Hello Philip, or anyone else affected,

Accepted systemd into mantic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/systemd/253.5-1ubuntu6.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-mantic to verification-done-mantic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-mantic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: systemd (Ubuntu Mantic)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-mantic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2038894

Title:
  Ubuntu 23.10 cloud images unexpected UDP listening port  5353

Status in cloud-images:
  New
Status in systemd package in Ubuntu:
  New
Status in systemd source package in Mantic:
  Fix Committed

Bug description:
  [Impact]

  In the latest Ubuntu 23.10 cloud images we are seeing unexpected UDP
  listening port 5353.

  By default and by policy, aside from port 22 there should be no other
  open ports on Ubuntu cloud images. Listening port 5353 is a
  regression.

  [Test Plan]

  Check that port 5353 is not open, and in particular that
  systemd-resolved is not listening on 5353. This is what it looks like
  when systemd-resolved *is* listening on 5353:

  ```
  $ ss --listening --no-header --tcp --udp --numeric
  udp   UNCONN 0      0                 127.0.0.54:53         0.0.0.0:*
  udp   UNCONN 0      0              127.0.0.53%lo:53         0.0.0.0:*
  udp   UNCONN 0      0           10.154.0.17%ens4:68         0.0.0.0:*
  udp   UNCONN 0      0                  127.0.0.1:323        0.0.0.0:*
  udp   UNCONN 0      0                    0.0.0.0:5353       0.0.0.0:*
  udp   UNCONN 0      0                      [::1]:323           [::]:*
  udp   UNCONN 0      0                       [::]:5353          [::]:*
  tcp   LISTEN 0      4096           127.0.0.53%lo:53         0.0.0.0:*
  tcp   LISTEN 0      4096              127.0.0.54:53         0.0.0.0:*
  tcp   LISTEN 0      4096                       *:22               *:*
  ```

  ```
  $ sudo lsof -i -n -P
  COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
  systemd      1            root  153u  IPv6  17848      0t0  TCP *:22 (LISTEN)
  systemd-r  321 systemd-resolve   11u  IPv4  16159      0t0  UDP *:5353
  systemd-r  321 systemd-resolve   12u  IPv6  16161      0t0  UDP *:5353
  systemd-r  321 systemd-resolve   15u  IPv4  16164      0t0  UDP 127.0.0.53:53
  systemd-r  321 systemd-resolve   16u  IPv4  16165      0t0  TCP 127.0.0.53:53 (LISTEN)
  systemd-r  321 systemd-resolve   17u  IPv4  16166      0t0  UDP 127.0.0.54:53
  systemd-r  321 systemd-resolve   18u  IPv4  16167      0t0  TCP 127.0.0.54:53 (LISTEN)
  systemd-n  431 systemd-network   18u  IPv4  17227      0t0  UDP 10.154.0.17:68
  google_os  566            root    3u  IPv4  18555      0t0  TCP 10.154.0.17:60818->169.254.169.254:80 (ESTABLISHED)
  google_gu  739            root   13u  IPv4  19822      0t0  TCP 10.154.0.17:35516->169.254.169.254:80 (ESTABLISHED)
  sshd       747            root    3u  IPv6  17848      0t0  TCP *:22 (LISTEN)
  chronyd   1720         _chrony    5u  IPv4  21448      0t0  UDP 127.0.0.1:323
  chronyd   1720         _chrony    6u  IPv6  21449      0t0  UDP [::1]:323
  sshd      1761            root    4u  IPv6  22688      0t0  TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
  sshd      1882          ubuntu    4u  IPv6  22688      0t0  TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
  ```

  [Where problems could occur]

  This patch reverts a change that enables MulticastDNS=resolve by
  default in systemd. Mantic is the first release where this is done, so
  it should not break existing users. If a user does want this behavior
  back, all they need to do is override the default
  /etc/systemd/resolved.conf.
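The following script is an added example for the two points above, the [Test Plan] check that nothing is bound to UDP 5353 and the resolved.conf override mentioned under [Where problems could occur]; it is not part of the bug report or of the systemd package. It assumes the column order that `ss --no-header` prints (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and the `[Resolve]` / `MulticastDNS=` keys of resolved.conf; the sample outputs and config snippets inside it are constructed so it can run stand-alone.

```shell
#!/bin/sh
# Added example (not from the bug report or the systemd package): automates the
# SRU test plan. It counts UDP sockets bound to port 5353 in ss output and
# reports the MulticastDNS= value configured in resolved.conf. The samples at
# the bottom are constructed; pass --live to check the running host instead.

# Count UDP sockets bound to port 5353 in `ss -H -l -n -t -u` output on stdin.
# Column 5 is the local address:port, so 0.0.0.0:5353 and [::]:5353 both match.
count_mdns_sockets() {
    awk '$1 == "udp" && $5 ~ /:5353$/ { n++ } END { print n + 0 }'
}

# Print the effective MulticastDNS= value from resolved.conf text on stdin.
# Only keys inside the [Resolve] section count, comment lines (# or ;) are
# skipped, the last assignment wins, and "unset" means the compiled-in default
# applies, which is exactly the case this bug is about.
resolved_mdns_setting() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_resolve = ($0 ~ /^[[:space:]]*\[Resolve\]/); next }
        in_resolve && /^[[:space:]]*MulticastDNS[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }'
}

# Pass (exit 0) only when the given ss output contains no UDP 5353 socket.
verify_no_mdns() {
    [ "$(printf '%s\n' "$1" | count_mdns_sockets)" -eq 0 ]
}

# Constructed samples: SS_BAD mirrors the affected 23.10 image, SS_GOOD a host
# with mDNS off; CONF_STOCK leaves the key commented out, CONF_OVERRIDE is the
# kind of /etc/systemd/resolved.conf override a user could put back.
SS_BAD='udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0 0            0.0.0.0:5353   0.0.0.0:*
udp   UNCONN 0 0               [::]:5353      [::]:*
tcp   LISTEN 0 4096               *:22          *:*'
SS_GOOD='udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0 4096               *:22          *:*'
CONF_STOCK='[Resolve]
#MulticastDNS=no
#LLMNR=no'
CONF_OVERRIDE='[Resolve]
MulticastDNS=no'

# Live run against this host: sh check-mdns.sh --live
if [ "${1:-}" = "--live" ]; then
    if verify_no_mdns "$(ss --no-header --listening --numeric --tcp --udp)"; then
        echo "PASS: nothing bound to UDP 5353"
    else
        echo "FAIL: a socket is bound to UDP 5353 (see: sudo lsof -i UDP:5353 -n -P)"
    fi
    printf 'MulticastDNS= in /etc/systemd/resolved.conf: %s\n' \
        "$(resolved_mdns_setting < /etc/systemd/resolved.conf)"
fi
```

The socket count is the authoritative check: a commented-out `MulticastDNS=` line tells you nothing about the compiled-in default, which is the very thing this SRU changes, so the script reports the configured value only as context for the verification comment.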

  [Original Description]

  In the latest Ubuntu 23.10 cloud images we are seeing unexpected UDP
  listening port 5353.

  By default and by policy, aside from port 22 there should be no other
  open ports on Ubuntu cloud images. Listening port 5353 is a
  regression.

  Ubuntu 23.10 debug

  ```
  $ ss --listening --no-header --tcp --udp --numeric
  udp   UNCONN 0      0                 127.0.0.54:53         0.0.0.0:*
  udp   UNCONN 0      0              127.0.0.53%lo:53         0.0.0.0:*
  udp   UNCONN 0      0           10.154.0.17%ens4:68         0.0.0.0:*
  udp   UNCONN 0      0                  127.0.0.1:323        0.0.0.0:*
  udp   UNCONN 0      0                    0.0.0.0:5353       0.0.0.0:*
  udp   UNCONN 0      0                      [::1]:323           [::]:*
  udp   UNCONN 0      0                       [::]:5353          [::]:*
  tcp   LISTEN 0      4096           127.0.0.53%lo:53         0.0.0.0:*
  tcp   LISTEN 0      4096              127.0.0.54:53         0.0.0.0:*
  tcp   LISTEN 0      4096                       *:22               *:*
  ```

  This shows port 5353 open.

  To find out what is listening on this port:

  ```
  $ sudo lsof -i -n -P
  COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
  systemd      1            root  153u  IPv6  17848      0t0  TCP *:22 (LISTEN)
  systemd-r  321 systemd-resolve   11u  IPv4  16159      0t0  UDP *:5353
  systemd-r  321 systemd-resolve   12u  IPv6  16161      0t0  UDP *:5353
  systemd-r  321 systemd-resolve   15u  IPv4  16164      0t0  UDP 127.0.0.53:53
  systemd-r  321 systemd-resolve   16u  IPv4  16165      0t0  TCP 127.0.0.53:53 (LISTEN)
  systemd-r  321 systemd-resolve   17u  IPv4  16166      0t0  UDP 127.0.0.54:53
  systemd-r  321 systemd-resolve   18u  IPv4  16167      0t0  TCP 127.0.0.54:53 (LISTEN)
  systemd-n  431 systemd-network   18u  IPv4  17227      0t0  UDP 10.154.0.17:68
  google_os  566            root    3u  IPv4  18555      0t0  TCP 10.154.0.17:60818->169.254.169.254:80 (ESTABLISHED)
  google_gu  739            root   13u  IPv4  19822      0t0  TCP 10.154.0.17:35516->169.254.169.254:80 (ESTABLISHED)
  sshd       747            root    3u  IPv6  17848      0t0  TCP *:22 (LISTEN)
  chronyd   1720         _chrony    5u  IPv4  21448      0t0  UDP 127.0.0.1:323
  chronyd   1720         _chrony    6u  IPv6  21449      0t0  UDP [::1]:323
  sshd      1761            root    4u  IPv6  22688      0t0  TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
  sshd      1882          ubuntu    4u  IPv6  22688      0t0  TCP 10.154.0.17:22->185.202.17.195:45142 (ESTABLISHED)
  ```

  Shows that it is systemd-resolved that is listening and from
  https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html

  > The systemd-resolved service listens on the following IP ports:

  > Port 5353 on all local addresses, both IPv4 and IPv6 (0.0.0.0 and
  ::0), for MulticastDNS on UDP. Note that even though the socket is
  bound to all local interfaces via the selected "wildcard" IP
  addresses, the incoming datagrams are filtered by the network
  interface they are coming in on, and separate MulticastDNS link-local
  scopes are maintained for each, taking into consideration whether
  MulticastDNS is enabled for the interface or not.

  So listening on port 5353 is expected for systemd-resolved and
  MulticastDNS but we do not expect this to be enabled by default on
  cloud images.

  ```
  $ dpkg -l systemd
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version        Architecture Description
  +++-==============-==============-============-=================================
  ii  systemd        253.5-1ubuntu6 amd64        system and service manager
  ```

  Comparing the open ports on an Ubuntu 22.04 multipass VM

  ```
  $ ss --listening --no-header --tcp --udp --numeric
  udp   UNCONN 0      0              127.0.0.53%lo:53         0.0.0.0:*
  udp   UNCONN 0      0        10.212.201.146%ens3:68         0.0.0.0:*
  tcp   LISTEN 0      4096           127.0.0.53%lo:53         0.0.0.0:*
  tcp   LISTEN 0      128                  0.0.0.0:22         0.0.0.0:*
  tcp   LISTEN 0      128                     [::]:22            [::]:*
  ```

  ```
  $ dpkg -l systemd
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version            Architecture Description
  +++-==============-==================-============-=================================
  ii  systemd        249.11-0ubuntu3.10 amd64        system and service manager
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/2038894/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp