mpd: On i686, RestrictNamespaces=yes in Systemd unit does not allow mpd to open sockets
Konstantin Khomoutov
flatworm at users.sourceforge.net
Sat Dec 31 12:32:42 GMT 2016
On Sat, 31 Dec 2016 09:29:18 +0100
Michael Biebl <biebl at debian.org> wrote:
Hi, Michael!
Thanks for cooperating!
> > After upgrading an i686 machine running mpd from Jessie to Stretch,
> > I noticed mpd won't start -- exiting with return code 1 early at
> > startup:
[...]
> > Finally this spotted the problem which is the
> >
> > RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
> >
[...]
> > option. With it being commented out, mpd starts OK.
> > So it appears you'd better comment that option as well for now of
> > ship a dedicated unit files specifically for i686 systems if this is
> > possible.
> >
> > OTOH, upstream appears to have some developments on [1], so maybe
> > asking systemd maintainers on whether it's possible to integrate
> > some upstream fix for this seccomp issue is worthwhile.
>
> Your analysis seems to be correct. Until systemd is fixed, you should
> not use RestrictAddressFamilies=
>
> I'm not sure whether we will get v233 for stretch and if backporting
> those upstream fixes for v232 is feasible.
Would it be possible then to temporarily patch systemd as will be
shipped in Stretch to just fail loading the unit with a descriptive
error message if it contains the RestrictAddressFamilies directive *and*
systemd is running on a 32-bit architecture (I think we have i686 and
x32 by now)?
I mean, it's easy to patch mpd package to exclude this directive, but
people routinely use the init subsystem to host their own stuff.
I think we can clearly state that this particular feature of systemd is
currently broken on 32-bit; while that's not a big deal in itself (this
feature is not critical for the functioning of system) using it can
mysteriously and silently break your setup. (Please note that I'm a
professional software developer who understands what syscalls are,
knows about seccomp, is able to use certain debugging tools etc; we
can't expect this level of expertise from a conventional system
administrator or hobbyist.)
Failing to execute (or otherwise load for procesing) a unit which will
exhibit this bug for sure would make the problem apparent right away
for whoever wrote (or installed from a source outside of Debian) such a
unit.
More information about the Pkg-systemd-maintainers
mailing list