Re: [systemd-devel] inetd/chroot
From: Filipe Brandenburger [mailto:filbran...@google.com]

> Hi,
> Yes, I could reproduce this.
> It happens while systemd tries to find the SELinux label of the binary.
> I pushed a PR with a fix here:
> https://github.com/systemd/systemd/pull/8405
> Once it's merged, you might want to ask the maintainers of your distro
> to backport it...
> Cheers!
> Filipe

Thank you most kindly for the fix! I am glad to have reported it.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] inetd/chroot
I am running some inetd firewall components that came from the legacy FWTK (http://fwtk.org) under systemd socket activation on Oracle Linux 7.4. The author of this code has found bugs in later life. http://www.ranum.com/security/computer_security/editorials/codetools/index.html

When I was using OpenBSD, I had inetd spawn these as nobody. With systemd, I go further and specify a RootDirectory, and this causes what appears to be an interesting systemd bug. These are the units in question:

    # cat /etc/systemd/system/yum.socket
    [Unit]
    Description=yum proxy
    [Socket]
    ListenStream=5865
    Accept=yes
    [Install]
    WantedBy=sockets.target

    # cat /etc/systemd/system/yum@.service
    [Unit]
    Description=yum proxy
    [Service]
    RootDirectory=/home/fwjail
    ExecStart=-/usr/local/etc/http-gw
    StandardInput=socket
    User=nobody
    Group=nobody

Placing the toolkit component in /home/fwjail/usr/local/etc/http-gw, and attempting to start the socket fails:

    # systemctl start yum.socket
    Job for yum.socket failed. See "systemctl status yum.socket" and "journalctl -xe" for details.

However, if I place any file at the corresponding location *outside of the chroot* the service will start normally.

    # touch /usr/local/etc/http-gw
    # ll /usr/local/etc/http-gw
    -rw-r--r--. 1 root root 0 Mar  8 11:10 /usr/local/etc/http-gw
    # systemctl start yum.socket

It seems to me that systemd is (pre)checking for the program before starting the socket, and the check is not relative to the chroot/RootDirectory parameter. Is this behavior correct?

p.s.

a) I'm not using the FWTK in a security capacity at all - this is for the isolation of a QA network containing a Unisys running OS2200/EXEC 8. I have hundreds of inetd rules that I've ported to busybox, launched by a systemd service. I am pumping a yum proxy back through here so I can get patches into the internal network.

b) I have confirmed that systemd is launching the correct program, even though it is checking for the existence of the wrong one:

    # nc localhost 5865
    GET /
    HTTP/1.0 200 OK
    Content-type: text/html

    HTTP-GW Internal Documentation
    http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif
    HTTP-GW Internal Documentation
    The HTTP-GW is part of the http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/ Trusted Information Systems Inc. firewall toolkit and http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/Home/NetworkSecurity/Gauntlet/Gauntlet.html Gauntlet (TM) product.
    No Server
    You have accessed the HTTP-GW and the proxy has not been able to find any server information in your request and there is no default server configured to hand the request off to. You may be able to get your firewall administrator to configure the firewall to pass these requests off to a local HTTP server.
    http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/version.html About HTTP-GW
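As an added example (not code from the thread, and not part of systemd), a small POSIX sh check for the situation reported above: it reads RootDirectory= and ExecStart= from a unit file and reports whether the program exists inside the RootDirectory, only at the same path on the host (the touch workaround), both, or neither. The optional HOST_PREFIX argument is an assumption of this example so the check can run against a staged tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the thread): does a unit's ExecStart program live
# inside its RootDirectory, or only at the same path on the host?
# Usage: check_unit_root UNIT_FILE [HOST_PREFIX]
#   HOST_PREFIX (default: empty, i.e. the real host root) lets the check run
#   against a staged directory tree instead of the live system.
# Prints one word: ok | both | host-only | missing | no-rootdirectory
# Exit status is 0 only for "ok".
check_unit_root() {
    unit=$1
    host=${2:-}
    # systemd uses the last assignment when a key is repeated.
    root=$(sed -n 's/^RootDirectory=//p' "$unit" | tail -n 1)
    cmd=$(sed -n 's/^ExecStart=//p' "$unit" | tail -n 1)
    if [ -z "$root" ]; then
        echo "no-rootdirectory"
        return 2
    fi
    # Drop ExecStart prefix characters ("-", "@", "+", ":", "!") and keep
    # argv[0], which must be an absolute path for this check.
    bin=$(printf '%s\n' "$cmd" | sed 's/^[-@+:!]*//' | awk '{print $1}')
    in_root=0
    on_host=0
    [ -e "$host$root$bin" ] && in_root=1
    [ -e "$host$bin" ] && on_host=1
    case "$in_root$on_host" in
        10) echo "ok"; return 0 ;;
        11) echo "both"; return 1 ;;      # jail copy plus a stray host copy
        01) echo "host-only"; return 1 ;; # only the workaround file, jail empty
        *)  echo "missing"; return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    check_unit_root "$@"
fi
```

Run it as `sh check.sh /etc/systemd/system/yum@.service`; a result of "both" or "host-only" means a file outside the jail is what makes the socket start.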
[systemd-devel] xinetd REMOTE_IP (feature request)
The xinetd server from previous versions of RedHat defined a REMOTE_IP environment variable. I realize that I can extract that data with the following code:

    #include <stdio.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    int main(void) {
        struct sockaddr_in thisconn;
        socklen_t thislen = sizeof(thisconn);
        /* fd 0 is the accepted connection (StandardInput=socket) */
        getpeername(/* STDIN */ 0, (struct sockaddr *)&thisconn, &thislen);
        printf("%s\n", inet_ntoa(thisconn.sin_addr));
        return 0;
    }

...but it would be nice if the behavior matched xinetd. The environment that I see defined by systemd is:

    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
    PWD=/
    LANG=en_US.utf8
    SHLVL=1
    _=/usr/bin/env
[systemd-devel] remount
When I start a container like this:

    [root@limsdev ~]# systemd-nspawn -bD /home/limsbox --bind-ro=/usr/lib64 --bind-ro=/home/oracle/Ora12c/db

Is there any way I can stop the container root from being able to do this?:

    ~ # mount -o remount,rw /usr/lib64
Re: [systemd-devel] starting Oracle with systemd
-----Original Message-----

> How about: http://www.freedesktop.org/software/systemd/man/systemd.kill.html
> Would setting KillMode=process for the listener service have the required effect: on service stop, only kill the main process, leaving the child processes and cgroup running?
> Yes, that probably will work around this problem.

No, that's not how it works. The listener is forked from the listener control utility, so a child process then spawns all database client children for all instances. This is the procedure (at the risk of infuriating those with heightened sensitivities):

    -bash-4.2$ export ORACLE_HOME=/home/oracle/Ora12c/db
    -bash-4.2$ $ORACLE_HOME/bin/lsnrctl
    LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 31-OCT-2014 10:13:44
    Copyright (c) 1991, 2014, Oracle.  All rights reserved.
    Welcome to LSNRCTL, type "help" for information.
    LSNRCTL>

    -bash-4.2$ ps -ef | grep lsnr
    oracle   24564 24491  0 10:13 pts/0    00:00:00 /home/oracle/Ora12c/db/bin/lsnrctl
    oracle   24585 24534  0 10:15 pts/1    00:00:00 grep --color=auto lsnr

    LSNRCTL> start
    Starting /home/oracle/Ora12c/db/bin/tnslsnr: please wait...
    TNSLSNR for Linux: Version 12.1.0.2.0 - Production
    Log messages written to /home/oracle/Ora12c/diag/tnslsnr/localhost/listener/alert/log.xml
    Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))
    Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
    STATUS of the LISTENER
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production
    Start Date                31-OCT-2014 10:15:34
    Uptime                    0 days 0 hr. 0 min. 0 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Log File         /home/oracle/Ora12c/diag/tnslsnr/localhost/listener/alert/log.xml
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))
    The listener supports no services
    The command completed successfully
    LSNRCTL>

    -bash-4.2$ ps -ef | egrep '(lsnr|tns)'
    root        26     2  0 Oct30 ?        00:00:00 [netns]
    oracle   24564 24491  0 10:13 pts/0    00:00:00 /home/oracle/Ora12c/db/bin/lsnrctl
    oracle   24599     1  0 10:15 ?        00:00:00 /home/oracle/Ora12c/db/bin/tnslsnr LISTENER -inherit
Re: [systemd-devel] starting Oracle with systemd
-----Original Message-----
From: systemd-devel [mailto:systemd-devel-boun...@lists.freedesktop.org] On Behalf Of Reindl Harald

>> For some reason, the iptables didn't happen. Maybe it needs to be fully qualified.
>
> yes it needs to be as any other path
> the documentation is very clear here

No, [unix] user oracle doesn't have permission to run iptables. I either need to sudo something up, or put this elsewhere. Letting different commands run with different uids/gids would be a nice feature.
[systemd-devel] Minimal Userland
Posting just in case someone finds it of interest. I did this on Oracle Linux 7.

    mkdir /home/nifty
    mkdir /home/nifty/bin
    cp /your/busybox /home/nifty/bin
    cd /home/nifty/bin
    ln -s busybox sh
    chroot /home/nifty bin/busybox ls -l   # so far, so good, any system can do this
    exit
    ./busybox --list | awk '{print "ln -s busybox " $0}' | sh
    mkdir /home/nifty/etc
    touch /home/nifty/etc/os-release
    cd /home/nifty
    ln -s bin sbin
    ln -s usr/bin bin
    echo 'root::0:0:root:/root:/bin/sh' > /home/nifty/etc/passwd
    echo 'console::respawn:/bin/getty 38400 /dev/console' > /home/nifty/etc/inittab
    tar cf - /usr/share/zoneinfo | (cd /home/nifty; tar xvpf -)
    systemd-nspawn -bD /home/nifty   # login to the new userland you just built
Re: [systemd-devel] starting Oracle with systemd
On Tue, 28.10.14 15:08, Fisher, Charles J. (Top Echelon) (charles.fis...@alcoa.com) wrote:

>> Is this the best way to start Oracle?
>>
>>     [Service]
>>     Environment=ORACLE_SID=foo ORACLE_HOME=/home/oracle/Ora12c/db
>>     ExecStart=/bin/ksh -c 'print "connect / as sysdba \n startup \n quit" | $ORACLE_HOME/bin/sqlplus -silent /nolog'
>>     ExecStop=/bin/ksh -c 'print "connect / as sysdba \n shutdown immediate \n quit" | $ORACLE_HOME/bin/sqlplus -silent /nolog'
>
> This looks quite suspicious as you spawn a shell and keep it running. It's fine to run shells and then finally exec the real binary, replacing the shell process, but keeping the shell around would tell systemd that the shell was the actual daemon process.

It doesn't work like that. The ksh dies when sqlplus exits, after it forks the instance background processes. These are the binaries of interest:

    -bash-4.2$ ls -l $ORACLE_HOME/bin/sqlplus $ORACLE_HOME/bin/oracle $ORACLE_HOME/bin/tnslsnr
    -rwsr-s--x. 1 oracle dba 323649834 Aug 13 10:47 /home/oracle/Ora12c/db/bin/oracle
    -rwxr-x--x. 1 oracle dba     10525 Aug 13 10:46 /home/oracle/Ora12c/db/bin/sqlplus
    -rwxr-x--x. 1 oracle dba    866455 Aug 13 10:46 /home/oracle/Ora12c/db/bin/tnslsnr

The real problem is the tnslsnr. It can service multiple instances. If I run those instances in separate cgroups, and the listener can only be a member of one cgroup, then the listener's children die if the listener process is disturbed. This means all DB sessions are cut when the listener is stopped. It looks like systemd will force separate listeners for all Oracle instances, and the usual port number (1521) can't multiplex them (unless a single cgroup is used).

    -bash-4.2$ ps -ef | grep oracle
    root      1742     1  0 11:21 ?        00:00:00 login -- oracle
    oracle    1750  1742  0 11:21 tty2     00:00:00 -bash
    root      2285  1190  0 11:34 ?        00:00:00 sshd: oracle [priv]
    oracle    2301  2285  0 11:35 ?        00:00:00 sshd: oracle@pts/0
    oracle    2302  2301  0 11:35 pts/0    00:00:00 -bash
    oracle    3379  2302  0 12:13 pts/0    00:00:00 ps -ef
    oracle    3380  2302  0 12:13 pts/0    00:00:00 grep --color=auto oracle

    -bash-4.2$ $ORACLE_HOME/bin/sqlplus /nolog
    SQL*Plus: Release 12.1.0.2.0 Production on Thu Oct 30 12:19:27 2014
    Copyright (c) 1982, 2014, Oracle.  All rights reserved.
    SQL> connect / as sysdba
    Connected to an idle instance.
    SQL> !ps -ef | grep oracle
    root      1742     1  0 11:21 ?        00:00:00 login -- oracle
    oracle    1750  1742  0 11:21 tty2     00:00:00 -bash
    root      2285  1190  0 11:34 ?        00:00:00 sshd: oracle [priv]
    oracle    2301  2285  0 11:35 ?        00:00:00 sshd: oracle@pts/0
    oracle    2302  2301  0 11:35 pts/0    00:00:00 -bash
    oracle    3431  2302  0 12:19 pts/0    00:00:00 /home/oracle/Ora12c/db/bin/sqlplus
    oracle    3432  3431  0 12:19 ?        00:00:00 oracleorcl (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))
    oracle    3433  3431  0 12:19 pts/0    00:00:00 /bin/bash -c ps -ef | grep oracle
    oracle    3434  3433  0 12:19 pts/0    00:00:00 ps -ef
    oracle    3435  3433  0 12:19 pts/0    00:00:00 grep oracle
    SQL> startup
    ORACLE instance started.
    Total System Global Area  834666496 bytes
    Fixed Size                  2929888 bytes
    Variable Size             603982624 bytes
    Database Buffers              98112 bytes
    Redo Buffers                5455872 bytes
    Database mounted.
    Database opened.
    SQL> quit
    Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

*** the ora_ processes below are all actually the $ORACLE_HOME/bin/oracle binary

    -bash-4.2$ ps -ef | grep oracle
    root      1742     1  0 11:21 ?        00:00:00 login -- oracle
    oracle    1750  1742  0 11:21 tty2     00:00:00 -bash
    root      2285  1190  0 11:34 ?        00:00:00 sshd: oracle [priv]
    oracle    2301  2285  0 11:35 ?        00:00:00 sshd: oracle@pts/0
    oracle    2302  2301  0 11:35 pts/0    00:00:00 -bash
    oracle    3439     1  0 12:19 ?        00:00:00 ora_pmon_orcl
    oracle    3441     1  0 12:19 ?        00:00:00 ora_psp0_orcl
    oracle    3443     1  1 12:19 ?        00:00:00 ora_vktm_orcl
    oracle    3447     1  0 12:19 ?        00:00:00 ora_gen0_orcl
    oracle    3449     1  0 12:19 ?        00:00:00 ora_mman_orcl
    oracle    3453     1  0 12:19 ?        00:00:00 ora_diag_orcl
    oracle    3455     1  0 12:19 ?        00:00:00 ora_dbrm_orcl
    oracle    3457     1  0 12:19 ?        00:00:00 ora_vkrm_orcl
    oracle    3459     1  0 12:19 ?        00:00:00 ora_dia0_orcl
    oracle    3461     1  0 12:19 ?        00:00:00 ora_dbw0_orcl
    oracle    3463     1  0 12:19 ?        00:00:00 ora_lgwr_orcl
    oracle    3465     1  0 12:19 ?        00:00:00 ora_ckpt_orcl
    oracle    3467     1  0 12:19 ?        00:00:00 ora_lg00_orcl
    oracle    3469     1  0 12:19 ?        00:00:00 ora_smon_orcl
    oracle    3471     1  0 12:19 ?        00:00:00 ora_lg01_orcl
    oracle    3473     1  0 12:19 ?        00:00:00 ora_reco_orcl
    oracle    3475
Re: [systemd-devel] starting Oracle with systemd
-----Original Message-----
From: systemd-devel [mailto:systemd-devel-boun...@lists.freedesktop.org] On Behalf Of Andrei Borzenkov

> Even in this case behavior is wrong. Currently stopping listener does not affect existing database connections. Killing all client processes on listener stop will be rather strong regression.
> How ssh does it? It is something similar - master service that need to spawn multiple independent children.

Observe...

    [root@localhost bin]# systemctl start oracle-orcl.service
    [root@localhost bin]# systemctl start oracle-listener.service
    [root@localhost bin]# iptables -I INPUT -p tcp --dport 1521 --syn -j ACCEPT

    C:\>ver
    Microsoft Windows [Version 6.1.7601]
    C:\>sqlplus system@(description=(address=(protocol=tcp)(host=10.58.17.250)(port=1521))(connect_data=(sid=orcl)))
    SQL*Plus: Release 10.2.0.3.0 - Production on Thu Oct 30 12:46:35 2014
    Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.
    Enter password:
    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
    SQL> select * from dual;
    D
    -
    X

    [root@localhost bin]# ps -ef | grep LOCAL
    oracle    4292     1  0 12:46 ?        00:00:00 oracleorcl (LOCAL=NO)
    root      4304  2687  0 12:47 pts/1    00:00:00 grep --color=auto LOCAL
    [root@localhost bin]# systemctl stop oracle-listener.service
    [root@localhost bin]# ps -ef | grep LOCAL
    root      4321  2687  0 12:47 pts/1    00:00:00 grep --color=auto LOCAL

    SQL> select * from dual;
    select * from dual
    *
    ERROR at line 1:
    ORA-03113: end-of-file on communication channel

It would be more sensible if the tnslsnr caused [one of] the oracle background processes to fork off a client connection, so the cgroup is correct. This is not the case. I don't think Oracle supports anything running systemd as yet. I can see why. It's a disaster if incorrectly used.
Re: [systemd-devel] starting Oracle with systemd
-----Original Message-----
From: Lennart Poettering [mailto:lenn...@poettering.net]

> If you run those instances in separate cgroups? what's that supposed to mean? We do not expose cgroups as concept in systemd. Are you accessing cgroupfs directly?
> I have no idea how Oracle works, and the above is too cryptic to fully understand what point you are trying to make. Can you elaborate on this for somebody who doesn't know a thing about Oracle? And please don't paste tons of Oracle outputs here, they don't help, they make everything more cryptic and unintelligible...

...and I am rather weak on all the new systemd concepts. No, whatever cgroupfs is, I'm not using it. I think.

Summary: systemd kills Oracle sessions, with severe prejudice, when a listener and instance(s) are started as separate services. This appears to be the key:

--
    [root@localhost system]# psc | grep lsnr
    8619 oracle 1:name=systemd:/system.slic /home/oracle/Ora12c/db/bin/tnslsnr LISTENER -inherit
    [root@localhost system]# ps xawf -eo args,cgroup | tail
    ...
    ora_q002_orcl               1:name=systemd:/system.slice/oracle-orcl.service
    ora_q003_orcl               1:name=systemd:/system.slice/oracle-orcl.service
    oracleorcl (LOCAL=NO)       1:name=systemd:/system.slice/oracle-listener.service
    ora_j000_orcl               1:name=systemd:/system.slice/oracle-orcl.service
    ora_j001_orcl               1:name=systemd:/system.slice/oracle-orcl.service
--

For the instance ORCL, the remote connections (LOCAL=NO) have the cgroup column above from the **LISTENER** (which is not associated with a specific instance), not from the background processes of the target instance in question. When I stop the listener, systemd kills *all* of the LOCAL=NO processes, for all instances. It is common for a single listener to spawn connections for multiple installations, versions, and instances. THEY ALL DIE when systemd goes on a listener stop rampage.

If/when I install a new version of Oracle and configure the latest listener to serve all my past installed instances, I will have a machine outage in moving the listener, rather than a short period where new connections are rejected (while existing sessions are unmolested).

This is not the fault of systemd. The tnslsnr process above is forking, not a background process. There is no reasonable way for system software to track this. I hope Oracle fixes this with the next release.
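As an added example (not code from the thread and not an Oracle or systemd tool), a POSIX sh/awk detector for the condition shown in this post and in the later "Interestingly, placing the Oracle database listener in its own service..." post: remote-session server processes ("oracle<SID> (LOCAL=NO)") whose systemd cgroup is not the cgroup of that instance's own background processes. It reads `ps -eo args,cgroup` output on stdin; the embedded sample is constructed after the thread's listing, and the pmon-as-instance-anchor rule is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag Oracle remote-session server
# processes ("oracle<SID> (LOCAL=NO)") whose systemd cgroup differs from the
# cgroup of that instance's own background processes (anchored on ora_pmon_<SID>).
# Input: output of `ps -eo args,cgroup`; the cgroup is always the last field.
# Prints one MISMATCH/UNKNOWN line per offending process; exit status 1 if any.
oracle_cgroup_mismatch() {
    awk '
    BEGIN { n = 0 }
    {
        cg = $NF
        if ($1 ~ /^ora_pmon_/) {                       # pmon pins the instance cgroup
            inst[substr($1, 10)] = cg
        } else if ($1 ~ /^oracle/ && $2 == "(LOCAL=NO)") {
            conn[n++] = substr($1, 7) SUBSEP cg        # sid, cgroup of the session
        }
    }
    END {
        bad = 0
        for (i = 0; i < n; i++) {
            split(conn[i], p, SUBSEP)
            sid = p[1]; cg = p[2]
            if (!(sid in inst)) {
                printf "UNKNOWN sid=%s conn=%s\n", sid, cg; bad = 1
            } else if (inst[sid] != cg) {
                printf "MISMATCH sid=%s conn=%s instance=%s\n", sid, cg, inst[sid]; bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample modeled on the listing in the thread: the LOCAL=NO session
# sits in oracle-listener.service while the instance lives in oracle-orcl.service.
# The bequeath (LOCAL=YES) session started from a shell is expected and ignored.
SAMPLE='COMMAND CGROUP
ora_pmon_orcl 1:name=systemd:/system.slice/oracle-orcl.service
ora_q002_orcl 1:name=systemd:/system.slice/oracle-orcl.service
oracleorcl (LOCAL=NO) 1:name=systemd:/system.slice/oracle-listener.service
oracleorcl (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq))) 1:name=systemd:/user.slice/user-1001.slice
ora_j000_orcl 1:name=systemd:/system.slice/oracle-orcl.service'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | oracle_cgroup_mismatch ;;
    --live) ps -eo args,cgroup | oracle_cgroup_mismatch ;;
esac
```

Any MISMATCH line names a session that a `systemctl stop` of the listed connection cgroup's service would kill along with the listener.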
[systemd-devel] starting Oracle with systemd
Is this the best way to start Oracle?

    [root@localhost system]# cat oracle-foo.service
    [Unit]
    Description=oracle db - foo
    After=syslog.target

    [Service]
    Environment=ORACLE_SID=foo ORACLE_HOME=/home/oracle/Ora12c/db
    ExecStart=/bin/ksh -c 'print "connect / as sysdba \n startup \n quit" | $ORACLE_HOME/bin/sqlplus -silent /nolog'
    ExecStop=/bin/ksh -c 'print "connect / as sysdba \n shutdown immediate \n quit" | $ORACLE_HOME/bin/sqlplus -silent /nolog'
    Type=forking
    User=oracle
    Group=dba

    [Install]
    WantedBy=multi-user.target

    #This file should be placed in /etc/systemd/system
    #enable for start at boot by: systemctl enable oracle_db-foo.service

I used to do it with an init.d script that grabbed the SID out of argv[0] with ORACLE_SID=${0##*-} - I'm assuming that a systemd service file can't grab anything similarly out of argv[0], and I can't hard-link them all together.

I may have several instances on a machine; I'd like one service to start/stop everything if possible (maybe with dbstart/dbshut), but I also want granular control over each Oracle instance.
Re: [systemd-devel] starting Oracle with systemd
Interestingly, placing the Oracle database listener in its own service propagates this cgroup to all client connections into all databases. Stopping the listener service kills these connections for all instances handled by the listener, which is not the normal/expected behavior.

    [root@localhost system]# psc | grep lsnr
    8619 oracle 1:name=systemd:/system.slic /home/oracle/Ora12c/db/bin/tnslsnr LISTENER -inherit
    [root@localhost system]# ps xawf -eo args,cgroup | tail
    ...
    ora_q002_orcl               1:name=systemd:/system.slice/oracle-orcl.service
    ora_q003_orcl               1:name=systemd:/system.slice/oracle-orcl.service
    oracleorcl (LOCAL=NO)       1:name=systemd:/system.slice/oracle-listener.service
    ora_j000_orcl               1:name=systemd:/system.slice/oracle-orcl.service
    ora_j001_orcl               1:name=systemd:/system.slice/oracle-orcl.service

The dbstart script (supplied by Oracle) also likely should not be used, since it will place all instances in the same cgroup.

From: systemd-devel [mailto:systemd-devel-boun...@lists.freedesktop.org] On Behalf Of Jóhann B. Guðmundsson
Sent: Tuesday, October 28, 2014 2:43 PM
To: systemd-devel@lists.freedesktop.org
Subject: EXT: Re: [systemd-devel] starting Oracle with systemd

> On 10/28/2014 07:08 PM, Fisher, Charles J. (Top Echelon) wrote:
>> Is this the best way to start Oracle?
>
> No, and unfortunately for you Oracle is not open source and has a bad track record taking code submissions, which is probably why nobody has written a proper systemd unit for it and pushed it upstream.
>
> <snip>
>
> ( you need to post the original initscript along with any startup scripts in conjunction with that init script so the proper course of action can be taken when migrating it to native systemd unit(s); use something like fpaste if you intend on doing that )
>
>> I may have several instances on a machine; I'd like one service to start/stop everything if possible (maybe with dbstart/dbshut), but I also want granular control over each Oracle instance.
>
> You would do so by creating a specific oracledb.target followed by new oracle instance units.
>
> I'm not sure how much we should be involved with migrating that since it's closed source and we can't be held accountable if our migration breaks your support contract, hence it's probably best that you request new units and targets from Oracle support directly. ( which is probably not what you want to hear but meh )
>
> JBG