Discussion:
permissions issues in systemd machine
arnaud gaboury
2017-07-19 09:55:22 UTC
Here is my environment:
Linux kernel 4.11.3 with user namespaces set to YES

% systemctl --version
systemd 233
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid

% machinectl list
MACHINE CLASS SERVICE OS VERSION ADDRESSES
poppy container systemd-nspawn fedora 26 192.168.1.94...

% machinectl show poppy
Name=poppy
Id=59b720b533834a4eafe07a62c2482266
Timestamp=Wed 2017-07-12 22:07:15 CEST
TimestampMonotonic=6928076
Service=systemd-nspawn
Unit=systemd-nspawn@poppy.service
Leader=648
Class=container
RootDirectory=/var/lib/machines/poppy
State=running

Now first issue:
------------------

On container
% systemctl status user@1000.service
● user@1000.service - User Manager for UID 1000
Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
Active: failed (Result: protocol) since Wed 2017-07-19 01:59:29 CEST; 9h ago
Main PID: 264 (code=exited, status=237/KEYRING)

Jul 19 01:59:29 thetradinghall.com systemd[1]: Starting User Manager for UID 1000...
Jul 19 01:59:29 thetradinghall.com systemd[264]: user@1000.service: Failed at step KEYRING spawning /usr/lib/systemd/systemd: Permission denied
Jul 19 01:59:29 thetradinghall.com systemd[1]: Failed to start User Manager for UID 1000.
Jul 19 01:59:29 thetradinghall.com systemd[1]: user@1000.service: Unit entered failed state.
Jul 19 01:59:29 thetradinghall.com systemd[1]: user@1000.service: Failed with result 'protocol'.

Everything looks OK when running the systemd binary outside the unit file:
% ls -al /usr/lib/systemd/systemd
-rwxr-xr-x 1 root root 1.2M Jun 27 23:49 /usr/lib/systemd/systemd*
% /usr/lib/systemd/systemd --v
systemd 233
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
default-hierarchy=hybrid

Can anyone give me some hints why the unit file screams Permission denied?

Second issue:
-----------------

on host: $ mkdir ~/share ; $ touch ~/share/toto
on container: $ mkdir ~/share

I start the container with unit file:
% cat /etc/systemd/system/systemd-nspawn@.service.d/override.conf

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 -U --settings=override --machine=%i --bind-ro=/home/gabx --bind=/home/gabx/share:/home/poisonivy/share

Now on container:
% ls -al share
total 4.0K
drwxr-xr-x 2 nobody nobody 4.0K Jul 19 01:59 ./
drwx------ 1 poisonivy poisonivy 786 Jul 19 01:46 ../
-rw-r--r-- 1 nobody nobody 0 Jul 19 01:59 toto

Why this nobody? I see this behavior a lot in my container. Example:

$ ls -al /proc
.......................
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 devices
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 diskstats
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 dma
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 execdomains
-r--r--r-- 1 nobody nobody 0 Jul 19 11:47 fb
.........................

When looking at these folders from the host:
# ls -al $POPPY/home/poisonivy/share
total 0
drwxrwxr-x 1 vu-poppy-1000 vg-poppy-1000 0 Jul 19 01:46 ./
drwx------ 1 vu-poppy-1000 vg-poppy-1000 786 Jul 19 01:46 ../
Please note that the file toto is not seen.

Same user:group for /proc

This certainly comes from the user namespace being set in the kernel. How can I
deal with nobody, as I can't change it?
***@thetradinghall ➀➀ ~ % chown poisonivy:poisonivy share
chown: changing ownership of 'share': Operation not permitted


Thank you for help/hints with these permission issues. It is starting to be
difficult to run my container properly.
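The "nobody" ownership seen in the post is the kernel's view of uids that the container's user namespace (created by `-U`) has no mapping for. The following is an added example, not code from the post or from systemd: it parses the `/proc/<pid>/uid_map` format and translates uids in both directions the way the kernel does, so you can check which host owners a container will see as nobody. The uid range base (1245184) is a constructed placeholder, not the range the poster's host chose.

```python
"""Translate uids across a user-namespace boundary as the kernel does.

/proc/<pid>/uid_map (and gid_map) holds one mapping per line:
    <id inside the namespace> <id in the parent namespace> <range length>
An id outside every range is shown as the overflow id (65534 by default,
/proc/sys/kernel/overflowuid), which nss reports as "nobody".
"""
from typing import List, Optional, Tuple

OVERFLOW_ID = 65534  # kernel default for /proc/sys/kernel/overflowuid

# Constructed sample of what /proc/<leader>/uid_map might contain for a
# "systemd-nspawn -U" container. The base 1245184 (19 * 65536) is a
# placeholder, not the real range chosen on the poster's host.
SAMPLE_UID_MAP = "         0    1245184      65536\n"


def parse_id_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside, outside, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # tolerate blank or malformed lines
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def outside_to_inside(uid: int, id_map: List[Tuple[int, int, int]]) -> int:
    """Host (parent-namespace) uid as seen from inside the container."""
    for inside, outside, length in id_map:
        if outside <= uid < outside + length:
            return inside + (uid - outside)
    return OVERFLOW_ID  # unmapped on the host side: shows up as "nobody"


def inside_to_outside(uid: int, id_map: List[Tuple[int, int, int]]) -> Optional[int]:
    """Container uid as seen from the host; None if the container has no such uid."""
    for inside, outside, length in id_map:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return None


if __name__ == "__main__":
    id_map = parse_id_map(SAMPLE_UID_MAP)
    # host uid 1000 (gabx) owns ~/share/toto and host root owns /proc
    # entries; neither is mapped into "poppy", so both appear as nobody
    print(outside_to_inside(1000, id_map), outside_to_inside(0, id_map))
    # container user poisonivy (uid 1000) is host uid base + 1000, which
    # nss-mymachines names vu-poppy-1000
    print(inside_to_outside(1000, id_map))
```

The same arithmetic explains the failing chown: the file's owner has no mapping inside the namespace, so the kernel refuses any ownership change from within the container.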
