Bug#919259: systemd: (Security?) update breaks systemd (inside unprivileged container?)

matthijs matthijs at stdin.nl
Mon Jan 14 07:22:44 GMT 2019


Package: systemd
Version: 232-25+deb9u7
Severity: important

Hi folks,

this morning, some lxc containers on my machine did an unattended upgrade from
systemd 232-25+deb9u1 to version 232-25+deb9u7. As part of that upgrade,
systemd was reexecuted, which resulted in systemd freezing:

systemd[1]: Reloading.
systemd[1]: Reexecuting.
systemd[1]: systemd 232 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +
systemd[1]: Detected virtualization lxc.
systemd[1]: Detected architecture x86-64.
systemd[1]: Failed to create /../../init.scope control group: Operation not permitted
systemd[1]: Failed to allocate manager object: Operation not permitted
systemd[1]: Freezing execution.

Looking in my logs, the last time systemd was reexecuted like this was in 2017,
and neither of the error messages shown above were present then.

This problem occurred inside all lxc containers running on the machine that
upgraded systemd. I suspect that the problem is related to running inside a
container, but the host has not upgraded systemd yet, so I cannot compare.

My containers run in unprivileged mode (e.g. without CAP_SYS_ADMIN and
others, see config below), which has caused some problems with systemd
in the past, so I suspect this is relevant in this case as well.

After the above happened, systemd froze (and is no longer reachable through
systemctl), but the systems are still running normally otherwise. I
haven't investigated more closely yet (e.g. restarting containers,
downgrading systemd, etc.), since I'm on a mobile connection now and
don't want to risk breaking it further just yet.

I looked through the changelog from deb9u1 to deb9u7, and nothing springs out
as an obvious cause. Only the last update was a security update (relating to
the journal only), so this might be caused by one of the previous non-security
updates as well (which I did not have installed yet).

I'll investigate further soon. If you have suggestions on what changes might be
causing this, I'm happy to hear them.

Gr.

Matthijs

lxc config for one container:

  lxc.utsname = login.local
  lxc.rootfs = /containers/login
  lxc.console.logfile = /var/log/lxc/login.console
  lxc.logfile = /var/log/lxc/login.log
  lxc.network.type = veth
  lxc.network.flags = up
  lxc.network.veth.pair = lxc-login
  lxc.network.name = eth0
  lxc.network.link = br-lxc
  lxc.network.ipv4 = 10.42.0.16/24
  lxc.network.ipv4.gateway = auto
  lxc.network.script.up = /etc/lxc/enable-hairpin
  lxc.tty = 4
  lxc.pts = 256
  lxc.kmsg = 0
  lxc.autodev = 1
  lxc.cgroup.devices.deny = a
  lxc.cgroup.devices.allow = c 1:3 rwm
  lxc.cgroup.devices.allow = c 1:5 rwm
  lxc.cgroup.devices.allow = c 5:1 rwm
  lxc.cgroup.devices.allow = c 5:0 rwm
  lxc.cgroup.devices.allow = c 4:0 rwm
  lxc.cgroup.devices.allow = c 4:1 rwm
  lxc.cgroup.devices.allow = c 1:9 rwm
  lxc.cgroup.devices.allow = c 1:8 rwm
  lxc.cgroup.devices.allow = c 136:* rwm
  lxc.cgroup.devices.allow = c 5:2 rwm
  lxc.cgroup.devices.allow = c 254:0 rwm
  lxc.mount.auto = proc:rw
  lxc.mount.auto = sys:rw
  lxc.mount.auto = cgroup:mixed
  lxc.mount.entry = tmpfs dev/shm tmpfs rw,nosuid,nodev,create=dir 0 0
  lxc.mount.entry = tmpfs run tmpfs rw,nosuid,nodev,mode=755,create=dir 0 0
  lxc.mount.entry = tmpfs run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,create=dir 0 0
  lxc.mount.entry = debugfs sys/kernel/debug debugfs rw,relatime 0 0
  lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir 0 0
  lxc.mount.entry = hugetlbfs dev/hugepages hugetlbfs rw,relatime,create=dir 0 0
  lxc.cap.drop = sys_module
  lxc.cap.drop = sys_rawio
  lxc.cap.drop = sys_time
  lxc.cap.drop = net_admin
  lxc.cap.drop = audit_control
  lxc.cap.drop = sys_admin

-- Package-specific info:

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (990, 'stable'), (800, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3+b1
ii  libapparmor1    2.11.0-3
ii  libaudit1       1:2.6.7-2
ii  libblkid1       2.29.2-1+deb9u1
ii  libc6           2.24-11+deb9u1
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.3-4
ii  libgcrypt20     1.7.6-2+deb9u3
ii  libgpg-error0   1.26-2
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0+snapshot20161117-6
ii  libkmod2        23-2
ii  liblz4-1        0.0~r131-2+b1
ii  liblzma5        5.2.2-1.2+b1
ii  libmount1       2.29.2-1+deb9u1
ii  libpam0g        1.1.8-3.6
ii  libseccomp2     2.3.1-2.1
ii  libselinux1     2.6-3+b3
ii  libsystemd0     232-25+deb9u7
ii  mount           2.29.2-1+deb9u1
ii  procps          2:3.3.12-3+deb9u1
ii  util-linux      2.29.2-1+deb9u1

Versions of packages systemd recommends:
ii  dbus            1.10.24-0+deb9u1
ii  libpam-systemd  232-25+deb9u7

Versions of packages systemd suggests:
pn  policykit-1        <none>
pn  systemd-container  <none>
pn  systemd-ui         <none>

Versions of packages systemd is related to:
pn  dracut           <none>
pn  initramfs-tools  <none>
pn  udev             <none>

-- no debconf information
-------------- next part --------------
[REDIRECTED] /etc/systemd/system/default.target -> /lib/systemd/system/default.target
[EXTENDED]   /lib/systemd/system/getty@.service -> /etc/systemd/system/getty@.service.d/local.conf
[EXTENDED]   /lib/systemd/system/willie.service -> /etc/systemd/system/willie.service.d/local.conf
[EXTENDED]   /lib/systemd/system/systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf
[EXTENDED]   /lib/systemd/system/systemd-timesyncd.service -> /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
[EXTENDED]   /lib/systemd/system/rc-local.service -> /lib/systemd/system/rc-local.service.d/debian.conf
[REDIRECTED] /etc/systemd/system/sigpwr.target -> /lib/systemd/system/sigpwr.target

7 overridden configuration files found.
-------------- next part --------------
Failed issue method call: Failed to activate service 'org.freedesktop.systemd1': timed out
-------------- next part --------------
==> /var/lib/systemd/deb-systemd-helper-enabled/redis-server.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/redis-server.service

==> /var/lib/systemd/deb-systemd-helper-enabled/rsync.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/rsync.service

==> /var/lib/systemd/deb-systemd-helper-enabled/avahi-daemon.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/avahi-daemon.service
/etc/systemd/system/sockets.target.wants/avahi-daemon.socket
/etc/systemd/system/dbus-org.freedesktop.Avahi.service

==> /var/lib/systemd/deb-systemd-helper-enabled/ssh.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/ssh.service
/etc/systemd/system/sshd.service

==> /var/lib/systemd/deb-systemd-helper-enabled/sshd.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/inetd.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/inetd.service

==> /var/lib/systemd/deb-systemd-helper-enabled/lxc.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/lxc.service

==> /var/lib/systemd/deb-systemd-helper-enabled/lxcfs.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/lxcfs.service

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/nullmailer.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/ssh.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/avahi-daemon.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/rsyslog.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/willie.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/inetd.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/redis-server.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/lxcfs.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/lxc.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/rsync.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/atd.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/bitlbee.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/lxc-net.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/cron.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/atd.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/atd.service

==> /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/avahi-daemon.socket <==

==> /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/bitlbee.socket <==

==> /var/lib/systemd/deb-systemd-helper-enabled/rsyslog.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/rsyslog.service
/etc/systemd/system/syslog.service

==> /var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/apt-daily-upgrade.timer <==

==> /var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/apt-daily.timer <==

==> /var/lib/systemd/deb-systemd-helper-enabled/apt-daily.timer.dsh-also <==
/etc/systemd/system/timers.target.wants/apt-daily.timer

==> /var/lib/systemd/deb-systemd-helper-enabled/bitlbee.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/bitlbee.service

==> /var/lib/systemd/deb-systemd-helper-enabled/avahi-daemon.socket.dsh-also <==
/etc/systemd/system/sockets.target.wants/avahi-daemon.socket

==> /var/lib/systemd/deb-systemd-helper-enabled/cron.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/cron.service

==> /var/lib/systemd/deb-systemd-helper-enabled/bitlbee.socket.dsh-also <==
/etc/systemd/system/sockets.target.wants/bitlbee.socket

==> /var/lib/systemd/deb-systemd-helper-enabled/apt-daily-upgrade.timer.dsh-also <==
/etc/systemd/system/timers.target.wants/apt-daily-upgrade.timer

==> /var/lib/systemd/deb-systemd-helper-enabled/syslog.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/lxc-net.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/lxc-net.service

==> /var/lib/systemd/deb-systemd-helper-enabled/dbus-org.freedesktop.Avahi.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/shutdown.target.wants/unattended-upgrades.service <==

==> /var/lib/systemd/deb-systemd-helper-enabled/unattended-upgrades.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/unattended-upgrades.service

==> /var/lib/systemd/deb-systemd-helper-enabled/ssh.socket.dsh-also <==
/etc/systemd/system/sockets.target.wants/ssh.socket

==> /var/lib/systemd/deb-systemd-helper-enabled/nullmailer.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/nullmailer.service

==> /var/lib/systemd/deb-systemd-helper-enabled/willie.service.dsh-also <==
/etc/systemd/system/multi-user.target.wants/willie.service
-------------- next part --------------
# UNCONFIGURED FSTAB FOR BASE SYSTEM
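As an added illustration (not part of the report or of the systemd or lxc projects), a Python snippet that pulls the capability and cgroup settings the reporter suspects out of an lxc config and scans journal lines for the reexec-then-freeze signature quoted above; the sample inputs are constructed from the lines in this report.

```python
import re

# Constructed sample: the journal excerpt quoted in the report.
JOURNAL = """\
systemd[1]: Reloading.
systemd[1]: Reexecuting.
systemd[1]: Detected virtualization lxc.
systemd[1]: Failed to create /../../init.scope control group: Operation not permitted
systemd[1]: Failed to allocate manager object: Operation not permitted
systemd[1]: Freezing execution.
"""

# Constructed sample: the privilege-relevant lines of the reporter's lxc config.
LXC_CONFIG = """\
lxc.mount.auto = proc:rw
lxc.mount.auto = cgroup:mixed
lxc.cap.drop = sys_module
lxc.cap.drop = sys_admin
"""

CGROUP_FAIL = re.compile(r"Failed to create (\S+) control group: (.+)$")


def container_posture(config_text):
    """Summarise dropped capabilities and the cgroup mount mode from an lxc config."""
    dropped, cgroup_mode = [], None
    for line in config_text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "lxc.cap.drop":
            dropped.append(value)
        elif key == "lxc.mount.auto" and value.startswith("cgroup"):
            cgroup_mode = value  # e.g. "cgroup:mixed", as in the report
    return {"dropped_caps": dropped, "cgroup_mode": cgroup_mode}


def reexec_freeze(journal_text):
    """Return the failed cgroup path and error when a Reexecuting -> Freezing sequence appears."""
    reexec_seen, failure = False, None
    for line in journal_text.splitlines():
        if "Reexecuting." in line:
            reexec_seen, failure = True, None   # a new reexec attempt starts
        elif reexec_seen:
            match = CGROUP_FAIL.search(line)
            if match:
                failure = {"path": match.group(1), "error": match.group(2)}
            elif "Freezing execution." in line and failure:
                return failure  # systemd froze right after the cgroup failure
    return None
```

Run the two functions against each container's config and journal to spot the same failure pattern before it is noticed through an unresponsive systemctl.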
