[Bug 1732411] Re: On upgrade, daemon-reexec should only be issued if safe
Stéphane Graber
stgraber at stgraber.org
Tue Dec 12 21:24:01 UTC 2017
Marking the lxc task as invalid since LXC does not drop any such
capabilities by default, so such a failure isn't lxc's fault. It's either
the user's fault (by dropping capabilities that Ubuntu/Debian consider
required) or the systemd package's fault (for not doing a capability
check).
** Changed in: lxc (Ubuntu)
Status: New => Invalid
https://bugs.launchpad.net/bugs/1732411
Title:
On upgrade, daemon-reexec should only be issued if safe
Status in lxc package in Ubuntu:
Invalid
Status in systemd package in Ubuntu:
New
Bug description:
Dear all,
Following up on bug report #1713674, when executing systemd in a
hardened LXC context, it might not be suitable to reexec the systemd
daemon, which would not be able to perform.
For instance, in our LXC, we drop several capabilities, including
sys_admin, and we set /sys to read-only (in which systemd will find
its cgroups). This means systemd cannot be reexecuted: it will fail
to restart and will freeze (properly) at restart, leaving the LXC
container in a frozen state (still working, but no new services
startable, no interaction with systemd possible anymore).
When upgrading systemd, the Debian package, as postinst, will always
attempt to reexecute systemd, possibly breaking every other upgrade
where a daemon restart is made in postinst, and leaving the system in
a degraded state.
It would likely be appropriate to check whether the reexecute can
work before performing it: checking capabilities, /sys mount point
perms, etc. If not applicable, not performing a reexecute and possibly
printing a message to the user.
Occurs with Ubuntu Xenial 16.04.3 LTS and systemd 229-4ubuntu21.
Cheers
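The preflight check the reporter asks for, written out as an added example (this is not code from the bug report, the systemd package or LXC). It reads a /proc/PID/status-style file and a /proc/mounts-style file, which are passed in as arguments so the check can be exercised on constructed inputs; in a real postinst the arguments would be /proc/1/status (or /proc/self/status) and /proc/mounts. The CAP_SYS_ADMIN bit number comes from linux/capability.h; the function names and the sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example: decide whether "systemctl daemon-reexec" is worth attempting,
# based on the two conditions named in the bug report (CAP_SYS_ADMIN present
# in the bounding set, /sys mounted read-write). Not from the systemd package.

# CAP_SYS_ADMIN is capability bit 21 in linux/capability.h.
CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin STATUS_FILE
# Parses the CapBnd (bounding set) hex mask from a /proc/<pid>/status-style
# file. Returns 0 if CAP_SYS_ADMIN is in the bounding set, 1 if it has been
# dropped, 2 if no CapBnd line was found.
has_cap_sys_admin() {
    capbnd=$(awk '/^CapBnd:/ {print $2}' "$1")
    [ -n "$capbnd" ] || return 2
    # Shell arithmetic accepts the 0x prefix, so the mask can be tested directly.
    bit=$(( (0x$capbnd >> CAP_SYS_ADMIN_BIT) & 1 ))
    [ "$bit" -eq 1 ]
}

# sys_is_writable MOUNTS_FILE
# Finds the mount options of /sys in a /proc/mounts-style file. Returns 0 if
# the (last) /sys mount is read-write, 1 if it carries "ro", 2 if /sys is not
# mounted at all.
sys_is_writable() {
    opts=$(awk '$2 == "/sys" {print $4}' "$1" | tail -n 1)
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 1 ;;
        *)      return 0 ;;
    esac
}

# reexec_is_safe STATUS_FILE MOUNTS_FILE
# Both conditions must hold; either failure means a re-exec would hang as
# described in the report, so the caller should skip it and say so.
reexec_is_safe() {
    has_cap_sys_admin "$1" && sys_is_writable "$2"
}

# Constructed sample inputs (not captured from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Full bounding set, as on an unconfined host.
printf 'Name:\tsystemd\nCapBnd:\t0000003fffffffff\n' > "$tmp/status_full"
# Same mask with bit 21 (CAP_SYS_ADMIN) cleared, as in a hardened container.
printf 'Name:\tsystemd\nCapBnd:\t0000003fffdfffff\n' > "$tmp/status_nosysadmin"
printf 'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n' > "$tmp/mounts_rw"
printf 'sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n' > "$tmp/mounts_ro"

# How a maintainer script would use the check.
if reexec_is_safe "$tmp/status_full" "$tmp/mounts_rw"; then
    echo "preflight OK: would run systemctl daemon-reexec"
fi
if ! reexec_is_safe "$tmp/status_nosysadmin" "$tmp/mounts_ro"; then
    echo "preflight failed: skipping daemon-reexec, systemd could not re-exec here"
fi
```

The two checks are deliberately separate so the message printed to the user can name which condition failed; a stricter deployment could extend `has_cap_sys_admin` to the other capabilities it knows are dropped, since the bounding-set mask test is the same for any bit.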