Re: [systemd-devel] Failed to apply ACLs: Invalid argument

2017-07-19 Thread Matwey V. Kornilov
2017-07-19 15:12 GMT+03:00 Matwey V. Kornilov :
> 2017-07-19 13:32 GMT+03:00 Matwey V. Kornilov :
>> 2017-07-19 13:10 GMT+03:00 Matwey V. Kornilov :
>>> 2017-07-19 12:47 GMT+03:00 Lennart Poettering :
>>>> On Wed, 19.07.17 12:38, Matwey V. Kornilov (matwey.korni...@gmail.com)
>>>> wrote:
>>>>
>>>>> This is all that is relevant to Invalid Argument errno in strace:
>>>>>
>>>> [...]
>>>>> readlinkat(AT_FDCWD, "/sys/module/parport", 0x55d7a4d5d940, 99) = -1
>>>>> EINVAL (Invalid argument)
>>>>
>>>> readlinkat() returns EINVAL when invoked on a non-symlink. It's not a
>>>> real error, just a way to report that mismatch.
>>>>
>>>>> drwxr-xr-x 3 root root 0 июл 19 12:35
>>>>> /sys/devices/virtual/input/input7/event7
>>>>> drwxr-xr-x 5 root root 0 июл 19 12:31 /sys/module/parport
>>>>> drwxr-xr-x 7 root root 0 июл 19 12:33 /sys/module/parport_pc
>>>>>
>>>>> It is brand-new openSUSE 42.2 installation. No selinux or something like
>>>>> that.
>>>>
>>>> Not sure what else I can suggest then, except attaching gdb to logind
>>>> and check what happens when you switch VTs... it should be sufficient
>>>> to set a breakpoint onto devnode_acl_all() and wait until it gets
>>>> triggered, and then follow the code until you see EINVAL thrown.
>>>>
>>>> Unless you know gdb well enough you shouldn't attempt that though...

>>>
>>> Ok, it is udev_enumerate_scan_devices which returns -22
>>
>> Now I see that something wrong happens inside
>>
>> enumerator_scan_devices_children
>>
>> at
>>
>> sd_device_get_syspath
>>
>
> k = sd_device_new_from_device_id(&device, dent->d_name);
>
> inside enumerator_scan_devices_tag() returns -22 for some entry.

I suspect 21d6220fe0bf24fda7df9833961e022cafa439bc will fix my issue.
I will check tomorrow.




-- 
With best regards,
Matwey V. Kornilov
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


[systemd-devel] systemd-nspawn map UID/GID between cointainer and host

2017-07-19 Thread basti
Hello,
I have some users inside the container that have the same UID/GID as on the host.
The files are bind-mounted into the container and have mode "700" on the host.
I can't access the files inside the container (permission denied).
So far so good.

Is there a way to map UIDs/GIDs from host to container or from container
to host, so that a user with UID 1004 in the container can access files
owned by the user with UID 1004 on the host?

There are multiple UIDs, so the --private-users option is not usable, I
think.

Best regards,
basti


Re: [systemd-devel] no user dbus session in container

2017-07-19 Thread arnaud gaboury
On Wed, Jul 19, 2017 at 2:18 PM Simon McVittie  wrote:

> On Wed, 19 Jul 2017 at 09:31:36 +, arnaud gaboury wrote:
> > Do I really need a per user dbus session in my container?
>
> I don't know. Do you? You haven't said anything about how you start the
> container,


With the default systemd-nspawn@ unit file and a small override:

% cat /etc/systemd/system/systemd-nspawn@.service.d/override.conf

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot \
    --link-journal=try-guest --network-bridge=br0 -U --settings=override \
    --machine=%i --bind-ro=/home/gabx \
    --bind=/home/gabx/share:/home/poisonivy/share


> how you log in to the container,

sudo machinectl login poppy


> what its purpose is, or how
> (if at all) its purpose interacts with the session bus.
>

The machine is a web server with http, ssh, ftp, postfix...

>
> Again, the only advice I can give you based on the information you
> provided is to read the system log and look for error messages.
>

I am on the journal

>
> If you believe you have found a bug in some component (systemd or dbus
> or your container manager), the first step in resolving that bug is
> to describe in detail how the bug can be reproduced, including all the
> steps taken and any error messages that result from them.
>
> Since the trigger for this regression was a Fedora upgrade, Fedora support
> channels might be a more useful source of help and information than the
> systemd upstream mailing list (but I suspect the first things they will
> ask you to do are to describe the steps to reproduce the issue and check
> the system log, so you might as well do those first, and include them
> in your request for help).
>

Thank you again for your patience and answers.

>
> S
>


Re: [systemd-devel] Failed to apply ACLs: Invalid argument

2017-07-19 Thread Matwey V. Kornilov
2017-07-19 13:32 GMT+03:00 Matwey V. Kornilov :
> 2017-07-19 13:10 GMT+03:00 Matwey V. Kornilov :
>> 2017-07-19 12:47 GMT+03:00 Lennart Poettering :
>>> On Wed, 19.07.17 12:38, Matwey V. Kornilov (matwey.korni...@gmail.com) 
>>> wrote:
>>>
>>>> This is all that is relevant to Invalid Argument errno in strace:
>>>>
>>> [...]
>>>> readlinkat(AT_FDCWD, "/sys/module/parport", 0x55d7a4d5d940, 99) = -1
>>>> EINVAL (Invalid argument)
>>>
>>> readlinkat() returns EINVAL when invoked on a non-symlink. It's not a
>>> real error, just a way to report that mismatch.
>>>
>>>> drwxr-xr-x 3 root root 0 июл 19 12:35
>>>> /sys/devices/virtual/input/input7/event7
>>>> drwxr-xr-x 5 root root 0 июл 19 12:31 /sys/module/parport
>>>> drwxr-xr-x 7 root root 0 июл 19 12:33 /sys/module/parport_pc
>>>>
>>>> It is brand-new openSUSE 42.2 installation. No selinux or something like
>>>> that.
>>>
>>> Not sure what else I can suggest then, except attaching gdb to logind
>>> and check what happens when you switch VTs... it should be sufficient
>>> to set a breakpoint onto devnode_acl_all() and wait until it gets
>>> triggered, and then follow the code until you see EINVAL thrown.
>>>
>>> Unless you know gdb well enough you shouldn't attempt that though...
>>>
>>
>> Ok, it is udev_enumerate_scan_devices which returns -22
>
> Now I see that something wrong happens inside
>
> enumerator_scan_devices_children
>
> at
>
> sd_device_get_syspath
>

k = sd_device_new_from_device_id(&device, dent->d_name);

inside enumerator_scan_devices_tag() returns -22 for some entry.




-- 
With best regards,
Matwey V. Kornilov


Re: [systemd-devel] no user dbus session in container

2017-07-19 Thread Simon McVittie
On Wed, 19 Jul 2017 at 09:31:36 +, arnaud gaboury wrote:
> Do I really need a per user dbus session in my container?

I don't know. Do you? You haven't said anything about how you start the
container, how you log in to the container, what its purpose is, or how
(if at all) its purpose interacts with the session bus.

Again, the only advice I can give you based on the information you
provided is to read the system log and look for error messages.

If you believe you have found a bug in some component (systemd or dbus
or your container manager), the first step in resolving that bug is
to describe in detail how the bug can be reproduced, including all the
steps taken and any error messages that result from them.

Since the trigger for this regression was a Fedora upgrade, Fedora support
channels might be a more useful source of help and information than the
systemd upstream mailing list (but I suspect the first things they will
ask you to do are to describe the steps to reproduce the issue and check
the system log, so you might as well do those first, and include them
in your request for help).

S


Re: [systemd-devel] Failed to apply ACLs: Invalid argument

2017-07-19 Thread Matwey V. Kornilov
2017-07-19 13:10 GMT+03:00 Matwey V. Kornilov :
> 2017-07-19 12:47 GMT+03:00 Lennart Poettering :
>> On Wed, 19.07.17 12:38, Matwey V. Kornilov (matwey.korni...@gmail.com) wrote:
>>
>>> This is all that is relevant to Invalid Argument errno in strace:
>>>
>> [...]
>>> readlinkat(AT_FDCWD, "/sys/module/parport", 0x55d7a4d5d940, 99) = -1
>>> EINVAL (Invalid argument)
>>
>> readlinkat() returns EINVAL when invoked on a non-symlink. It's not a
>> real error, just a way to report that mismatch.
>>
>>> drwxr-xr-x 3 root root 0 июл 19 12:35 
>>> /sys/devices/virtual/input/input7/event7
>>> drwxr-xr-x 5 root root 0 июл 19 12:31 /sys/module/parport
>>> drwxr-xr-x 7 root root 0 июл 19 12:33 /sys/module/parport_pc
>>>
>>> It is brand-new openSUSE 42.2 installation. No selinux or something like 
>>> that.
>>
>> Not sure what else I can suggest then, except attaching gdb to logind
>> and check what happens when you switch VTs... it should be sufficient
>> to set a breakpoint onto devnode_acl_all() and wait until it gets
>> triggered, and then follow the code until you see EINVAL thrown.
>>
>> Unless you know gdb well enough you shouldn't attempt that though...
>>
>
> Ok, it is udev_enumerate_scan_devices which returns -22

Now I see that something wrong happens inside

enumerator_scan_devices_children

at

sd_device_get_syspath




-- 
With best regards,
Matwey V. Kornilov


Re: [systemd-devel] Failed to apply ACLs: Invalid argument

2017-07-19 Thread Matwey V. Kornilov
2017-07-19 12:47 GMT+03:00 Lennart Poettering :
> On Wed, 19.07.17 12:38, Matwey V. Kornilov (matwey.korni...@gmail.com) wrote:
>
>> This is all that is relevant to Invalid Argument errno in strace:
>>
> [...]
>> readlinkat(AT_FDCWD, "/sys/module/parport", 0x55d7a4d5d940, 99) = -1
>> EINVAL (Invalid argument)
>
> readlinkat() returns EINVAL when invoked on a non-symlink. It's not a
> real error, just a way to report that mismatch.
>
>> drwxr-xr-x 3 root root 0 июл 19 12:35 
>> /sys/devices/virtual/input/input7/event7
>> drwxr-xr-x 5 root root 0 июл 19 12:31 /sys/module/parport
>> drwxr-xr-x 7 root root 0 июл 19 12:33 /sys/module/parport_pc
>>
>> It is brand-new openSUSE 42.2 installation. No selinux or something like 
>> that.
>
> Not sure what else I can suggest then, except attaching gdb to logind
> and check what happens when you switch VTs... it should be sufficient
> to set a breakpoint onto devnode_acl_all() and wait until it gets
> triggered, and then follow the code until you see EINVAL thrown.
>
> Unless you know gdb well enough you shouldn't attempt that though...
>

Ok, it is udev_enumerate_scan_devices which returns -22




-- 
With best regards,
Matwey V. Kornilov


[systemd-devel] permissions issues in systemd machine

2017-07-19 Thread arnaud gaboury
Here is my environment:
Linux kernel 4.11.3 with user namespace support set to YES

 % systemctl --version
systemd 233
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid

% machinectl list
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
poppy   container systemd-nspawn fedora 26  192.168.1.94...

% machinectl show poppy
Name=poppy
Id=59b720b533834a4eafe07a62c2482266
Timestamp=Wed 2017-07-12 22:07:15 CEST
TimestampMonotonic=6928076
Service=systemd-nspawn
Unit=systemd-nspawn@poppy.service
Leader=648
Class=container
RootDirectory=/var/lib/machines/poppy
State=running

Now first issue:
--

On container
% systemctl status user@1000.service
● user@1000.service - User Manager for UID 1000
   Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
   Active: failed (Result: protocol) since Wed 2017-07-19 01:59:29 CEST; 9h ago
 Main PID: 264 (code=exited, status=237/KEYRING)

Jul 19 01:59:29 thetradinghall.com systemd[1]: Starting User Manager for UID 1000...
Jul 19 01:59:29 thetradinghall.com systemd[264]: user@1000.service: Failed at step KEYRING spawning /usr/lib/systemd/systemd: Permission denied
Jul 19 01:59:29 thetradinghall.com systemd[1]: Failed to start User Manager for UID 1000.
Jul 19 01:59:29 thetradinghall.com systemd[1]: user@1000.service: Unit entered failed state.
Jul 19 01:59:29 thetradinghall.com systemd[1]: user@1000.service: Failed with result 'protocol'.

Everything looks OK when running the systemd binary outside the unit file:
% ls -al /usr/lib/systemd/systemd
-rwxr-xr-x 1 root root 1.2M Jun 27 23:49 /usr/lib/systemd/systemd*
% /usr/lib/systemd/systemd --v
systemd 233
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid

Can anyone give me some hints why the unit file screams Permission denied?

Second issue:
-

on host : $ mkdir ~/share ; $ touch ~/share/toto
on container: $ mkdir ~/share ;

I start the container with unit file:
% cat /etc/systemd/system/systemd-nspawn@.service.d/override.conf

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot \
    --link-journal=try-guest --network-bridge=br0 -U --settings=override \
    --machine=%i --bind-ro=/home/gabx \
    --bind=/home/gabx/share:/home/poisonivy/share

Now on container:
 % ls -al share
total 4.0K
drwxr-xr-x 2 nobody    nobody    4.0K Jul 19 01:59 ./
drwx------ 1 poisonivy poisonivy  786 Jul 19 01:46 ../
-rw-r--r-- 1 nobody    nobody       0 Jul 19 01:59 toto

Why this nobody? I can see this behavior a lot on my container. Example:

$ ls -al /proc
...
-r--r--r--   1 nobody  nobody 0 Jul 19 11:47 devices
-r--r--r--   1 nobody  nobody 0 Jul 19 11:47 diskstats
-r--r--r--   1 nobody  nobody 0 Jul 19 11:47 dma
-r--r--r--   1 nobody  nobody 0 Jul 19 11:47 execdomains
-r--r--r--   1 nobody  nobody 0 Jul 19 11:47 fb
...

When looking at these folders from host:
# ls -al $POPPY/home/poisonivy/share
total 0
drwxrwxr-x 1 vu-poppy-1000 vg-poppy-1000   0 Jul 19 01:46 ./
drwx------ 1 vu-poppy-1000 vg-poppy-1000 786 Jul 19 01:46 ../
Please note that the file toto is not seen.

Same user:group for /proc

This certainly comes from user namespaces being enabled in the kernel. How can I
deal with nobody, as I can't change it?
poisonivy@thetradinghall ➤➤ ~ % chown poisonivy:poisonivy share
chown: changing ownership of 'share': Operation not permitted


Thank you for any help/hints with these permissions issues. It is becoming
difficult to run my container properly.
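Both basti's question about mapping UIDs between host and container and the nobody owners in arnaud's bind mount come down to how the kernel applies the container's uid_map under systemd-nspawn -U. As an added example (not from this thread), the program below evaluates a constructed uid_map the way the kernel does: a host id outside the mapped range is shown inside the container as the overflow id nobody, and a container process cannot chown to it. The mapping offset in SAMPLE_UID_MAP and the struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Kernel default overflowuid/overflowgid: an id the map cannot express is
 * presented inside the namespace as this id, which getpwuid shows as nobody. */
#define OVERFLOW_ID 65534u

/* One line of /proc/<pid>/uid_map or gid_map: "<inside> <outside> <count>". */
struct id_range { unsigned inside, outside, count; };

/* Constructed sample in the shape systemd-nspawn -U produces: one 65536-id
 * range at a made-up offset. Read the real map from /proc/<leader>/uid_map,
 * with the leader pid from "machinectl show <name>". */
static const char SAMPLE_UID_MAP[] = "         0 1912668160      65536\n";

/* Parse id_map text into out[]. Returns the number of ranges, or -1 on a
 * malformed line, a zero-length range, or more than max ranges. */
int parse_id_map(const char *text, struct id_range *out, int max) {
        int n = 0, used = 0;
        for (;;) {
                text += strspn(text, " \t\n");          /* skip blanks and empty lines */
                if (*text == '\0')
                        return n;
                if (n == max || sscanf(text, "%u %u %u%n", &out[n].inside,
                                       &out[n].outside, &out[n].count, &used) != 3
                    || out[n].count == 0)
                        return -1;
                text += used;
                text += strspn(text, " \t");
                if (*text != '\0' && *text != '\n')     /* trailing junk on the line */
                        return -1;
                n++;
        }
}

/* Id a host-owned file shows inside the container. A host id outside every
 * range (e.g. the host user's own 1000) comes out as OVERFLOW_ID: nobody. */
unsigned host_to_container(unsigned host_id, const struct id_range *r, int n) {
        for (int i = 0; i < n; i++)
                if (host_id >= r[i].outside && host_id - r[i].outside < r[i].count)
                        return r[i].inside + (host_id - r[i].outside);
        return OVERFLOW_ID;
}

/* Host id backing a container id (the vu-<machine>-<uid> owner seen on the
 * host), or -1 if unmapped: a chown to such an id fails with EPERM. */
long long container_to_host(unsigned cid, const struct id_range *r, int n) {
        for (int i = 0; i < n; i++)
                if (cid >= r[i].inside && cid - r[i].inside < r[i].count)
                        return (long long) r[i].outside + (cid - r[i].inside);
        return -1;
}

int main(void) {
        struct id_range map[8];
        int n = parse_id_map(SAMPLE_UID_MAP, map, 8);
        if (n < 0)
                return 1;
        /* toto was created by host uid 1000 inside the bind mount: */
        printf("host uid 1000 -> container uid %u\n", host_to_container(1000, map, n));
        /* the container's uid 1000, as the host sees it: */
        printf("container uid 1000 -> host uid %lld\n", container_to_host(1000, map, n));
        return 0;
}
```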


Re: [systemd-devel] Failed to apply ACLs: Invalid argument

2017-07-19 Thread Lennart Poettering
On Wed, 19.07.17 12:38, Matwey V. Kornilov (matwey.korni...@gmail.com) wrote:

> This is all that is relevant to Invalid Argument errno in strace:
>
[...]
> readlinkat(AT_FDCWD, "/sys/module/parport", 0x55d7a4d5d940, 99) = -1
> EINVAL (Invalid argument)

readlinkat() returns EINVAL when invoked on a non-symlink. It's not a
real error, just a way to report that mismatch.

> drwxr-xr-x 3 root root 0 июл 19 12:35 /sys/devices/virtual/input/input7/event7
> drwxr-xr-x 5 root root 0 июл 19 12:31 /sys/module/parport
> drwxr-xr-x 7 root root 0 июл 19 12:33 /sys/module/parport_pc
> 
> It is brand-new openSUSE 42.2 installation. No selinux or something like that.

Not sure what else I can suggest then, except attaching gdb to logind
and check what happens when you switch VTs... it should be sufficient
to set a breakpoint onto devnode_acl_all() and wait until it gets
triggered, and then follow the code until you see EINVAL thrown.

Unless you know gdb well enough you shouldn't attempt that though...

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] no user dbus session in container

2017-07-19 Thread arnaud gaboury
On Tue, Jul 18, 2017 at 3:09 PM Simon McVittie  wrote:

> On Fri, 14 Jul 2017 at 12:36:12 +, arnaud gaboury wrote:
> > After upgrade from Fedora 25 to 26, there is no more user dbus session
> for user
> > in container.
> ...
> > On container, user can't connect to dbus session, and I have no idea why.
> > May someone please give me some hints on how to debug this issue?
>
> Please start by reading the system log (the Journal).
>
> The chain of events that is meant to result in a D-Bus session bus is:
>
> * A user logging in (somehow) starts a login session
> * The login session starts an instance of `systemd --user`
> * `systemd --user` starts the dbus.socket user service, listening on
>   that user's $XDG_RUNTIME_DIR/bus
> * Some client in the login session interacts with the session bus
> * As a side-effect of connecting to $XDG_RUNTIME_DIR/bus,
>   `systemd --user` starts the dbus.service user service
>   (dbus-daemon --session --address=systemd:)
> * The dbus-daemon accepts the client's connection
>


I can't get the variable DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
set in the container. I have tried many places (~/.pam_environment;
/etc/systemd/system/user@.service.d/local.conf; ~/.config/systemd/user.conf).
Could it be at the root of my issue? Do I really need a per user dbus
session in my container?

>
> The system log should tell you which step in that chain of events is
> no longer happening.
>
> S


[systemd-devel] sd-bus example code for SetLinkDNS()

2017-07-19 Thread Tilman Baumann
Hi folks,

I'm trying to teach a VPN software (openfortivpn) how to properly set up
DNS in a systemd-resolved environment.

I'm trying to set up the equivalent of this in C:
busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNS 'ia(iay)' 16 2 2 4 10 10 10 10 2 4 10 10 10 11
[https://gist.github.com/tbaumann/d484efb2e27613654a52dbe11cfe53b8]

I came up with this quick proof-of-concept code based on the example
code in the sd-bus documentation.
Of course it segfaults. No surprise, I have done nothing to hint at the
length of the inner byte array (ay).

I was unable to find any example code that would give me a hint on how
to pass such more complex data structures into sd_bus_call_method().

int SetLinkDNSv4(sd_bus *bus, int if_index, struct in_addr ns1, struct in_addr ns2) {
  sd_bus_error error = SD_BUS_ERROR_NULL;
  sd_bus_message *m = NULL;
  int r;
  struct dns_address {
    int sin_family;
    struct in_addr ip_addr;
  };
  struct dns_address addresses[2];

  addresses[0].sin_family = AF_INET;
  addresses[0].ip_addr = ns1;
  addresses[1].sin_family = AF_INET;
  addresses[1].ip_addr = ns2;

  /* sd_bus_call_method() reads the (iay) elements as further variadic
   * arguments, not from a pointer to a C array; this is the call that
   * segfaults. */
  r = sd_bus_call_method(bus,
                         "org.freedesktop.resolve1",         /* service to contact */
                         "/org/freedesktop/resolve1",        /* object path */
                         "org.freedesktop.resolve1.Manager", /* interface name */
                         "SetLinkDNS",                       /* method name */
                         &error,                             /* object to return error in */
                         &m,                                 /* return message on success */
                         "ia(iay)",                          /* input signature */
                         if_index,
                         2,                                  /* array size */
                         addresses);

  sd_bus_error_free(&error);
  sd_bus_message_unref(m);
  return r;
}

[Full code:
https://gist.github.com/tbaumann/0f466c984c858767c966458d53483697]

My guess is that it would be easier if I somehow used
sd_bus_message_append() to assemble the message. But I don't see a clear
path there either.

Also, the length of the array can be one or two, so that bit is variable
too.

Thanks for any hints
 Tilman Baumann


Re: [systemd-devel] Failed to apply ACLs: Invalid argument

2017-07-19 Thread Lennart Poettering
On Tue, 18.07.17 16:28, Matwey V. Kornilov (matwey.korni...@gmail.com) wrote:

> Hello,
> 
> I am running systemd 228. And on one particular system installation
> there are messages 'Failed to apply ACLs: Invalid argument' from
> systemd-logind. Moreover, ACL on /dev/dri/* are not set correctly
> after user log in. How could I figure out which argument is invalid?
> Managing ACLs on /dev filesystem using setfacl works fine. I've tried
> using debug log_level, but nothing helpful here:

No idea, but I'd recommend strace'ing logind when this happens, and
looking for relevant operations on the device nodes...

logind doesn't do anything particularly magic... We just invoke
libacl, and normally libacl should validate enough what we pass
there...

do you use any MAC or so? selinux? smack? apparmor?

Do you use any non-standard UIDs? i.e. 65535 or so?

Lennart

-- 
Lennart Poettering, Red Hat