[Pkg-mpd-maintainers] Bug#849726: mpd: On i686, RestrictNamespaces=yes in Systemd unit does not allow mpd to open sockets

Konstantin Khomoutov flatworm at users.sourceforge.net
Fri Dec 30 07:26:30 UTC 2016


Package: mpd
Version: 0.19.21-1
Severity: important

Hi!

After upgrading an i686 machine running mpd from Jessie to Stretch,
I noticed mpd won't start -- exiting with return code 1 early at
startup:

| Dec 30 10:16:52 jukebox systemd[1]: [/lib/systemd/system/mpd.service:25] Unknown lvalue 'RestrictNamespaces' in section 'Service'
| Dec 30 10:16:54 jukebox systemd[1]: Started Music Player Daemon.
| Dec 30 10:16:55 jukebox mpd[4936]: config_file: loading file /etc/mpd.conf
| Dec 30 10:16:55 jukebox systemd[1]: mpd.service: Main process exited, code=exited, status=1/FAILURE
| Dec 30 10:16:55 jukebox systemd[1]: mpd.service: Unit entered failed state.
| Dec 30 10:16:55 jukebox systemd[1]: mpd.service: Failed with result 'exit-code'.

Running

  /usr/bin/mpd --no-daemon -v /etc/mpd.conf

by hand as root worked OK, so I've changed the ExecStart parameter in
the Systemd unit to

  /usr/bin/strace -o /tmp/mpd.log -f /usr/bin/mpd --no-daemon -v $MPDCONF

commented out all the system protection options, then started to
uncomment them one by one -- attempting to start the unit each time
(with proper invocations of `systemctl daemon-reload` in between).

Finally this spotted the problem which is the

  RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

option.  With it being commented out, mpd starts OK.

Analyzing the strace output for relevant problems brought up several
attempts at opening sockets -- of types AF_UNIX and AF_INET.
Several of such failed attempts apparently get ignored by mpd, but the
last one actually makes it exit (silently for whatever reason) but with
the result code of 1.
The last lines of the strace's output are:

| 4938  socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
| 4938  exit_group(1)                     = ?
| 4938  +++ exited with 1 +++

and the result of grepping it for EPROTONOSUPPORT is:

| 4743  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
| 4743  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
| 4743  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
| 4743  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
| 4743  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = -1 EPROTONOSUPPORT (Protocol not supported)
| 4743  socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EPROTONOSUPPORT (Protocol not supported)


As to the essence of this bug, it rather appears to affect Systemd v232
(as shipped by Stretch) specifically on i686 systems [1].

That bug's thread mentions [2], so I've added the unstable repository
and attempted to install systemd from there via

  apt install -t unstable systemd

but it told me the package I have installed is already the newest
version, and its changelog has the following snippet:

----------------8<----------------
systemd (232-2) unstable; urgency=medium

  * Drop RestrictAddressFamilies from service files.
    RestrictAddressFamilies= is broken on 32bit architectures and causes
    various services to fail with a timeout, including
    systemd-udevd.service.
    While this might actually be a libseccomp issue, remove this option for
    now until a proper solution is found. (Closes: #843160)

 -- Michael Biebl <biebl at debian.org>  Sat, 05 Nov 2016 22:43:27 +0100
----------------8<----------------

So it appears you'd better comment that option as well for now or ship
a dedicated unit file specifically for i686 systems if this is
possible.

OTOH, upstream appears to have some developments on [1], so maybe asking
systemd maintainers on whether it's possible to integrate some upstream
fix for this seccomp issue is worthwhile.


Thanks!


1. https://github.com/systemd/systemd/issues/4575
2. https://bugs.debian.org/843160


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.8.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mpd depends on:
ii  adduser                   3.115
ii  init-system-helpers       1.46
ii  libadplug-2.2.1-0v5       2.2.1+dfsg3-0.3
ii  libao4                    1.2.2-1
ii  libasound2                1.1.2-1
ii  libaudiofile1             0.3.6-3
ii  libavahi-client3          0.6.32-1
ii  libavahi-common3          0.6.32-1
ii  libavcodec57              7:3.2.2-1
ii  libavformat57             7:3.2.2-1
ii  libavutil55               7:3.2.2-1
ii  libbz2-1.0                1.0.6-8
ii  libc6                     2.24-8
ii  libcdio-cdda1             0.83-4.2+b1
ii  libcdio-paranoia1         0.83-4.2+b1
ii  libcdio13                 0.83-4.2+b1
ii  libcurl3-gnutls           7.51.0-1
ii  libdbus-1-3               1.10.14-1
ii  libexpat1                 2.2.0-1
ii  libfaad2                  2.8.0~cvs20161113-1
ii  libflac8                  1.3.1-4
ii  libfluidsynth1            1.1.6-4
ii  libgcc1                   1:6.2.1-5
ii  libglib2.0-0              2.50.2-2
ii  libgme0                   0.6.0-4
ii  libicu57                  57.1-5
ii  libid3tag0                0.15.1b-12
ii  libiso9660-8              0.83-4.2+b1
ii  libjack0 [libjack-0.125]  1:0.125.0-2
ii  libmad0                   0.15.1b-8
ii  libmikmod3                3.3.10-1
ii  libmms0                   0.6.4-2
ii  libmodplug1               1:0.8.8.5-3
ii  libmp3lame0               1:3.99.5-dmo2
ii  libmpcdec6                2:0.1~r495-1
ii  libmpdclient2             2.9-1
ii  libmpg123-0               1.23.8-1
ii  libnfs8                   1.11.0-2
ii  libogg0                   1.3.2-1
ii  libopenal1                1:1.17.2-4
ii  libopus0                  1.1.3-1
ii  libpulse0                 9.0-5
ii  libroar2                  1.0~beta11-8
ii  libsamplerate0            0.1.8-8
ii  libshout3                 2.3.1-3
ii  libsidplayfp4             1.8.7-1
ii  libsmbclient              2:4.5.2+dfsg-2
ii  libsndfile1               1.0.27-1
ii  libsoxr0                  0.1.2-1
ii  libsqlite3-0              3.15.2-1
ii  libstdc++6                6.2.1-5
ii  libsystemd0               232-8
ii  libupnp6                  1:1.6.19+git20160116-1.2
ii  libvorbis0a               1.3.5-3
ii  libvorbisenc2             1.3.5-3
ii  libvorbisfile3            1.3.5-3
ii  libwavpack1               4.80.0-1
ii  libwildmidi2              0.4.0-2
ii  libwrap0                  7.6.q-25
ii  libyajl2                  2.1.0-2
ii  libzzip-0-13              0.13.62-3
ii  lsb-base                  9.20161125
ii  zlib1g                    1:1.2.8.dfsg-4

mpd recommends no packages.

Versions of packages mpd suggests:
pn  avahi-daemon        <none>
pn  icecast2            <none>
ii  mpc [mpd-client]    0.28-1
ii  ncmpc [mpd-client]  0.25-0.1
pn  pulseaudio          <none>

-- Configuration Files:
/etc/default/mpd changed:
MPDCONF=/etc/mpd.conf

/etc/mpd.conf [Errno 13] Permission denied: '/etc/mpd.conf'

-- no debconf information
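
The strace triage described in the report, as an added example that is not part of the original message: it counts failed socket() calls in `strace -f -o FILE` output and marks whether each address family is on the unit's RestrictAddressFamilies= allow list. The function names, verdict labels and sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise failed socket() calls
# from an `strace -f -o FILE` log read on stdin.
# Usage: socket_failures "AF_A AF_B ..." < strace.log
# Output, one line per (family, errno) pair: COUNT FAMILY ERRNO VERDICT
socket_failures() {
    awk -v allow="$1" '
    BEGIN {
        # Build a lookup set from the space-separated allow list.
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # Match: PID  socket(AF_X, ...) = -1 ESOMETHING (text)
    /socket\(AF_[A-Z0-9_]+,.*\) = -1 E[A-Z]+/ {
        fam = $0
        sub(/^.*socket\(/, "", fam)   # drop everything up to the family
        sub(/,.*$/, "", fam)          # drop the remaining arguments
        err = $0
        sub(/^.*\) = -1 /, "", err)   # drop everything up to the errno name
        sub(/ .*$/, "", err)          # drop the human-readable text
        count[fam " " err]++
    }
    END {
        for (k in count) {
            split(k, p, " ")
            # A failure for a family that IS on the allow list is the
            # symptom reported here; the policy itself should permit it.
            verdict = (p[1] in ok) ? "on-allow-list" : "not-on-allow-list"
            print count[k], p[1], p[2], verdict
        }
    }' | LC_ALL=C sort -k2,2 -k3,3
}

# Constructed sample in strace -f -o format (not a real capture).
sample_log() {
    cat <<'EOF'
4743  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
4743  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = -1 EPROTONOSUPPORT (Protocol not supported)
4743  socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EPROTONOSUPPORT (Protocol not supported)
4743  socket(AF_PACKET, SOCK_RAW, 768) = -1 EAFNOSUPPORT (Address family not supported by protocol)
4743  socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 5
4743  exit_group(1) = ?
EOF
}

# Allow list taken from the unit option quoted in the report.
sample_log | socket_failures "AF_INET AF_INET6 AF_UNIX AF_NETLINK"
```

Lines marked `on-allow-list` point at the filter rather than the policy, which is the situation the report describes for AF_UNIX and AF_INET.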


