[systemd-devel] permissions issues in systemd machine
arnaud gaboury
arnaud.gaboury at gmail.com
Wed Jul 19 09:55:22 UTC 2017
Here is my environment:
Linux kernel 4.11.3 with user namespaces set to YES
% systemctl --version
systemd 233
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid
% machinectl list
MACHINE CLASS SERVICE OS VERSION ADDRESSES
poppy container systemd-nspawn fedora 26 192.168.1.94...
% machinectl show poppy
Name=poppy
Id=59b720b533834a4eafe07a62c2482266
Timestamp=Wed 2017-07-12 22:07:15 CEST
TimestampMonotonic=6928076
Service=systemd-nspawn
Unit=systemd-nspawn@poppy.service
Leader=648
Class=container
RootDirectory=/var/lib/machines/poppy
State=running
Now first issue:
------------------
On container
% systemctl status user@1000.service
● user@1000.service - User Manager for UID 1000
Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
Active: failed (Result: protocol) since Wed 2017-07-19 01:59:29 CEST; 9h ago
Main PID: 264 (code=exited, status=237/KEYRING)
Jul 19 01:59:29 thetradinghall.com systemd[1]: Starting User Manager for UID 1000...
Jul 19 01:59:29 thetradinghall.com systemd[264]: user@1000.service: Failed at step KEYRING spawning /usr/lib/systemd/systemd: Permission denied
Jul 19 01:59:29 thetradinghall.com systemd[1]: Failed to start User Manager for UID 1000.
Jul 19 01:59:29 thetradinghall.com systemd[1]: user@1000.service: Unit entered failed state.
Jul 19 01:59:29 thetradinghall.com systemd[1]: user@1000.service: Failed with result 'protocol'.
Everything looks OK when running the systemd binary outside the unit file:
% ls -al /usr/lib/systemd/systemd
-rwxr-xr-x 1 root root 1.2M Jun 27 23:49 /usr/lib/systemd/systemd*
% /usr/lib/systemd/systemd --v
systemd 233
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid
Can anyone give me some hints why the unit file screams Permission denied?
Second issue:
-----------------
on host: $ mkdir ~/share ; $ touch ~/share/toto
on container: $ mkdir ~/share
I start the container with unit file:
% cat /etc/systemd/system/systemd-nspawn@.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 -U --settings=override --machine=%i --bind-ro=/home/gabx --bind=/home/gabx/share:/home/poisonivy/share
Now on container:
% ls -al share
total 4.0K
drwxr-xr-x 2 nobody nobody 4.0K Jul 19 01:59 ./
drwx------ 1 poisonivy poisonivy 786 Jul 19 01:46 ../
-rw-r--r-- 1 nobody nobody 0 Jul 19 01:59 toto
Why this nobody? I see this behaviour a lot in my container. Example:
$ ls -al /proc
.......................
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 devices
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 diskstats
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 dma
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 execdomains
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 fb
.........................
When looking at these folders from the host:
# ls -al $POPPY/home/poisonivy/share
total 0
drwxrwxr-x 1 vu-poppy-1000 vg-poppy-1000 0 Jul 19 01:46 ./
drwx------ 1 vu-poppy-1000 vg-poppy-1000 786 Jul 19 01:46 ../
Please note that the file toto is not seen.
Same user:group for /proc
This certainly comes from user namespaces being enabled in the kernel. How can I deal with nobody, as I can't change it?
poisonivy@thetradinghall ➤➤ ~ % chown poisonivy:poisonivy share
chown: changing ownership of 'share': Operation not permitted
Thank you for any help/hints with these permissions issues. It is getting difficult to run my container properly.
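The "nobody" ownership in the second issue is the user-namespace UID map at work. With -U, systemd-nspawn runs the container in its own user namespace and maps container UIDs 0..65535 onto a 65536-wide range of host UIDs starting at a base it picks (the vu-poppy-1000 / vg-poppy-1000 names seen on the host are how the host resolves base+1000). Host UID 1000 (gabx, owner of /home/gabx/share and of toto) lies outside that range, so from inside the container the kernel presents it as the overflow UID 65534, which resolves to "nobody". Inside the container, `ls -al share` shows the bind-mounted host directory, hence nobody; on the host, $POPPY/home/poisonivy/share shows the underlying directory of the container tree, which nspawn chowned into the container's range and on which nothing is mounted in the host's mount namespace, hence toto is not seen there. The following Python model of that mapping is an added example, not code from the original post or from systemd; the uid_map line and the host base 1441792 are constructed for illustration, and the real map of this container is readable on the host as /proc/648/uid_map (648 being the Leader PID from `machinectl show poppy` above).

```python
"""Model of how a user namespace's uid_map rewrites file ownership.

Added example; it is not code from the original post or from systemd.
The uid_map text is constructed: systemd-nspawn -U maps container UIDs
0..65535 onto a 65536-wide host range whose base nspawn picks; the base
used here is arbitrary, the real one comes from /proc/<leader pid>/uid_map.
"""

# Kernel default for /proc/sys/kernel/overflowuid: what an unmapped host
# UID looks like from inside the namespace.  NSS resolves it to "nobody".
OVERFLOW_UID = 65534

# Constructed sample map, same format as /proc/<pid>/uid_map:
# "inside_start outside_start count", one mapping per line.
CONSTRUCTED_UID_MAP = "0 1441792 65536\n"


def parse_uid_map(text):
    """Parse uid_map text into a list of (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def is_host_uid_mapped(host_uid, uid_map):
    """True if some mapping covers this host UID."""
    return any(outside <= host_uid < outside + count
               for _inside, outside, count in uid_map)


def host_to_container(host_uid, uid_map, overflow=OVERFLOW_UID):
    """UID a process inside the namespace sees on a host-owned inode."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return overflow  # unmapped on the host -> shown as "nobody" inside


def container_to_host(container_uid, uid_map):
    """Host UID behind a container UID, or None if the namespace cannot
    represent it (chown to it fails inside the container)."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def listing_as_seen_in_container(host_entries, uid_map):
    """Rewrite (name, host_uid) pairs the way ls shows them inside."""
    return [(name, host_to_container(uid, uid_map)) for name, uid in host_entries]


def root_can_chown(file_host_uid, target_container_uid, uid_map):
    """Whether root inside the namespace may chown the file to target.

    The kernel only honours CAP_CHOWN in a user namespace for an inode
    whose owner maps into that namespace, and the new owner must be
    representable there (this model tracks UIDs only, not GIDs).
    """
    return (is_host_uid_mapped(file_host_uid, uid_map)
            and container_to_host(target_container_uid, uid_map) is not None)


if __name__ == "__main__":
    uid_map = parse_uid_map(CONSTRUCTED_UID_MAP)
    base = uid_map[0][1]
    # Constructed host view of the bind-mounted share as seen through the
    # mount: the directory and "toto" belong to host user gabx (uid 1000).
    bind_view = [(".", 1000), ("toto", 1000)]
    for name, uid in listing_as_seen_in_container(bind_view, uid_map):
        print(f"{name:5s} owner inside container: {uid}")
    # The underlying directory in the container tree was chowned by nspawn
    # into the container's range, so it reads back as container uid 1000.
    print("underlying mount point inside:", host_to_container(base + 1000, uid_map))
    print("root in container can chown toto to 1000:",
          root_can_chown(1000, 1000, uid_map))
```

The chown in the post was run as the unprivileged user poisonivy, which Linux refuses for any change of owner regardless of namespaces; `root_can_chown` models the root case, and it fails here too because the file's real owner (host 1000) is not mapped into the container. The fix is therefore on the host side: the bound directory has to be owned by a UID inside the container's mapped range (host base+1000 for container uid 1000), not by host uid 1000.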