[pkg-lxc-devel] Bug#1073815: DynamicUser=yes systemd unit: Failed to update dynamic user credentials: Permission denied
Martin Pitt
mpitt at debian.org
Wed Jun 19 06:44:40 BST 2024
Package: lxc
Version: 1:5.0.2-1+deb12u2
I recently changed cockpit-ws' systemd unit from a static `adduser` to
`DynamicUser=yes`. This works great by and large (on Debian 12 and testing and
also all currently supported Ubuntu releases). But there's a failure when
running the autopkgtest in debci [1] -- it runs into a bug between
LXC, the kernel, and possibly seccomp.
This can be reproduced on a Debian 12 VM:
# create container as per https://ci.debian.net/doc/file.MAINTAINERS.html
apt install lxc lxc-templates
apt install -t bookworm-backports debci autopkgtest
debci setup
# start and enter container
lxc-start autopkgtest-unstable-amd64
lxc-attach -n autopkgtest-unstable-amd64 bash
# inside the container:
apt install libnss-systemd
# create and run DynamicUser unit
cat <<EOF > /lib/systemd/system/dynuser.service
[Unit]
Description=DynamicUser test
[Service]
DynamicUser=yes
User=dynuser
Group=dynuser
Type=oneshot
ExecStart=/bin/true
RemainAfterExit=yes
EOF
systemctl daemon-reload
systemctl start dynuser
systemctl status dynuser
That will fail:
× dynuser.service - DynamicUser test
Loaded: loaded (/usr/lib/systemd/system/dynuser.service; static)
Active: failed (Result: exit-code) since Wed 2024-06-19 05:21:32 UTC; 6s ago
Invocation: 587f9585324e4072920a246959a12334
Process: 229 ExecStart=/bin/true (code=exited, status=217/USER)
Main PID: 229 (code=exited, status=217/USER)
Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: Starting dynuser.service - DynamicUser test...
Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed to update dynamic user credentials: Permission denied
Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed at step USER spawning /bin/true: Permission denied
Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: dynuser.service: Main process exited, code=exited, status=217/USER
Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: dynuser.service: Failed with result 'exit-code'.
Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: Failed to start dynuser.service - DynamicUser test.
This does *not* affect Debian testing. I ran the same steps there, and it's
fine.
I worked around this in the package by deleting the DynamicUser= option and
creating a static user [2], but that's of course very intrusive -- it doesn't
test at all what's actually going to happen for real users. I manually tested
that DynamicUser= works fine *without* LXC (i.e. right on the host) on Debian
12.
Thanks,
Martin
[1] https://ci.debian.net/packages/c/cockpit/unstable/amd64/47401459/
[2] https://salsa.debian.org/utopia-team/cockpit/-/blob/master/debian/tests/smoke?ref_type=heads
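Added example, not part of Martin's report and not code from the lxc, debci or systemd projects: a small POSIX shell helper that (a) classifies `systemctl status` or journal text so the "status=217/USER ... Failed to update dynamic user credentials: Permission denied" symptom can be recognised automatically in a CI log, reports whether the current system is a container, and (b) when run as root under a running systemd, probes the live environment with a transient `DynamicUser=yes` unit via `systemd-run`. The function names and the probe unit name prefix are assumptions made for this example; the sample status text is the report's own output copied into a variable so the classifier can be exercised offline, without an LXC container.

```shell
#!/bin/sh
# Added example (not from the bug report, nor from lxc/debci/systemd): triage
# helper for the "Failed to update dynamic user credentials: Permission denied"
# failure. Function names and the probe unit name are assumptions of this example.

# Constructed sample: journal lines copied from the report above, embedded so
# the classifier can be exercised without a container or a running systemd.
SAMPLE_STATUS="× dynuser.service - DynamicUser test
Active: failed (Result: exit-code) since Wed 2024-06-19 05:21:32 UTC; 6s ago
Process: 229 ExecStart=/bin/true (code=exited, status=217/USER)
Jun 19 05:21:32 autopkgtest-unstable-amd64 (true)[229]: dynuser.service: Failed to update dynamic user credentials: Permission denied
Jun 19 05:21:32 autopkgtest-unstable-amd64 systemd[1]: dynuser.service: Failed with result 'exit-code'."

# classify_status: read systemctl status / journal text on stdin and print one
# verdict token. The most specific pattern is checked first.
classify_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'Failed to update dynamic user credentials: Permission denied'; then
    echo dynamic-user-eperm   # the failure this report is about
  elif printf '%s\n' "$out" | grep -q 'status=217/USER'; then
    echo user-step-failed     # systemd could not set up the unit's user for another reason
  elif printf '%s\n' "$out" | grep -q 'Active: active'; then
    echo ok
  else
    echo unknown
  fi
}

# in_container: "yes", "no" or "unknown", using systemd-detect-virt where present.
in_container() {
  command -v systemd-detect-virt >/dev/null 2>&1 || { echo unknown; return 0; }
  if systemd-detect-virt --container --quiet; then echo yes; else echo no; fi
}

# probe_dynamic_user: run a transient DynamicUser=yes unit and report the outcome.
# Only meaningful as root under a running systemd; otherwise prints "skipped".
probe_dynamic_user() {
  [ "$(id -u)" -eq 0 ] && [ -d /run/systemd/system ] && command -v systemd-run >/dev/null 2>&1 \
    || { echo skipped; return 0; }
  unit="dynuser-probe-$$"   # assumed unit name; --collect unloads it even on failure
  if systemd-run --quiet --wait --collect --unit="$unit" -p DynamicUser=yes /bin/true >/dev/null 2>&1; then
    echo ok
  else
    # Same path as the report: let the classifier read the unit's journal.
    journalctl -u "$unit" --no-pager 2>/dev/null | classify_status
  fi
}

# Demonstration: classify the constructed sample, then probe the live system where possible.
printf 'sample verdict: %s\n' "$(printf '%s\n' "$SAMPLE_STATUS" | classify_status)"
printf 'container: %s, live probe: %s\n' "$(in_container)" "$(probe_dynamic_user)"
```

Running this inside the affected container as root should print `container: yes, live probe: dynamic-user-eperm`, while on a Debian 12 host (where the report says `DynamicUser=` works) it prints `live probe: ok`; that pairing is the quick way to confirm whether a given CI runner is hit before deciding to drop `DynamicUser=` from a unit under test.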