2915/-0)
  debian/control (+30/-6)
  debian/tests/control (+4/-0)
  debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0)
  debian/tests/util (+123/-1)
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 3887 lines (+3438/-7) (has conflicts), 5 files modified:
  debian/changelog (+2886/-0)
  debian/control (+27/-6)
  debian/tests/control (+4/-0)
  debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0)
  debian/tests/util (+123/-1)
- Andreas Hasenack: Approve
- Diff: 29 lines (+9/-1), 2 files modified:
  debian/changelog (+8/-0)
  debian/tests/samba-ad-dc-provisioning-internal-dns (+1/-1)
Changed in systemd (Ubuntu):
status: New → Confirmed
status: Confirmed → New
importance: Undecided → High
assignee: nobody → Nick Rosbrook (enr0n)
Changed in systemd (Ubuntu):
status: New → Triaged
tags: removed: block-proposed
description: updated
description: updated
no longer affects: systemd
Changed in lxd:
status: Unknown → New
tags: removed: update-excuse
This is the apparmor denial:
audit: type=1400 audit(1704299091.131:665): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-noble_</var/snap/lxd/common/lxd>" name="/dev/shm/" pid=71828 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"
which corresponds to:
Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND ""): Permission denied
from the journal output above. Taking a look at the AppArmor profile created by LXD, it seems that the problematic flag is MS_NOSYMFOLLOW; there is a rule in /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-noble on my machine that allows the flags (ro,remount,bind,nosuid,noexec,nodev) for /dev/shm and others.
I think it probably makes the most sense to allow this flag combination in the AppArmor profile created by LXD.
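As an added worked example (not part of the bug report, and not LXD or systemd code), the Python below does by machine what this comment does by hand: it parses the journal "Failed to mount" line and the AppArmor audit record quoted above and diffs the requested mount options against the option set the LXD rule allows. The MS_*-to-AppArmor option-name mapping and the rule's option set are assumptions taken from the comment text; both log lines are copied from this page.

```python
import re

# Kernel MS_* flag names as systemd's debug log prints them, mapped to the
# option names used in AppArmor mount rules. Assumed mapping for this example.
MS_TO_APPARMOR = {
    "MS_RDONLY": "ro", "MS_NOSUID": "nosuid", "MS_NODEV": "nodev",
    "MS_NOEXEC": "noexec", "MS_REMOUNT": "remount", "MS_BIND": "bind",
    "MS_NOSYMFOLLOW": "nosymfollow",
}

# Options the LXD profile rule quoted in the comment allows for /dev/shm.
LXD_ALLOWED = {"ro", "remount", "bind", "nosuid", "noexec", "nodev"}

# Both lines are copied from this bug report (journal output and audit denial).
JOURNAL_LINE = ('Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on '
                '/dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|'
                'MS_NOSYMFOLLOW|MS_BIND ""): Permission denied')
AUDIT_LINE = ('audit: type=1400 audit(1704299091.131:665): apparmor="DENIED" '
              'operation="mount" class="mount" info="failed flags match" error=-13 '
              'profile="lxd-noble_</var/snap/lxd/common/lxd>" name="/dev/shm/" '
              'pid=71828 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"')

JOURNAL_RE = re.compile(r"Failed to mount .* on (?P<target>\S+) \((?P<flags>[A-Z_|]+)")
AUDIT_RE = re.compile(r'apparmor="DENIED" operation="mount".*?name="(?P<name>[^"]+)"'
                      r'.*?flags="(?P<flags>[^"]+)"')

def journal_mount_request(line):
    """(target, set of MS_* flags) from a systemd 'Failed to mount' debug line, or None."""
    m = JOURNAL_RE.search(line)
    if not m:
        return None
    return m.group("target"), set(m.group("flags").split("|"))

def audit_mount_request(line):
    """(name, set of AppArmor option names) from an apparmor mount DENIED record, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return m.group("name"), {f.strip() for f in m.group("flags").split(",")}

def to_apparmor_options(flags):
    """Normalise MS_* flag names to AppArmor option names; other names pass through."""
    return {MS_TO_APPARMOR.get(f, f.lower()) for f in flags}

def missing_options(requested, allowed):
    """Requested options the rule does not list, i.e. why AppArmor reports 'failed flags match'."""
    return sorted(to_apparmor_options(requested) - set(allowed))

if __name__ == "__main__":
    _, ms_flags = journal_mount_request(JOURNAL_LINE)
    print("journal line, options not allowed:", missing_options(ms_flags, LXD_ALLOWED))  # ['nosymfollow']
    _, audit_opts = audit_mount_request(AUDIT_LINE)
    print("audit record, options not allowed:", missing_options(audit_opts, LXD_ALLOWED))  # []
```

Running it shows why the journal line matters: the audit record's flags field lists only options the rule already allows, so diffing it alone finds nothing, while the journal's MS_NOSYMFOLLOW is the one option the rule lacks.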