[Pkg-mpd-maintainers] Bug#849726: mpd: On i686, RestrictNamespaces=yes in Systemd unit does not allow mpd to open sockets

Konstantin Khomoutov flatworm at users.sourceforge.net
Sat Dec 31 12:32:42 UTC 2016 

On Sat, 31 Dec 2016 09:29:18 +0100
Michael Biebl <biebl at debian.org> wrote:

Hi, Michael!

Thanks for cooperating!

> > After upgrading an i686 machine running mpd from Jessie to Stretch,
> > I noticed mpd won't start -- exiting with return code 1 early at
> > startup:
[...]
> > Finally this spotted the problem which is the
> > 
> >   RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
> > 
[...]
> > option.  With it being commented out, mpd starts OK.
> > So it appears you'd better comment that option as well for now of
> > ship a dedicated unit files specifically for i686 systems if this is
> > possible.
> > 
> > OTOH, upstream appears to have some developments on [1], so maybe
> > asking systemd maintainers on whether it's possible to integrate
> > some upstream fix for this seccomp issue is worthwhile.
> 
> Your analysis seems to be correct. Until systemd is fixed, you should
> not use RestrictAddressFamilies=
> 
> I'm not sure whether we will get v233 for stretch and if backporting
> those upstream fixes for v232 is feasible.

Would it be possible then to temporarily patch systemd as will be
shipped in Stretch to just fail loading the unit with a descriptive
error message if it contains the RestrictAddressFamilies directive *and*
systemd is running on a 32-bit architecture (I think we have i686 and
x32 by now)?

I mean, it's easy to patch mpd package to exclude this directive, but
people routinely use the init subsystem to host their own stuff.
I think we can clearly state that this particular feature of systemd is
currently broken on 32-bit; while that's not a big deal in itself (this
feature is not critical for the functioning of system) using it can
mysteriously and silently break your setup.  (Please note that I'm a
professional software developer who understands what syscalls are,
knows about seccomp, is able to use certain debugging tools etc; we
can't expect this level of expertise from a conventional system
administrator or hobbyist.)

Failing to execute (or otherwise load for procesing) a unit which will
exhibit this bug for sure would make the problem apparent right away
for whoever wrote (or installed from a source outside of Debian) such a
unit.

More information about the Pkg-mpd-maintainers mailing list