Bug#966098: systemd: 'systemctl status' reports "access denied" after upgrade

Dima Kogan dkogan at debian.org
Sat Aug 1 05:53:18 BST 2020


Michael Biebl <biebl at debian.org> writes:

> Control: tags -1 + moreinfo unreproducible
>
> Am 23.07.20 um 03:13 schrieb Dima Kogan:
>> Package: systemd
>> Version: 245.6-3
>> Severity: grave
>> X-Debbugs-Cc: none, Dima Kogan <dkogan at debian.org>
>> 
>> Hi. I'm running Debian/sid. Updating all the packages on my system put
>> apt into a broken state:
>> 
>
> 239-15 is from 2 years ago.
> Why was systemd kept at version 239-15?

This is a laptop that I don't use very much. I guess I haven't done a
full-system update on it for a while. This was an "apt upgrade" not a
"dist-upgrade". This is sid.


> Is this inside a container?

No


> Is something like SELinux active?

I don't think so? I never purposely enabled it.


Alright. So I'm now at a state where apt is happy, the system is
up-to-date, except the systemd packages, which are old. I can get into a
similar broken state as before, but not identical by trying to upgrade,
installing these:

  libnss-systemd_245.6-3_amd64.deb
  libudev1_245.6-3_amd64.deb
  systemd-timesyncd_245.6-3_amd64.deb
  libsystemd0_245.6-3_amd64.deb
  udev_245.6-3_amd64.deb
  libpam-systemd_245.6-3_amd64.deb
  systemd-sysv_245.6-3_amd64.deb
  systemd_245.6-3_amd64.deb

It says this:

  dima at snarky:~/systemd-debugging$ sudo dpkg -i *245*

  (Reading database ... 208119 files and directories currently installed.)
  Preparing to unpack libnss-systemd_245.6-3_amd64.deb ...
  Unpacking libnss-systemd:amd64 (245.6-3) over (245.6-3) ...
  Preparing to unpack libpam-systemd_245.6-3_amd64.deb ...
  Unpacking libpam-systemd:amd64 (245.6-3) over (245.6-3) ...
  Preparing to unpack libsystemd0_245.6-3_amd64.deb ...
  Unpacking libsystemd0:amd64 (245.6-3) over (245.6-3) ...
  Preparing to unpack libudev1_245.6-3_amd64.deb ...
  Unpacking libudev1:amd64 (245.6-3) over (245.6-3) ...
  Preparing to unpack systemd-sysv_245.6-3_amd64.deb ...
  Unpacking systemd-sysv (245.6-3) over (245.6-3) ...
  Preparing to unpack systemd-timesyncd_245.6-3_amd64.deb ...
  Unpacking systemd-timesyncd (245.6-3) over (245.6-3) ...
  Failed to reload daemon: Access denied
  Preparing to unpack systemd_245.6-3_amd64.deb ...
  Unpacking systemd (245.6-3) over (245.6-3) ...
  Preparing to unpack udev_245.6-3_amd64.deb ...
  Unpacking udev (245.6-3) over (245.6-3) ...
  Setting up libsystemd0:amd64 (245.6-3) ...
  Setting up libudev1:amd64 (245.6-3) ...
  Setting up udev (245.6-3) ...
  Failed to reload daemon: Access denied
  Failed to reload daemon: Access denied
  Failed to retrieve unit state: Access denied
  Failed to restart udev.service: Access denied
  See system logs and 'systemctl status udev.service' for details.
  invoke-rc.d: initscript udev, action "restart" failed.
  Failed to get properties: Access denied
  dpkg: error processing package udev (--install):
   installed udev package post-installation script subprocess returned error exit status 4
  Setting up systemd-timesyncd (245.6-3) ...
  Failed to preset unit: Access denied
  /usr/bin/deb-systemd-helper: error: systemctl preset failed on systemd-timesyncd.service: No such file or directory
  Failed to reload daemon: Access denied
  Failed to get unit file state for systemd-timesyncd.service: Access denied
  Failed to retrieve unit state: Access denied
  systemd-timesyncd.service is a disabled or a static unit not running, not starting it.
  Setting up systemd (245.6-3) ...
  Failed to reload daemon: Access denied
  Failed to try-restart systemd-networkd.service: Access denied
  See system logs and 'systemctl status systemd-networkd.service' for details.
  Failed to try-restart systemd-resolved.service: Access denied
  See system logs and 'systemctl status systemd-resolved.service' for details.
  Failed to try-restart systemd-journald.service: Access denied
  See system logs and 'systemctl status systemd-journald.service' for details.
  Setting up libnss-systemd:amd64 (245.6-3) ...
  Setting up systemd-sysv (245.6-3) ...
  Setting up libpam-systemd:amd64 (245.6-3) ...
  Processing triggers for libc-bin (2.31-1) ...
  Processing triggers for man-db (2.9.3-2) ...
  Processing triggers for dbus (1.12.20-1) ...
  Processing triggers for initramfs-tools (0.137) ...
  update-initramfs: Generating /boot/initrd.img-5.7.0-1-amd64
  Errors were encountered while processing:
   udev

At this point udev is broken, and I can't fix it without downgrading:

  dima at snarky:~/systemd-debugging$ dpkg -l | grep 245

  ii  libnss-systemd:amd64                 245.6-3                                      amd64        nss module providing dynamic user and group name resolution
  ii  libpam-systemd:amd64                 245.6-3                                      amd64        system and service manager - PAM module
  ii  libsystemd0:amd64                    245.6-3                                      amd64        systemd utility library
  ii  libudev1:amd64                       245.6-3                                      amd64        libudev shared library
  ii  systemd                              245.6-3                                      amd64        system and service manager
  ii  systemd-sysv                         245.6-3                                      amd64        system and service manager - SysV links
  ii  systemd-timesyncd                    245.6-3                                      amd64        minimalistic service to synchronize local time with NTP servers
  iF  udev                                 245.6-3                                      amd64        /dev/ and hotplug management daemon


  dima at snarky:~/systemd-debugging$ sudo dpkg -i udev_245.6-3_amd64.deb 

  (Reading database ... 208119 files and directories currently installed.)
  Preparing to unpack udev_245.6-3_amd64.deb ...
  Unpacking udev (245.6-3) over (245.6-3) ...
  Setting up udev (245.6-3) ...
  Failed to reload daemon: Access denied
  Failed to reload daemon: Access denied
  Failed to retrieve unit state: Access denied
  Failed to restart udev.service: Access denied
  See system logs and 'systemctl status udev.service' for details.
  invoke-rc.d: initscript udev, action "restart" failed.
  Failed to get properties: Access denied
  dpkg: error processing package udev (--install):
   installed udev package post-installation script subprocess returned error exit status 4
  Processing triggers for initramfs-tools (0.137) ...
  update-initramfs: Generating /boot/initrd.img-5.7.0-1-amd64
  Processing triggers for systemd (245.6-3) ...
  Failed to reload daemon: Access denied
  Processing triggers for man-db (2.9.3-2) ...
  Errors were encountered while processing:
   udev

I can ask for the udev.service status, but NOT the networkd status:

  dima at snarky:~/systemd-debugging$ systemctl status udev.service                 

  Warning: The unit file, source configuration file or drop-ins of systemd-udevd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
  * systemd-udevd.service - udev Kernel Device Manager
       Loaded: loaded (/lib/systemd/system/systemd-udevd.service; static; vendor preset: enabled)
       Active: active (running) since Fri 2020-07-31 21:20:25 PDT; 6min ago
  TriggeredBy: * systemd-udevd-kernel.socket
               * systemd-udevd-control.socket
         Docs: man:systemd-udevd.service(8)
               man:udev(7)
     Main PID: 26054 (systemd-udevd)
       Status: "Processing with 16 children at max"
        Tasks: 1
       Memory: 2.2M
       CGroup: /system.slice/systemd-udevd.service
               `-26054 /lib/systemd/systemd-udevd

  dima at snarky:~/systemd-debugging$ sudo systemctl status systemd-networkd.service
  Failed to get properties: Access denied

Not entirely clear why not. The systemctl process sends some stuff to
PID 1 on /run/systemd/private, and PID 1 barfs:

  14952 connect(3, {sa_family=AF_UNIX, sun_path="/run/systemd/private"}, 23) = 0
  14952 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0
  14952 getsockopt(3, SOL_SOCKET, SO_PEERSEC, 0x563b9ca093b0, [64]) = -1 ENOPROTOOPT (Protocol not available)
  14952 getsockopt(3, SOL_SOCKET, SO_PEERGROUPS, 0x563b9ca09400, [256->0]) = 0
  14952 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
  14952 getsockopt(3, SOL_SOCKET, SO_ACCEPTCONN, [0], [4]) = 0
  14952 getsockname(3, {sa_family=AF_UNIX}, [128->2]) = 0
  14952 sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0AUTH EXTERNAL\r\nDATA\r\n", iov_len=22}, {iov_base="NEGOTIATE_UNIX_FD\r\n", iov_len=19}, {iov_base="BEGIN\r\n", iov_len=7}], msg_iovlen=3, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 48
  14952 getsockopt(3, SOL_SOCKET, SO_PEERCRED, {pid=1, uid=0, gid=0}, [12]) = 0
  14952 recvmsg(3,  <unfinished ...>
  ...
  14952 <... recvmsg resumed>{msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="REJECTED EXTERNAL ANONYMOUS\r\nERROR\r\nERROR\r\nERROR\r\n", iov_len=256}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) = 50

>From PID 1's point of view (next invocation)

  recvmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0AUTH EXTERNAL\r\nDATA\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", iov_len=256}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) = 48
  epoll_ctl(4, EPOLL_CTL_ADD, 12, {0, {u32=3684448528, u64=94643288815888}}) = 0
  getrandom("\x35\x4a\x14\x46\x98\x60\x9c\x56\x54\xa6\x5b\x26\x83\x12\x5d\x34", 16, GRND_NONBLOCK) = 16
  getrandom("\x92\x5a\xa0\xb2\x0e\x85\xef\xcc\x2b\x1a\x50\x24\x3c\x5b\x5f\x17", 16, GRND_NONBLOCK) = 16
  getrandom("\xe2\x04\x24\x86\x39\xf8\x6b\xd6\x0e\x9d\x15\xd5\x4d\xb5\x3a\xbf", 16, GRND_NONBLOCK) = 16
  getrandom("\xd3\x2e\xc1\x87\x40\x5e\xae\x4a\x35\x4a\xf5\x01\x16\x50\xe1\x0b", 16, GRND_NONBLOCK) = 16
  getrandom("\x70\x2c\xbb\x0e\xf5\x39\x82\x59\x21\x1c\xeb\x7a\x33\x71\xac\xd9", 16, GRND_NONBLOCK) = 16
  getrandom("\xf0\x6c\x31\x35\xb7\x16\xfb\x41\x30\xf5\x31\xc6\x3d\x35\xfe\x89", 16, GRND_NONBLOCK) = 16
  getrandom("\xa2\xb0\x7c\xc1\x6b\x6d\x3c\x0b\xd3\xd3\x66\xaa\xba\x8a\x0c\x59", 16, GRND_NONBLOCK) = 16
  getrandom("\x37\xc1\x9d\x3e\x8b\xde\x69\x6a\x95\x6b\xa2\xdb\x85\xcd\x55\x87", 16, GRND_NONBLOCK) = 16
  getrandom("\xc8\x78\xf1\x00\x7a\x88\xc1\xb1\xce\xd4\xc0\x41\x31\x7e\xca\x8b", 16, GRND_NONBLOCK) = 16
  getrandom("\xbb\x4d\x6d\xaa\xd0\xc1\x7d\xd4\x0f\xa6\x07\xb0\xda\x0a\xb3\x40", 16, GRND_NONBLOCK) = 16
  getrandom("\x7e\xc6\x5d\x7f\x47\x6f\x02\x97\xc2\x17\x5d\xd8\xc1\x9d\x25\x7e", 16, GRND_NONBLOCK) = 16
  getrandom("\x49\xb9\x5a\xeb\x92\xb5\xaa\x5f\x06\xec\x2b\xbd\x6e\xba\x07\xe8", 16, GRND_NONBLOCK) = 16
  getrandom("\x9f\x45\xaa\x00\xa3\xb1\xa3\x56\xb1\xac\xc9\x4e\x73\xe4\x57\x15", 16, GRND_NONBLOCK) = 16
  epoll_ctl(4, EPOLL_CTL_MOD, 12, {EPOLLIN|EPOLLOUT, {u32=3684448528, u64=94643288815888}}) = 0
  epoll_wait(4, [{EPOLLOUT, {u32=3684448528, u64=94643288815888}}], 55, -1) = 1
  sendmsg(12, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="REJECTED EXTERNAL ANONYMOUS\r\nERROR\r\nERROR\r\nERROR\r\n", iov_len=50}, {iov_base=NULL, iov_len=0}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 50

Downgrading fixes it. And I can reproduce this sequence.


> If 245.6-3 does not work, what is the latest version that works (you
> can get them via snapshots.d.o)?

I haven't yet run this experiment.


> Does it make a difference if you install policykit-1 or not?

It is not installed. Should it be? Which version?

> Can you provide a journalctl -alb output from such a failing system.

There're some errors and/or warnings in there, but none during/after the
failing attempted upgrade. After the upgrades there're a number of
"dbus-daemon: Reloaded configuration" lines. Do you want more of this?

Thanks for the replies



More information about the Pkg-systemd-maintainers mailing list