Your message dated Wed, 21 Jan 2015 13:04:39 +0000
with message-id <e1yduxb-0005r3...@franck.debian.org>
and subject line Bug#775067: fixed in systemd 215-10
has caused the Debian Bug report #775067,
regarding systemd: journald doesn't forward messages to syslog w/o
CAP_SYS_ADMIN (LXC)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: systemd
Version: 215-8
Severity: grave
Tags: upstream patch
Justification: causes non-serious data loss
Dear Maintainer,
when using LXC containers without CAP_SYS_ADMIN, journald fails to
forward any messages to syslog by default. Since the journal is not
persistent by default, no logs are stored at all, hence the
classification as 'data loss'. Also, this is a regression from Wheezy,
where a container without CAP_SYS_ADMIN and syslog did indeed store
persistent logs in /var/log/{syslog,messages,...}.
Note that there is NO other problem with systemd related to missing
CAP_SYS_ADMIN in a container (that I have found so far), provided all
required (pseudo-) file systems are mounted beforehand (which can be
done by configuration with Jessie's LXC version). I do know that
upstream claims that CAP_SYS_ADMIN-less containers are currently not
really supported, but they do intend to work towards that, and, from
what I can tell, apart from this journald problem, I have found no
issue whatsoever with a missing CAP_SYS_ADMIN (it actually works even
better than under sysvinit because it doesn't try to do some stuff
it's not supposed to do in containers that cause error messages with
sysvinit) - and since these kinds of containers were working in
Wheezy with its default init, I think this should be supported in
Jessie, too, especially if the fix is really easy, see below.
This bug is independent of the syslog implementation used, because no
syslog implementation in Jessie supports reading directly from the
journal, as far as I can tell (syslog-ng is too old, rsyslog is built
without imjournal support), so all rely on ForwardToSyslog=yes.
The reason why this problem occurs is that journald tries to fake
SCM_CREDENTIALS before sending a packet to the syslog daemon. With
CAP_SETUID and CAP_SETGID, faking uid/gid is not a problem, but to fake
the pid in struct ucred, one needs CAP_SYS_ADMIN (according to current
kernel source).
Also note that without activating debugging in journald, this problem
cannot be diagnosed easily (it took me a while with strace to find the
problem).
Note, however, two things:
- journald does (and can) not guarantee that it can fake the pid,
  because the process could have already exited. If you look at the
  source, in case ESRCH is returned, it just fakes uid/gid and uses
  its own pid
- both rsyslog and syslog-ng (haven't tried anything else yet) don't
  rely on SCM_CREDENTIAL's pid anyway in their default configuration,
  so at least in the default configuration there's no reason to fail
  in that case.
I have created (and tested) an absolutely trivial patch that fixes this
by not only checking for ESRCH but also EPERM and then avoiding faking the
pid.
I have tested this with both rsyslog and syslog-ng and it works and
both store (the same ;-)) persistent log messages in
/var/log/{messages,syslog,...}.
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii acl 2.2.52-2
ii adduser 3.113+nmu3
ii initscripts 2.88dsf-58
ii libacl1 2.2.52-2
ii libaudit1 1:2.4-1+b1
ii libblkid1 2.25.2-4
ii libc6 2.19-13
ii libcap2 1:2.24-6
ii libcap2-bin 1:2.24-6
ii libcryptsetup4 2:1.6.6-4
ii libgcrypt20 1.6.2-4+b1
ii libkmod2 18-3
ii liblzma5 5.1.1alpha+20120614-2+b3
ii libpam0g 1.1.8-3.1
ii libselinux1 2.3-2
ii libsystemd0 215-8
ii mount 2.25.2-4
ii sysv-rc 2.88dsf-58
ii udev 215-8
ii util-linux 2.25.2-4
Versions of packages systemd recommends:
ii dbus 1.8.12-3
ii libpam-systemd 215-8
Versions of packages systemd suggests:
pn systemd-ui <none>
-- no debconf information
Description: Make journald syslog fwd'ing work w/o CAP_SYS_ADMIN
In case CAP_SYS_ADMIN is missing, one cannot fake pid in struct ucred
(uid/gid are fine if CAP_SETUID/CAP_SETGID are present), which is the
case in some container setups.
.
This patch makes sure that journald will try again to forward the
messages to syslog, without faking the SCM_CREDENTIALS pid this time
(which isn't guaranteed anyway, since it also does the same thing if
the process has already exited).
.
With this patch, journald will no longer silently discard messages
that are supposed to be sent to syslog in these situations.
Author: Christian Seiler <christ...@iwakd.de>
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: systemd-215/src/journal/journald-syslog.c
===================================================================
--- systemd-215.orig/src/journal/journald-syslog.c
+++ systemd-215/src/journal/journald-syslog.c
@@ -85,12 +85,12 @@ static void forward_syslog_iovec(Server
return;
}
- if (ucred && errno == ESRCH) {
+ if (ucred && (errno == ESRCH || errno == EPERM)) {
struct ucred u;
/* Hmm, presumably the sender process vanished
- * by now, so let's fix it as good as we
- * can, and retry */
+ * by now, or we don't have CAP_SYS_AMDIN, so
+ * let's fix it as good as we can, and retry */
u = *ucred;
u.pid = getpid();
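Review bot: In the widened condition (errno == ESRCH || errno == EPERM), EPERM is assumed to mean only that the pid could not be faked, yet the retry replaces just u.pid and keeps the uid/gid copied from *ucred, so an EPERM caused by missing CAP_SETUID/CAP_SETGID would fail again in exactly the same way. The comment should state that assumption, and a debug-level log line when the EPERM branch is taken would make the fallback visible without strace, which the report says was needed to find this. The added comment line also spells the capability "CAP_SYS_AMDIN"; it should read "CAP_SYS_ADMIN".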
--- End Message ---
--- Begin Message ---
Source: systemd
Source-Version: 215-10
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <mp...@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 21 Jan 2015 13:18:05 +0100
Source: systemd
Binary: systemd systemd-sysv libpam-systemd libsystemd0 libsystemd-dev
libsystemd-login0 libsystemd-login-dev libsystemd-daemon0 libsystemd-daemon-dev
libsystemd-journal0 libsystemd-journal-dev libsystemd-id128-0
libsystemd-id128-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
libgudev-1.0-0 gir1.2-gudev-1.0 libgudev-1.0-dev python3-systemd systemd-dbg
Architecture: source amd64
Version: 215-10
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers
<pkg-systemd-maintain...@lists.alioth.debian.org>
Changed-By: Martin Pitt <mp...@debian.org>
Description:
gir1.2-gudev-1.0 - libgudev-1.0 introspection data
libgudev-1.0-0 - GObject-based wrapper library for libudev
libgudev-1.0-dev - libgudev-1.0 development files
libpam-systemd - system and service manager - PAM module
libsystemd-daemon-dev - systemd utility library (transitional package)
libsystemd-daemon0 - systemd utility library (deprecated)
libsystemd-dev - systemd utility library - development files
libsystemd-id128-0 - systemd 128 bit ID utility library (deprecated)
libsystemd-id128-dev - systemd 128 bit ID utility library (transitional
package)
libsystemd-journal-dev - systemd journal utility library (transitional package)
libsystemd-journal0 - systemd journal utility library (deprecated)
libsystemd-login-dev - systemd login utility library (transitional package)
libsystemd-login0 - systemd login utility library (deprecated)
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
python3-systemd - Python 3 bindings for systemd
systemd - system and service manager
systemd-dbg - system and service manager (debug symbols)
systemd-sysv - system and service manager - SysV links
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 739676 775067 775404 775889
Changes:
systemd (215-10) unstable; urgency=medium
.
[ Martin Pitt ]
* sysv-generator: Handle .sh suffixes when translating Provides:.
(Closes: #775889)
* sysv-generator: Make real units overwrite symlinks generated by Provides:
from other units. Fixes failures due to presence of backup or old init.d
scripts. (Closes: #775404)
* Fix journal forwarding to syslog in containers without CAP_SYS_ADMIN.
(Closes: #775067)
.
[ Christian Kastner ]
* Use common-session-noninteractive in systemd-user's PAM config, instead of
common-session. The latter can include PAM modules like libpam-mount which
expect to be called just once and/or interactively, which already happens
for login, ssh, or the display-manager. Add pam_systemd.so explicitly, as
it's not included in -noninteractive, but is always required (and
idempotent). There is no net change on systems which don't use manually
installed PAM modules. (Closes: #739676)
--- End Message ---