smbd failed in host when both lxd container and host have smbd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | Low | Unassigned |
Xenial | Fix Released | High | Unassigned |
Bug Description
[Impact]
* Issue: the current init script
  * won't start samba related services on the host if there is a process of the same binary in a container
  * might on stop affect a process that it was not intended to stop
* Solution: Fix init scripts to
  * start action to have a safer process detection with containers around
  * stop action to not affect unintended processes due to stale pidfiles
[Test Case]
* 1. Start a container
* 2. Start samba in the Container (or winbind or nmbd)
* 3. Start samba in the host (or winbind or nmbd)
=> it will not start as such a binary is already running
* #2 and #3 can be switched, and then as 4. restart smbd in the host
=> it will shut down but not re-start
Fixed: The container process should have no influence
This also fixes issues where the pidfile would not be updated
* install and start smbd
* "Simulate" a corrupted pidfile by putting the PID of a different
process in it
* stop the smbd service
=> without the fixes this will drag down the other process you put in
the pidfile
Fixed: a stale pidfile entry should not let non-smbd (or winbind, nmbd) processes be affected
[Regression Potential]
* We tried to think of all edge cases of these start/stop actions but
didn't come up with one that is broken. Aside from missing one of those
cases there might be non-archive scripts that expect the old behavior.
But even for these no critical ones came to my mind so far.
Worst case there'd be a combination that leads to the service
not (re-)starting after the SRU - so thinking about potential cases is
important.
[Other Info]
* n/a
---
Setup: install smbd in host and lxd-container.
Now restart smbd in host:
service smbd restart
All is OK.
Problem: nmap shows "closed" on ports 139 and 445. And users cannot use smbd server in host.
● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
Loaded: loaded (/etc/init.d/smbd; bad; vendor preset: enabled)
Active: active (exited) since Die 2016-10-18 17:35:23 CEST; 2s ago
Docs: man:systemd-
Process: 24218 ExecStop=
Process: 21980 ExecReload=
Process: 25190 ExecStart=
Okt 18 17:35:22 speedy systemd[1]: Starting LSB: start Samba SMB/CIFS daemon (smbd)...
Okt 18 17:35:23 speedy smbd[25190]: * Starting SMB/CIFS daemon smbd
Okt 18 17:35:23 speedy smbd[25190]: ...done.
Okt 18 17:35:23 speedy systemd[1]: Started LSB: start Samba SMB/CIFS daemon (smbd).
ps axf | grep smbd:
25356 pts/2 S+ 0:00 | \_ grep --color=auto smbd
19915 ? Ss 0:08 \_ /usr/sbin/smbd -D
19919 ? S 0:00 \_ /usr/sbin/smbd -D
However, netstat -tpln | grep "smbd" returns nothing and also nmap shows "closed" on ports 139 and 445.
Workaround [1]:
change /etc/init.d/smbd:
if ! start-stop-daemon --start --quiet --oknodo --exec /usr/sbin/smbd -- -D ; then
to
if ! start-stop-daemon --start --quiet --oknodo --pidfile /var/run/
I reported this to:
https:/
apt-cache policy samba
samba:
Installed: 2:4.3.11+
Candidate: 2:4.3.11+
Version table:
2:
500 http://
*** 2:4.3.11+
500 http://
100 /var/lib/
2:
500 http://
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 107 lines (+20/-8), 5 files modified
debian/changelog (+12/-0)
debian/samba.nmbd.init (+2/-2)
debian/samba.samba-ad-dc.init (+2/-2)
debian/samba.smbd.init (+2/-2)
debian/winbind.init (+2/-2)
- Andreas Hasenack: Approve
- Robie Basak: Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Diff: 106 lines (+19/-8), 5 files modified
debian/changelog (+11/-0)
debian/samba.nmbd.init (+2/-2)
debian/samba.samba-ad-dc.init (+2/-2)
debian/samba.smbd.init (+2/-2)
debian/winbind.init (+2/-2)
description: updated
Changed in samba (Ubuntu Trusty):
status: New → Triaged
description: updated
description: updated
Changed in samba (Ubuntu Trusty):
status: Fix Committed → Invalid
Changed in samba (Ubuntu Trusty):
importance: Undecided → Low
Changed in samba (Ubuntu):
importance: Undecided → High
Changed in samba (Ubuntu Xenial):
importance: Undecided → High
Changed in samba (Ubuntu Trusty):
status: Invalid → Won't Fix
tags: removed: verification-done
This is "just one more" case of the common old init scripts didn't consider there could be more (=containers).
Interesting is that the stop already runs with the --pidfile so the stop will not kill it.
But the start will be blocked, as the existence of such a process will make --start be a no-op.
Man page:
Note: unless --pid or --pidfile are specified, start-stop-daemon behaves similar to killall(1). start-stop-daemon will scan the process table looking for any processes which match the process name, parent pid, uid, and/or gid (if specified). Any matching process will prevent --start from starting the daemon. All matching processes will be sent the TERM signal (or the one specified via --signal or --retry) if --stop is specified. For daemons which have long-lived children which need to live through a --stop, you must specify a pidfile.
-S, --start [--] arguments
Check for the existence of a specified process. If such a process exists, start-stop-daemon does nothing, and exits with error status 1 (0 if --oknodo is specified). If such a process does not exist, it starts an instance, using either the executable specified by --exec or, if specified, by --startas. Any arguments given after -- on the command line are passed unmodified to the program being started.
The --oknodo will make it a silent non-fatal exit in that case - as it is fine to run "start" if it is running already.
I'd recommend "--pidfile $SMBDPID" instead of the suggested path, but otherwise would agree to the fix.
It should be safe as that is essentially how later versions (Bionic) do it (via MAINPID tracking in systemd).
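
The behaviour the test case asks for (a pidfile entry only counts when the PID it names really is the daemon, and a same-named process in a container does not count) can be checked by hand as below. This is an added example, not the packaged init script or the merged fix; the function names and the overridable `PROC_ROOT` are assumptions for illustration, and the PID-namespace comparison goes beyond what the report describes.

```shell
#!/bin/sh
# Added illustration. PROC_ROOT is overridable only so the checks can be
# exercised against a constructed tree instead of the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# read_pid FILE: print the PID stored in FILE if it is a plain positive integer.
read_pid() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;          # empty or not purely numeric
    esac
    [ "$pid" -gt 0 ] || return 1
    printf '%s\n' "$pid"
}

# pid_runs_exe PID EXE: true only if PID exists and its executable is EXE.
pid_runs_exe() {
    target=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || return 1
    # After a package upgrade the kernel reports "/path (deleted)".
    target=${target%" (deleted)"}
    [ "$target" = "$2" ]
}

# same_pid_namespace PID: true if PID lives in the caller's PID namespace.
# On a real system reading another process's ns link needs root.
same_pid_namespace() {
    theirs=$(readlink "$PROC_ROOT/$1/ns/pid" 2>/dev/null) || return 1
    ours=$(readlink "$PROC_ROOT/self/ns/pid" 2>/dev/null) || return 1
    [ "$theirs" = "$ours" ]
}

# daemon_state PIDFILE EXE: prints
#   running - pidfile names a live EXE process in our own namespace
#   stale   - pidfile missing, malformed, or naming some other process
daemon_state() {
    pid=$(read_pid "$1") || { echo stale; return 0; }
    if pid_runs_exe "$pid" "$2" && same_pid_namespace "$pid"; then
        echo running
    else
        echo stale
    fi
}
```

A stop action would signal the PID only when `daemon_state` prints `running`, and a start action would treat `stale` as "not running" regardless of what a process-table scan by name finds.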