Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf

2016-09-27 Thread Michael Biebl 
Control: tags -1 + pending

Am 27.09.2016 um 16:29 schrieb Antonio Ospite:
> Package: systemd
> Version: 231-7
> Followup-For: Bug #838191
> 
> Dear Maintainer,
> 
> I am attaching the patch to
> debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch

Committed as 9709b3

Thanks,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature

Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf

2016-09-27 Thread Antonio Ospite 
Package: systemd
Version: 231-7
Followup-For: Bug #838191

Dear Maintainer,

I am attaching the patch to
debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch

Thanks for the analysis about system-auth, I'll let you know what the
upstream devs think about documenting better the systemd-user
requirements.

Ciao ciao,
   Antonio

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser 3.115
ii  libacl1 2.2.52-3
ii  libapparmor12.10.95-4+b1
ii  libaudit1   1:2.6.6-1
ii  libblkid1   2.28.2-1
ii  libc6   2.24-3
ii  libcap2 1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20 1.7.3-1
ii  libgpg-error0   1.24-1
ii  libidn111.33-1
ii  libip4tc0   1.6.0-3
ii  libkmod222-1.1
ii  liblzma55.1.1alpha+20120614-2.1
ii  libmount1   2.28.2-1
ii  libpam0g1.1.8-3.3
ii  libseccomp2 2.3.1-2
ii  libselinux1 2.5-3
ii  libsystemd0 231-7
ii  mount   2.28.2-1
ii  util-linux  2.28.2-1

Versions of packages systemd recommends:
ii  dbus1.10.10-1
ii  libpam-systemd  231-7

Versions of packages systemd suggests:
ii  policykit-10.105-16
ii  systemd-container  231-7
pn  systemd-ui 

Versions of packages systemd is related to:
ii  udev  231-7

-- no debconf information
-- 
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?
>From d3d900a938200decaa5d4e2afbd6f81604bc30e9 Mon Sep 17 00:00:00 2001
From: Antonio Ospite 
Date: Tue, 27 Sep 2016 16:10:52 +0200
Subject: [PATCH] debian/patches: update systemd-user pam config to require
 pam_limits.so
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Face: z*RaLf`X<@C75u6Ig9}{oW$H;1_\2t5)({*|jhM/Vb;]yA5\I~93>J<_`<4)A{':UrE

Upstream loads pam_limits.so indirectly when launching systemd-user
because it is loaded from the included system-auth.

Debian does not include system-auth so, in order to honor the limits
specified in /etc/security/limits.conf for user units, load
pam_limits.so directly from /etc/pam.d/systemd-user.

Closes: #838191
Thanks: Mantas Mikulėnas for the suggestion
---
 .../debian/Adjust-systemd-user-pam-config-file-for-Debian.patch  | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch b/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch
index c27a1de..979c975 100644
--- a/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch
+++ b/debian/patches/debian/Adjust-systemd-user-pam-config-file-for-Debian.patch
@@ -5,14 +5,12 @@ Subject: Adjust systemd-user pam config file for Debian
 This pam config file is used by libpam-systemd/systemd-logind when
 launching systemd user instances.
 ---
- src/login/systemd-user.m4 | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
+ src/login/systemd-user.m4 |6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
 
-diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
-index f188a8e..ef544e3 100644
 --- a/src/login/systemd-user.m4
 +++ b/src/login/systemd-user.m4
-@@ -2,11 +2,12 @@
+@@ -2,11 +2,13 @@
  #
  # Used by systemd --user instances.
  
@@ -25,5 +23,6 @@ index f188a8e..ef544e3 100644
  )m4_dnl
  session  required pam_loginuid.so
 -session  include system-auth
++session  required pam_limits.so
 +@include common-session-noninteractive
 +session optional pam_systemd.so
-- 
2.9.3

Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf

2016-09-27 Thread Michael Biebl 
Am 27.09.2016 um 11:25 schrieb Michael Biebl:
> Am 18.09.2016 um 11:16 schrieb Antonio Ospite:
>> If so I will send a standalone patch which applies _before_
>> debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
>> will be easier to have it merged upstream.
> 
> The upstream pam config file is Redhat specific in this regard. It
> includes /etc/pam.d/system-auth, which in turn has
> 
> session required  pam_limits.so
> 
> We do use common-account and common-session-noninteractive in Debian,
> which do no include pam_limits.so. So I guess we will have to keep that
> as a downstream change.

Which means, this change should be merged into
debian/Adjust-systemd-user-pam-config-file-for-Debian.patch and not be
added via a separate patch.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature

Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf

2016-09-27 Thread Michael Biebl 
Am 18.09.2016 um 11:16 schrieb Antonio Ospite:
> After a precious suggestion by Mantas Mikulėnas (grawity in
> #debian-systemd) I verified that this is happening because
> /etc/pam.d/systemd-user does not load pam_limits.so.
> 
> The following change fixes the issue:
> ---
> --- /etc/pam.d/systemd-user.orig  2016-09-17 17:40:19.787522246 +0200
> +++ /etc/pam.d/systemd-user   2016-09-17 15:13:17.035405264 +0200
> @@ -7,5 +7,6 @@
>  session  required pam_selinux.so close
>  session  required pam_selinux.so nottys open
>  session  required pam_loginuid.so
> +session  required pam_limits.so
>  @include common-session-noninteractive
>  session optional pam_systemd.so
> ---
> 
> 
> After adding pam_limits and the settings in limits.conf, the units from
> above have the expected behavior.
> 

...

> I can send a patch for /etc/pam.d/systemd-user against the systemd
> Debian package to address the issue, but I have a doubt: can this also
> be considered a bug in the upstream src/login/systemd-user.m4?
> 
> If so I will send a standalone patch which applies _before_
> debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
> will be easier to have it merged upstream.

The upstream pam config file is Redhat specific in this regard. It
includes /etc/pam.d/system-auth, which in turn has

session required  pam_limits.so

We do use common-account and common-session-noninteractive in Debian,
which do no include pam_limits.so. So I guess we will have to keep that
as a downstream change.

That said, maybe upstream could document better, which pam modules are
supposed to be included for systemd-user. If you want to file an
upstream bug report for that, this would be appreciated.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature

Bug#838191: systemd user units do not honor resource limits set in /etc/security/limits.conf

2016-09-18 Thread Antonio Ospite 
Package: systemd
Version: 231-6
Severity: normal

Dear Maintainer,

I wanted to set resource limits from a systemd _user_ unit, with:

  LimitRTPRIO=96
  LimitMEMLOCK=infinity


Raising resource limits with ulimit(3) or setrlimit(2) is a privileged
operation, however users are normally allowed to set resource limits
within the boundaries set by hard limits in /etc/security/limits.conf.

Currently this practice does not work with systemd user units.

For example, I have these settings in limits.conf:
---
*   hard  rtprio 96
*   hard  memlockunlimited
---


The output of running prlimit from a shell is as follows:
---
RESOURCE   DESCRIPTION SOFT  HARD UNITS
...
MEMLOCKmax locked-in-memory address space 65536 unlimited bytes
...
RTPRIO max real-time priority 096 
...
---


And users are able to change the soft limit with ulimit from the shell.

However "systemd --user" seems to ignore the hard limits, see the unit
below (copied to /usr/lib/systemd/user/prlimit_defaults.service):
---
[Unit]
Description=Test setting limits

[Service]
ExecStart=/usr/bin/prlimit
---


Starting the unit with "systemctl --user start prlimit_defaults.service"
results in this output:
---
Started Test setting limits.
RESOURCE   DESCRIPTION SOFT  HARD UNITS
...
MEMLOCKmax locked-in-memory address space 65536 65536 bytes
...
RTPRIO max real-time priority 0 0
...
---


The limits are ignored and of course raising them does not work either:
---
[Unit]
Description=Test setting limits

[Service]
ExecStart=/usr/bin/prlimit

# These work fine when running the unit as a system service,
# but they don't have effect when using "systemctl --user"
LimitRTPRIO=96
LimitMEMLOCK=infinity
---


After a precious suggestion by Mantas Mikulėnas (grawity in
#debian-systemd) I verified that this is happening because
/etc/pam.d/systemd-user does not load pam_limits.so.

The following change fixes the issue:
---
--- /etc/pam.d/systemd-user.orig2016-09-17 17:40:19.787522246 +0200
+++ /etc/pam.d/systemd-user 2016-09-17 15:13:17.035405264 +0200
@@ -7,5 +7,6 @@
 session  required pam_selinux.so close
 session  required pam_selinux.so nottys open
 session  required pam_loginuid.so
+session  required pam_limits.so
 @include common-session-noninteractive
 session optional pam_systemd.so
---


After adding pam_limits and the settings in limits.conf, the units from
above have the expected behavior.

The mechanism explained in systemd-user.conf(5) to set default limits
for all user units also works now; before it didn't.

For instance these values in /etc/systemd/user.conf were completely
ignored without the changes from above:
---
DefaultLimitMEMLOCK=infinity
DefaultLimitRTPRIO=96
---


I guess that too was because user.conf limits are meant to be within
some system-wide limits (see the P.S. below).

I can send a patch for /etc/pam.d/systemd-user against the systemd
Debian package to address the issue, but I have a doubt: can this also
be considered a bug in the upstream src/login/systemd-user.m4?

If so I will send a standalone patch which applies _before_
debian/Adjust-systemd-user-pam-config-file-for-Debian.patch this way it
will be easier to have it merged upstream.

Thanks,
   Antonio


P.S.

After I wrote the report above I found out that another way to solve the
problem is to set system-wide limits in /etc/systemd/system.conf (or
/lib/systemd/system.conf.d/nn_SOMETHING.conf), e.g.:

  [Manager]
  DefaultLimitMEMLOCK=65536:infinity
  DefaultLimitRTPRIO=0:96

and these limits will also apply to "systemd --user" (and so
/etc/systemd/user.conf will work too within these limits); maybe this is
even the "official" systemd way to solve the problem, but it does not
give the ability to set per-user or per-group limits, so I still think
that the report above is valid.


-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  A