[systemd-devel] systemd user instance

Kok, Auke-jan H auke-jan.h.kok at intel.com
Mon May 6 20:31:40 PDT 2013


On Mon, May 6, 2013 at 2:44 PM, Kai Krakow <hurikhan77 at gmail.com> wrote:
> Hey list,
>
> I've built a server with systemd and it really worked out well. Fast booting
> (that means shorter maintenance times) and most important: Reliable service
> teardown and auto-restarts of crashed services. And yeah, I love the
> journal. I'm logging everything there.
>
> But now I want to (and need to) give some users cron-like abilities. I
> discovered that systemd supports user instances - perfect!
>
> So I enabled a session service for one user (actually, that's me):
>
> # sudo systemctl enable user@kakra.service
>
> But I cannot start it, and neither can the user. Starting it states in the
> journal:
>
> # sudo systemctl start user@kakra.service
>
> May 06 23:35:00 vweb002.jugendinfo.de systemd[1]: Starting User Manager for root...
> -- Subject: Unit user@kakra.service has begun with start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit user@kakra.service has begun starting up.
> May 06 23:35:00 vweb002.jugendinfo.de systemd[4438]: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
> -- Subject: Process /usr/lib/systemd/systemd could not be executed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/641257651c1b4ec9a8624d7a40a9e1e7
> --
> -- The process /usr/lib/systemd/systemd could not be executed and failed.
> --
> -- The error number returned while executing this process is 1.
> May 06 23:35:00 vweb002.xxxxxx.de systemd[1]: Started User Manager for root.
> -- Subject: Unit user@kakra.service has finished start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit user@kakra.service has finished starting up.
> --
> -- The start-up result is done.
>
> Why does it say "Starting user manager for root" (and not my username) and
> why does it fail with pam? If I start "systemd --user &", then I can enable
> and run the user services defined in .config/systemd.
>
> The server is running Gentoo with systemd-201. Here's the systemd unit:
>
> kakra@vweb002 ~ $ cat /etc/systemd/system/user\@kakra.service
> #  This file is part of systemd.
> #
> #  systemd is free software; you can redistribute it and/or modify it
> #  under the terms of the GNU Lesser General Public License as published by
> #  the Free Software Foundation; either version 2.1 of the License, or
> #  (at your option) any later version.
>
> [Unit]
> Description=User Manager for %u
> After=systemd-user-sessions.service
>
> [Service]
> User=%I
> PAMName=systemd-shared

^^ this line is the cause of your problems, as the
/etc/pam.d/systemd-shared file does not exist.

> # in order to allow MEM_CG features to work, add "memory:/" here
> ControlGroup=%R/user/%u/shared cpu:/
> ControlGroupModify=yes
> Type=notify
> ExecStart=-/usr/lib/systemd/systemd --user
> Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%U/dbus/user_bus_socket
>
> [Install]
> Alias=user@%i.service
>
>
> # as user:
> # systemctl start user@kakra.service
> Failed to issue method call: Access denied
>
>
> kakra@vweb002 ~ $ cat /etc/pam.d/system-auth
> auth            required        pam_env.so
> auth            required        pam_unix.so try_first_pass likeauth nullok
> auth            optional        pam_permit.so
>
> account         required        pam_unix.so
> account         optional        pam_permit.so
>
> password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
> password        optional        pam_permit.so
>
> session         required        pam_limits.so
> session         required        pam_env.so
> session         required        pam_unix.so
> session         optional        pam_permit.so
>
> session         optional        pam_loginuid.so
> session         optional        pam_systemd.so


You can copy /etc/pam.d/login to /etc/pam.d/systemd-shared, and then
things should somewhat work. Additionally, you may want to copy the
dbus user session service files from
github.com/sofar/user-session-units to get user-based dbus services
working.

Auke
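
As an added example (not part of the original message or of systemd), the shell function below checks for the condition the reply identifies: a unit whose PAMName= names a PAM service with no matching file. It assumes plain *.service files in one directory (drop-ins are not read) and a single PAM service directory; the function name and its arguments are made up for this example.

```shell
#!/bin/sh
# Added example: flag systemd units whose PAMName= has no PAM service file.
# Assumptions: units are *.service files directly in UNIT_DIR and every PAM
# service is a file named after the service in PAM_DIR.

# check_pam_names UNIT_DIR PAM_DIR
# Prints "unit-file<TAB>pam-name" for each missing PAM service file.
# Returns 0 when every referenced service exists, 1 otherwise.
check_pam_names() {
    unit_dir=$1
    pam_dir=$2
    missing=0
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        # Comment lines begin with '#' or ';' and therefore never match.
        # The last assignment in the file wins; an empty one resets it.
        name=$(sed -n 's/^[[:space:]]*PAMName[[:space:]]*=[[:space:]]*//p' "$unit" \
               | sed 's/[[:space:]]*$//' | tail -n 1)
        [ -n "$name" ] || continue
        if [ ! -f "$pam_dir/$name" ]; then
            printf '%s\t%s\n' "$unit" "$name"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}
```

With the paths from this thread it would be called as `check_pam_names /etc/systemd/system /etc/pam.d`.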

