NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

DynamicUser services can not access dbus since systemd 255 #297756

Open yu-re-ka opened 5 months ago

yu-re-ka commented 5 months ago

There is an issue with DynamicUser services accessing dbus since systemd 255 was merged.

old:

$ init --version
systemd 254 (254.6)
+PAM +AUDIT -SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

$ sudo systemd-run -p DynamicUser=1 --collect --pty systemctl is-system-running
Running as unit: run-u57.service
Press ^] three times within 1s to disconnect TTY.
degraded

$

new:

$ init --version
systemd 255 (255.2)
+PAM +AUDIT -SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

$ sudo systemd-run -p DynamicUser=1 --collect --pty systemctl is-system-running
Running as unit: run-u3393.service
Press ^] three times within 1s to disconnect TTY.
Failed to query system state: Transport endpoint is not connected
unknown

$ 

@NixOS/systemd

arianvp commented 5 months ago

Could you run with log level set to debug?

yu-re-ka commented 5 months ago

$ sudo systemd-run -E SYSTEMD_LOG_LEVEL=debug -p DynamicUser=1 --collect --pty systemctl is-system-running
Running as unit: run-u63.service
Press ^] three times within 1s to disconnect TTY.
Cannot stat /proc/1/root: No such file or directory
Bus n/a: changing state UNSET → OPENING
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.64 path=n/a interface=n/a member=n/a  cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=Get cookie=2 reply_cookie=0 signature=ss error-name=n/a error-message=n/a
Got message type=method_return sender=:1.3 destination=:1.64 path=n/a interface=n/a member=n/a  cookie=15023 reply_cookie=2 signature=v error-name=n/a error-message=n/a
degraded
Bus n/a: changing state RUNNING → CLOSED

$ sudo systemd-run -E SYSTEMD_LOG_LEVEL=debug -p DynamicUser=1 --collect --pty systemctl is-system-running
Running as unit: run-u3649.service; invocation ID: 7f3ad242197f4876b40cfa8fc047b1e7
Press ^] three times within 1s to disconnect TTY.
Cannot stat /proc/1/root: Permission denied
Bus n/a: changing state UNSET → OPENING
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → CLOSING
Failed to query system state: Transport endpoint is not connected
unknown
Bus n/a: changing state CLOSING → CLOSED

r-vdp commented 5 months ago

FWIW, this seems to work for me. I'm using dbus-broker, which might make a difference.

$ sudo systemd-run -E SYSTEMD_LOG_LEVEL=debug -p DynamicUser=1 --collect --pty systemctl is-system-running
Running as unit: run-u47.service
Press ^] three times within 1s to disconnect TTY.
Cannot stat /proc/1/root: Permission denied
Bus n/a: changing state UNSET → OPENING
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO       
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.48 path=n/a interface=n/a member=n/a  cookie=4294967295 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=Get cookie=2 reply_cookie=0 signature=ss error-name=n/a error-message=n/a
Got message type=method_return sender=:1.3 destination=:1.48 path=n/a interface=n/a member=n/a  cookie=6177 reply_cookie=2 signature=v error-name=n/a error-message=n/a
running
Bus n/a: changing state RUNNING → CLOSED
$ init --version
systemd 255 (255.2)
+PAM +AUDIT -SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

flokli commented 4 months ago

Peeking at the dbus NixOS module, dbus-broker seems to set LD_LIBRARY_PATH = config.system.nssModules.path, but is configured to never restart, so it also won't be able to make use of newly configured NSS modules.

It's also still trying to talk to nsncd, in addition to having a (possibly outdated) nssModules path set.

I'm currently working on teaching nsncd socket activation, I think I want to move it to DefaultDependencies=no land and start it alongside dbus-broker, hopefully alleviating some of the issues.

flokli commented 4 months ago

Apparently there's other regressions with the switch to dbus-broker too, I opened a PR with a revert for now in https://github.com/NixOS/nixpkgs/pull/307731.

SuperSandro2000 commented 4 months ago

Which ones? There is one other issue open where we have no logs and no reproducer.

alois31 commented 4 months ago

> Apparently there's other regressions with the switch to dbus-broker too, I opened a PR with a revert for now in #307731.

Given the other comments here (particularly https://github.com/NixOS/nixpkgs/issues/297756#issuecomment-2013726099) and from testing on my system, this is actually fixed by dbus-broker.

flokli commented 4 months ago

@alois31 @yu-re-ka would you be up to constructing a NixOS test for this / extending our existing set of tests? That way it'd be easy to verify where things are broken and where fixed.
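
One way to write the NixOS test asked for in the last comment, running the reproducer from the issue against both bus implementations (added example, not from the thread or from nixpkgs). The test name and the node names `classic` and `broker` are made up here, and it assumes `<nixpkgs>` resolves to the checkout under test.

```nix
# Added example: regression test for DynamicUser services talking to the
# system bus. Test and node names are made up for this example.
let
  pkgs = import <nixpkgs> { };

  # Same base config for both nodes; only the bus implementation differs.
  mkNode = implementation: { ... }: {
    services.dbus.implementation = implementation;
  };
in
pkgs.testers.runNixOSTest {
  name = "dbus-dynamicuser";

  nodes = {
    classic = mkNode "dbus";
    broker = mkNode "broker";
  };

  testScript = ''
    start_all()

    # The reproducer from the issue, with --wait --pipe instead of --pty
    # because the test driver does not provide a TTY.
    cmd = (
        "systemd-run -p DynamicUser=1 --collect --wait --pipe "
        "systemctl is-system-running 2>&1"
    )
    # Any of these states means the bus round trip to PID 1 succeeded.
    ok_states = {
        "initializing", "starting", "running",
        "degraded", "maintenance", "stopping",
    }

    for machine in [classic, broker]:
        machine.wait_for_unit("multi-user.target")
        # is-system-running exits non-zero for e.g. "degraded", so do not
        # use succeed(); inspect the printed state instead.
        _, out = machine.execute(cmd)
        print(out)
        assert "Transport endpoint is not connected" not in out, out
        assert any(line.strip() in ok_states for line in out.splitlines()), out
  '';
}
```

Build it with `nix-build` on the file; a failure on only one node shows which bus implementation is affected.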