<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 13, 2017 at 11:02 PM arnaud gaboury <<a href="mailto:arnaud.gaboury@gmail.com">arnaud.gaboury@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Thu, Jul 13, 2017 at 2:27 PM arnaud gaboury <<a href="mailto:arnaud.gaboury@gmail.com" target="_blank">arnaud.gaboury@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>OS= Fedora 26</div><div>Linux container managed by machinectl</div><div><br></div><div><div> % systemctl --version</div><div>systemd 233<br>+PAM -AUDIT
-SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT
+GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid</div><div><br></div></div>% machinectl list<br><div>MACHINE CLASS SERVICE OS VERSION ADDRESSES<br>poppy container systemd-nspawn fedora 26 192.168.1.94...</div><div><br></div>% machinectl show poppy <br><div>Name=poppy<br>Id=59b720b533834a4eafe07a62c2482266<br>Timestamp=Wed 2017-07-12 22:07:15 CEST<br>TimestampMonotonic=6928076<br>Service=systemd-nspawn<br>Unit=systemd-nspawn@poppy.service<br>Leader=648<br>Class=container<br>RootDirectory=/var/lib/machines/poppy<br>State=running<br><br></div><div><br><div>-----------------------------------------------------------------------------------------------------</div><div><br></div><div>After upgrade from Fedora 25 to 26, some services are broken.</div><div>Below are some broken service status<br></div><div><br></div><div><br></div><div>% systemctl status user@1000.service <br>● user@1000.service - User Manager for UID 1000<br> Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)<br> Active: failed (Result: protocol) since Wed 2017-07-12 22:09:45 CEST; 15h ago<br> Main PID: 257 (code=exited, status=237/KEYRING)<br><br>Jul 12 22:09:45 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1]: Starting User Manager for UID 1000...<br>Jul 12 22:09:45 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[257]: user@1000.service: Failed at step KEYRING spawning /usr/lib/systemd/systemd: Permission denied<br>Jul 12 22:09:45 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1]: Failed to start User Manager for UID 1000.<br>Jul 12 22:09:45 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1]: user@1000.service: Unit entered failed state.<br>Jul 12 22:09:45 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1]: user@1000.service: Failed with result 'protocol'.<br></div><div><br></div></div></div></blockquote></div></div><div dir="ltr"><div class="gmail_quote"><div><b>EDIT 1 </b>On container<b><br></b></div><div><b><br></b></div><div> # /usr/lib/systemd/systemd --user <br>Failed to create compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/init.scope: Permission denied<br>Failed to attach 338 to compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/init.scope: No such file or directory<br>Failed to attach 247 to compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/init.scope: No such file or directory<br>Failed to attach 249 to compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/init.scope: No such file or directory<br>Failed to attach 305 to compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/init.scope: No such file or directory<br>Failed to attach 306 to compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/init.scope: No such file or directory<br>Failed to create compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/dbus.socket: Permission denied<br>Failed to attach 342 to compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/dbus.socket: No such file or directory<br>Failed to create compat systemd cgroup /user.slice/user-1000.slice/session-c1.scope/sys-class.mount: Permission denied<br></div><div>.........................................</div><div><br></div></div></div></blockquote><div><b>EDIT 2 </b>on container<b><br></b></div><div><b><br></b></div><div># ls -al /sys/fs/cgroup/ <br>total 0<br>drwxr-xr-x 13 root root 340 Jul 13 22:52 ./<br>drwxr-xr-x 4 root root 80 Jul 13 22:52 ../<br>drwxr-xr-x 2 nobody nobody 0 Jul 13 22:52 blkio/<br>drwxr-xr-x 2 nobody nobody 0 Jul 13 22:52 cpu,cpuacct/<br>dr-xr-xr-x 2 nobody nobody 0 Jul 12 22:07 cpuset/<br>drwxr-xr-x 2 nobody nobody 0 Jul 13 22:52 devices/<br>dr-xr-xr-x 2 nobody nobody 0 Jul 12 22:07 freezer/<br>drwxr-xr-x 2 nobody nobody 0 Jul 13 22:52 memory/<br>dr-xr-xr-x 2 nobody nobody 0 Jul 12 22:07 net_cls,net_prio/<br>dr-xr-xr-x 2 nobody nobody 0 Jul 12 22:07 perf_event/<br>drwxr-xr-x 2 nobody nobody 0 Jul 13 22:52 pids/<br>drwxr-xr-x 2 nobody nobody 0 Jul 13 22:52 systemd/</div><div><b><br></b></div><div># chown root:root /sys/fs/cgroup/blkio <br>chown: changing ownership of '/sys/fs/cgroup/blkio': Operation not permitted</div><div><b><br></b></div><div>It seems again this nobody:nobody is causing troubles<br></div><div><b><br></b></div><div>On host</div><div># ls -al $POPPY/sys/ <br>total 0<br>dr-xr-xr-x 1 vu-poppy-0 vg-poppy-0 0 Aug 16 2014 ./<br>dr-xr-xr-x 1 vu-poppy-0 vg-poppy-0 236 Jul 13 14:21 ../<br><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div></div><div>THT<br></div></div></div><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div></div><div><br></div><div>% systemctl status user.slice <br>● user.slice - User and Session Slice<br> Loaded: loaded (/usr/lib/systemd/system/user.slice; static; vendor preset: disabled)<br> Active: active since Wed 2017-07-12 22:07:15 CEST; 15h ago<br> Docs: man:systemd.special(7)<br> CGroup: /user.slice<br> └─user-1000.slice<br> ├─session-c1.scope<br> │ ├─ 256 login -- poisonivy<br> │ ├─ 258 -zsh<br> │ ├─ 356 su<br> │ ├─ 357 zsh<br> │ ├─1553 systemctl status user.slice<br> │ └─1554 less<br> └─session-c2.scope<br> ├─449 login -- poisonivy<br> ├─450 -zsh<br> ├─494 su<br> ├─495 zsh<br> └─526 /usr/bin/python3 -O /usr/bin/ranger<br><br>Jul 12 22:09:45 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1]: user.slice: Failed to set invocation ID on control group /user.slice, ignoring: Operation not permitted</div><div><br></div>% systemctl status opendkim.service <br><div>● opendkim.service - DomainKeys Identified Mail (DKIM) Milter<br> Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled; vendor preset: disabled)<br> Drop-In: /etc/systemd/system/opendkim.service.d<br> └─override.conf<br> Active: failed (Result: exit-code) since Thu 2017-07-13 11:33:25 CEST; 2h 30min ago<br> Docs: man:opendkim(8)<br> man:opendkim.conf(5)<br> man:opendkim-genkey(8)<br> man:opendkim-genzone(8)<br> man:opendkim-testadsp(8)<br> man:opendkim-testkey<br> <a href="http://www.opendkim.org/docs.html" target="_blank">http://www.opendkim.org/docs.html</a><br><br>Jul 13 11:33:25 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...<br>Jul 13 11:33:25 <a href="http://thetradinghall.com" target="_blank">thetradinghall.com</a> systemd[1243]: opendkim.service: Failed at step KEYRING spawning /usr/sbin/opendkim: Permission denied</div><div><br></div><div><b>N.B:</b> I can manually start opendkim as root<br></div><div>------------------------------------------------------</div><div><br></div><div>I have no ideas why these new issues. The only hint is the following one.</div><div><br></div><div>I build my kernel with CONFIG_USER_NS=y since a while. I guess it is this setting which cause the following trouble with UID/GID</div><div><br></div><div>From host</div><div>root@hortensia ➤➤ ~aur # ls -al $POPPY/var/log/journal <br>total 0<br>drwxr-xr-x+ 1 vu-poppy-0 systemd-journal 64 Oct 4 2016 ./<br>drwxr-xr-x 1 vu-poppy-0 vg-poppy-0 1.3K Jul 12 20:20 ../<br>drwxr-sr-x+ 1 root systemd-journal 7.8K Mar 11 15:25 59b720b533834a4eafe07a62c2482266/</div><div><br></div><div>From container:</div><div>root@thetradinghall ➤➤ dovecot/conf.d # ls -al /var/log/journal <br>total 0<br>drwxr-xr-x+ 1 root nobody 64 Oct 4 2016 ./<br>drwxr-xr-x 1 root root 1.3K Jul 12 20:20 ../<br>drwxr-sr-x+ 1 nobody nobody 7.8K Mar 11 15:25 59b720b533834a4eafe07a62c2482266/<br><br></div><div>As you can see, on host, root:root is by default vu-poppy-0 vg-poppy-0 <br></div><div>On container, I am left with lots of files/folders owned by nobody.</div><div><br></div><div>---------------------------<br></div><div>When looking at the output of systemctl --failed, and verifying status, I can observe a commun failure, like the one below:<br></div><div><br></div><div> postgresql.service: Failed at step KEYRING spawning /usr/libexec/postgresql-check-db-dir: Permission denied<br></div><div><br></div><div>-----------------------------<br></div><div><br></div><div>When upgrading some package, I have again a permission issue.</div><div><br></div><div># dnf upgrade filesystem</div><div>......................<br></div><div>error: unpacking of archive failed on file /proc: cpio: chown<br><br></div><div># ls -al /proc/filesystems <br></div><div>.........<br></div><div>-r--r--r-- 1 nobody nobody 0 Jul 13 14:22 /proc/filesystems</div><div>.....................<br></div><div> # chown root:root /proc/filesystems <br>chown: changing ownership of '/proc/filesystems': Operation not permitted<br></div><div>-------------------------------------</div><div><br></div><div>Can anyone help me in debugging my system, as it starts to be difficult to use the container. Thank you<br></div><div><br></div></div></div></blockquote></div></div></blockquote></div></div>