Your message dated Tue, 27 Feb 2024 19:54:33 +0000 with message-id <e1rf3x7-002qlc...@fasolo.debian.org> and subject line Bug#1063147: fixed in systemd 255.4-1 has caused the Debian Bug report #1063147, regarding 'telinit u' infinitely re-exec's itself inside containers to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1063147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063147 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: systemd-sysv Version: 255.3-2 Running 'telinit u' within a podman container results in an infinite loop as telinit repeatedly re-exec's itself. This behaviour comes from systemctl.c which has this logic for handling 'telinit': if (sd_booted() > 0) { arg_action = _ACTION_INVALID; return telinit_parse_argv(argc, argv); } else { /* Hmm, so some other init system is running, we need to forward this request to it. */ arg_action = ACTION_TELINIT; return 1; } Inside a container 'sd_booted()' will (typically) indicate systemd is NOT running, thus the 'else' clause will be followed. ACTION_TELINIT instructs the caller to execve() the telinit binary belonging to any *non-systemd* init impl, if any. This binary is determined by the 'telinit-path' meson build option, which defaults to /lib/sysvinit/telinit. Debian used to override this to /usr/lib/sysvinit/telinit, but a few months ago in Sid, this was changed to point to /usr/sbin/telinit, which is a symlink back to /usr/bin/systemctl: https://salsa.debian.org/systemd-team/systemd/-/commit/da95bc801088a6ab454851cf01addf97dd2c1ab3 IOW, Debian dpkg build has told systemd that the non-systemd telinit binary is the systemd telinit binary. Hilarity now ensues as it ends up exec'ing itself for all eternity :-) You might ask why should anyone hit this scenario ? Well consider that the 'libc6' package will run 'telinit u' in its postinst script, if it sees it is in a non-systemd environment. Not immediately a problem, since libc6 will be pre-installed in any container or VM disk image and thus the 'postinst' script won't run [not sure if 'postinst' is run on upgrades too ?]. Debian containers are an execellent environment for testing cross compiles though, and thus people will install a foreign arch libc6 package in the container which does trigger the postinst script. The following hangs (well loops forever in execve()): $ podman run -it debian:sid-slim # dpkg --add-architecture i386 # apt-get update # apt-get install systemd-sysv # apt-get install libc6:i386 Simpler example $ podman run -it debian:sid-slim # dpkg --add-architecture i386 # apt-get update # apt-get install systemd-sysv strace # strace -e trace=execve telinit u strace: Process 232065 attached execve("/usr/sbin/telinit", ["telinit", "u"], 0x7ffd9b26ba00 /* 24 vars */) = 0 execve("/usr/sbin/telinit", ["telinit", "u"], 0x7ffdab55f1d0 /* 24 vars */) = 0 execve("/usr/sbin/telinit", ["telinit", "u"], 0x7ffe79152400 /* 24 vars */) = 0 ....1000000's more times.... Even then though, most people won't (knowingly) install the systemd-sysv dpkg, so won't hit this problem. A few packages will pull in systemd-sysv behind the scenes, so you can unwittingly hit the problem. For libvirt CI, we install the open-iscsi and policykit-1 packages which both pull in systemd-sysv, so this hangs: $ podman run -it debian:sid-slim # dpkg --add-architecture i386 # apt-get update # apt-get install systemd-sysv # apt-get install open-iscsi:i386 Our foreign arch CI jobs that use Sid are thus suffering broken container builds right now. The simple solution appears to be to just remove the '-Dtelinit-path' option from debian/rules, and leave it on systemd's built-in defaults. The binary at this default path won't exist, and thus on a non-systemd execution environment 'telinit u' will simply exit with an error: # telinit u Couldn't find an alternative telinit implementation to spawn. which is a sensible behaviour and what has happened in containers with Debian until recent Sid. Other distros (eg Fedora) leave the telinit binary on systemd's default (non-existant) path too. Possibly the upstream systemctl.c code should be made to protect itself against such a mis-configuration by setting an env variable it can look at to detect re-exec of itself. Possibly libc6 package postinst script should skip running its 'telinit u' action if it detects it is inside a container, though that could possibly break something if people do have a real in-systemd init running ? Seems fairly low probability. With regards, Daniel
--- End Message ---
--- Begin Message ---Source: systemd Source-Version: 255.4-1 Done: Luca Boccassi <bl...@debian.org> We believe that the bug you reported is fixed in the latest version of systemd, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1063...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Luca Boccassi <bl...@debian.org> (supplier of updated systemd package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 27 Feb 2024 17:43:55 +0000 Source: systemd Architecture: source Version: 255.4-1 Distribution: sid Urgency: medium Maintainer: Debian systemd Maintainers <pkg-systemd-maintain...@lists.alioth.debian.org> Changed-By: Luca Boccassi <bl...@debian.org> Closes: 1061960 1063147 1063393 Changes: systemd (255.4-1) sid; urgency=medium . [ Luca Boccassi ] * Drop override for deprecated package-supports-alternative-init-but-no- init.d-script warning * Build-depend on pkgconf pkg-config is deprecated * Move kernel-install initrd script to slightly later prefix afea8e1a35e15382977d459241e8c56c180c862d moved it from 85 to 50, but this conflicts with the upstream mkosi job, which also runs at 50 and needs to run first. Move it back up slightly to 55 to fix the mkosi builds, eg: https://github.com/systemd/systemd- stable/actions/runs/7863691120/job/21454589626?pr=366 * Mark python3-pefile build dependency as native. As suggested in #1063393 * Skip python3-pefile build dependency only if both nocheck and noinsttests are set (Closes: #1063393) * Build with -Dtests=false if nocheck and noinsttest profiles are set. The required build dependencies will not be installed, so the tests won't build. * systemd-binfmt: use restart instead of try-restart on upgrade. It's not a long-running service so it doesn't matter, and it fixes installing a new binfmt provider (Closes: #1061960) * d/e/checkout-upstream: do not rebase when building on systemd-stable repo. We do rebase only pulls in the stable repo, and it's too much hassle to figure out the right parent branch, given the webhook is configured per repository rather than per branch, so just skip it * d/e/checkout-upstream: build with default-timeout-sec=180. Helps with slow daemon-reload on some CI runs. As requested by: https://github.com/systemd/systemd/pull/27182 * d/e/checkout-upstream: enable log-trace by default. Its abscence appears to cause TEST-10-ISSUE-2467 to reliably fail. Enable it while we figure it out. Also probably it is helpful to have it always turned on for the CI, to get more info out of test runs. See: https://github.com/systemd/systemd/issues/19154 * d/e/checkout-upstream: do not install userdbd sshd config drop-in. Breaks booting testbed in Jammy. Can be dropped after rebasing to Noble. * d/t/upstream: add dependencies on openssh, gnutls-bin, opensc and softhsm2. Required for https://github.com/systemd/systemd/pull/28658 and https://github.com/systemd/systemd/pull/30777 * d/t/upstream: fix shellcheck warning. SC2086 (info): Double quote to prevent globbing and word splitting. * Add dependency on libkmod2 on udev, and suggestion on systemd dlopen() dependency since https://github.com/systemd/systemd/pull/31131 but the system can't boot without it, so add it as a dependency on udev which is also needed outside of containers * Update tzdata build dependency constraint to 2024a-1 * Drop libarchive-dev build dependency. Not useful for now, we'll re-add it after the next release * New upstream version 255.4 * Drop patches merged upstream . [ Daan De Meyer ] * Fix libtss2-mu dependency. This package recently changed name so let's update the Suggests to account for that. * Add Suggests for libtss2-tcti-device systemd wants to use this library when tpm2 support is enabled so let's make sure we list it in Suggests. (https://github.com/systemd/systemd/blob/db11bab38ccf1ed257f 310d29070843d4c58ea01/meson.build#L1341) * Make sure awk only matches PROJECT|PACKAGE_VERSION * Use DEB_BUILD_MAINT_OPTIONS instead of meson options. * Don't put debian revision in version tag when building for upstream. * Allow users to configure DH_MISSING. . [ Frantisek Sumsal ] * d/t/storage: ignore credential mounts when checking /proc/mounts. . [ Daniel P. Berrangé ] * debian/rules: don't override default telinit-path. The 'telinit-path' meson option is to be used to point to a non-systemd telinit binary path. When systemctl is invoked as 'telinit', it will exec this binary when it detects the current environment is not running under systemd. If 'telinit-path' points back to 'systemctl', that would result in an infinite re-execve() loop. (Closes: #1063147) Checksums-Sha1: 2b67277884231ec2bac420e8b0ef92ad3739893f 7133 systemd_255.4-1.dsc c8d0e2e79a137bcace2550bb792cebcc42c98352 14952427 systemd_255.4.orig.tar.gz 7b238ab035f8d57be253af9b3e8c5d4d3bc42da9 172068 systemd_255.4-1.debian.tar.xz 3e22c34fa55edec880fd54a05fc84d1206877b08 12617 systemd_255.4-1_source.buildinfo Checksums-Sha256: d161f791833ede65dd861262509d2fbbb7ff02771969493b04472ad2994e3c07 7133 systemd_255.4-1.dsc 96e75bd08c57ad401677456fb88ef54a9f05bb1695693013bc6ecce839640fd5 14952427 systemd_255.4.orig.tar.gz 16cc8104b8f2c5fd598218d48bb1b107719ce25e94055d5dd18ae551bd90a012 172068 systemd_255.4-1.debian.tar.xz a2196c703725aa72f42033abd8eb696e0c8883dffa8c3d9d6aaf9492c5143898 12617 systemd_255.4-1_source.buildinfo Files: 69a88676db56eb7d46e4916e33879850 7133 admin optional systemd_255.4-1.dsc fda0291dffa4a3255b99be184d13e710 14952427 admin optional systemd_255.4.orig.tar.gz 7b2acf9bd36cb45aa276ed7515c6d05b 172068 admin optional systemd_255.4-1.debian.tar.xz b084eab6c17f669a90398110ceeda762 12617 admin optional systemd_255.4-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEErCSqx93EIPGOymuRKGv37813JB4FAmXeN2oRHGJsdWNhQGRl Ymlhbi5vcmcACgkQKGv37813JB7kLA/+P59VWeQcfGn6rnbCoJJepdI3sL1ifnQt bcLiuEuzqzF0avad1Bu+EvOXJnZ5do7m9kgVGIWWeDQjDp/RjpC31oHDX2eU76oE DzBLoVKRZNlC4ps/qRHQL5CXXROpZD3ddKOgLxeTtq2zpSdDCN2O3MA7ClJRndfG kiy6HHg+HdxFU7A9HA82W9AskMSY/wsR90VDtKbX/bis/TW2fAyLAwjVDAQ6PebS oj2hJ8iUzu/E+Pxc+dg9EZdCyyfTAKH/t1zjd3AlgcisXlooCRoI8JvgEg60M4Xf MMzhUMsSBRxlLKXUQR/IVqJwdCvcOffKHqszM9qajVbQD2bUVRO7nRb40d2IpTS7 bcKRmHZV4HoONMSPQv8aIgPL0AQaXv+s5nzJMvuqKgKvrjDOq/RrjTBrqacwa+Q2 2rssHHoloVvEZAiGCmsF9TcT//dnAuEU8V50R6xZwcfuK8xqmnTvCBzjN5LrQw9K iEsiejXHkx54t9n96Pka96epl+39YNTz4DgVMNK1Tai1cpaKegDOr8vqhX6NFzlN QaKhGxgjk6FzrpMQ58+RVfkDObTts/Ynv2vsYE2gDnkhcdJlrbMoXgGgy9/ebOPV gN3+LXQM13kiYVxWFE+cnP2leXHT5cxPHE1borTeYNqjlYahOjkItWwNw8GMZbU+ 4tKFXIM//1U= =WpYL -----END PGP SIGNATURE-----
pgpVHv9EOyK7z.pgp
Description: PGP signature
--- End Message ---
