[Touch-packages] [Bug 1950787] Re: systemd-sysusers cannot mount /dev in privileged containers (to pass credentials)

Fri, 12 Nov 2021 07:26:51 -0800 

I've implemented the workaround in systemd's debian/test/tests-in-lxd.

** Changed in: systemd (Ubuntu)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1950787

Title:
  systemd-sysusers cannot mount /dev in privileged containers (to pass
  credentials)

Status in lxd package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Fix Committed

Bug description:
  systemd-sysusers.service/systemd.exec fails to start in privileged 
containers, due to being unable to properly mount /dev for passing credentials, 
caused by the following config in the .service unit:
  ```
  # Optionally, pick up a root password and shell for the root user from a
  # credential passed to the service manager. This is useful for importing this
  # data from nspawn's --set-credential= switch.
  LoadCredential=passwd.hashed-password.root
  LoadCredential=passwd.plaintext-password.root
  LoadCredential=passwd.shell.root
  ```

  Reproducer:
  $ lxc profile set default security.privileged "true"
  $ lxc launch ubuntu-daily:jammy test
  $ lxc exec test bash
  # add-apt-repository ppa:ci-train-ppa-service/4704
  # apt install systemd # install systemd 249.5-2ubuntu1
  # systemctl restart systemd-sysusers
  # systemctl status systemd-sysusers
  # system --status=failed
  $ lxc profile set default security.privileged "false"

  A workaround is to disable it via:
  $ cat /etc/systemd/system/systemd-sysusers.service.d/override.conf:
  [Service]
  LoadCredential=

  Interesting logs:
  Nov 12 12:09:44 test systemd[1]: systemd-journald.service: Added fd 42 (n/a) 
to fd store.
  Nov 12 12:09:44 test systemd[431]: Mounting /dev (MS_REC|MS_SLAVE "")...
  Nov 12 12:09:44 test systemd[431]: Failed to mount n/a (type n/a) on /dev 
(MS_REC|MS_SLAVE ""): Permission denied
  Nov 12 12:09:44 test systemd[430]: (sd-mkdcreds) failed with exit status 1.
  Nov 12 12:09:44 test systemd[430]: systemd-sysusers.service: Failed to set up 
credentials: Protocol error
  Nov 12 12:09:44 test systemd[430]: systemd-sysusers.service: Failed at step 
CREDENTIALS spawning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1950787/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to