Failed to set up credentials: Protocol error with systemd 254

[jtojnar]

Describe the bug

After bumping systemd from 253.6 to 254.3, a oneshot service using credentials no longer starts:

Oct 01 12:15:59 azazel systemd[1]: Starting Wallabag install service...
Oct 01 12:15:59 azazel (ll-start)[519003]: wallabag-install.service: Failed to set up credentials: Protocol error
Oct 01 12:15:59 azazel (ll-start)[519003]: wallabag-install.service: Failed at step CREDENTIALS spawning /nix/store/mlwk9kpwsvq82phwcwcq42da0giwsypr-unit-script-wallabag-install-start/bin/wallabag-install-start: Protocol error
Oct 01 12:16:00 azazel systemd[1]: wallabag-install.service: Main process exited, code=exited, status=243/CREDENTIALS
Oct 01 12:16:00 azazel systemd[1]: wallabag-install.service: Failed with result 'exit-code'.
Oct 01 12:16:00 azazel systemd[1]: Failed to start Wallabag install service.

Steps To Reproduce

Trying to switch to a configuration with this service: https://github.com/jtojnar/nixfiles/blob/384248379d6d6a8bddbc6f8334ecbea886671483/hosts/azazel/ogion.cz/bag/default.nix#L201-L204

wallabag-install.service

[Unit]
After=postgresql.service
Before=phpfpm-bag.service
Description=Wallabag install service

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/23j503pfa2gvdi4hgldsqkwzg80bdicn-glibc-locales-2.37-8/lib/locale/locale-archive"
Environment="PATH=/nix/store/y9gr7abwxvzcpg5g73vhnx1fpssr5frr-coreutils-9.3/bin:/nix/store/ysdsy30i42qbm0d4sl0illn52bam46rk-php-with-extensions-8.2.10/bin:/nix/store/binxgxrbqm8bavili2kr7vy1s2257mzv-composer-2.6.3/bin:/nix/store/y9gr7abwxvzcpg5g73vhnx1fpssr5frr-coreutils-9.3/bin:/nix/store/b6izr8wh0p7dyvh3cyg14wq2rn8d31ik-findutils-4.9.0/bin:/nix/store/xafzciap7acqhfx84dvqkp18bg4lrai3-gnugrep-3.11/bin:/nix/store/x23by79p38ll0js1alifmf3y56vqfs49-gnused-4.9/bin:/nix/store/1zmmnm0r0bdga398rl7fc7s4hkyqxjk4-systemd-254.3/bin:/nix/store/y9gr7abwxvzcpg5g73vhnx1fpssr5frr-coreutils-9.3/sbin:/nix/store/ysdsy30i42qbm0d4sl0illn52bam46rk-php-with-extensions-8.2.10/sbin:/nix/store/binxgxrbqm8bavili2kr7vy1s2257mzv-composer-2.6.3/sbin:/nix/store/y9gr7abwxvzcpg5g73vhnx1fpssr5frr-coreutils-9.3/sbin:/nix/store/b6izr8wh0p7dyvh3cyg14wq2rn8d31ik-findutils-4.9.0/sbin:/nix/store/xafzciap7acqhfx84dvqkp18bg4lrai3-gnugrep-3.11/sbin:/nix/store/x23by79p38ll0js1alifmf3y56vqfs49-gnused-4.9/sbin:/nix/store/1zmmnm0r0bdga398rl7fc7s4hkyqxjk4-systemd-254.3/sbin"
Environment="TZDIR=/nix/store/dk5vk3c9zknbjzzxmiglzv46qgv32gb0-tzdata-2023c/share/zoneinfo"



CacheDirectory=wallabag
CacheDirectoryMode=700
ConfigurationDirectory=wallabag
ExecStart=/nix/store/mlwk9kpwsvq82phwcwcq42da0giwsypr-unit-script-wallabag-install-start/bin/wallabag-install-start 
LoadCredential=secret:/run/agenix/bag.ogion.cz-secret
LogsDirectory=wallabag
StateDirectory=wallabag
StateDirectoryMode=700
Type=oneshot
User=bag

More minimal steps TBD.

I tried building a minimal configuration in a VM but it worked there.

Expected behavior

The service should start without issue as before.

Additional context

I am using LoadCredential with agenix path owned by the user service:

$ ls -la /run/agenix/bag.ogion.cz-secret
-r-------- 1 bag bag 49 Oct  1 12:38 /run/agenix/bag.ogion.cz-secret

It fails with store path as well.

There are some credentials-related changes in 254: https://github.com/systemd/systemd/blob/174e8e9897c2d1c8b2c8324f07a6c784d7127410/NEWS#L304-L309

Notify maintainers

Metadata

This is running on VPSAdminOS so maybe there is something weird going on.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
- system: `"x86_64-linux"`
 - host os: `Linux 6.5.4, NixOS, 23.11 (Tapir), 23.11.20230927.eb9b1d1`
 - multi-user?: `no`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.15.1`
 - channels(jtojnar): `""`
 - channels(root): `""`
 - nixpkgs: `not found`

[ElvishJerricco]

Can you try this with systemd's log_level set to debug? Either boot with systemd.log_level=debug, or run systemctl log-level debug before starting the service.

[jtojnar]

I also tried applying the patch below to find out where it returns:

Oct 01 17:53:15 azazel (sd-mkdcre[540246]: Mounting ramfs (ramfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_NOSYMFOLLOW "mode=0700")...
Oct 01 17:53:15 azazel (sd-mkdcre[540246]: Failed to mount ramfs (type ramfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_NOSYMFOLLOW "mode=0700"): Permission denied
Oct 01 17:53:15 azazel (sd-mkdcre[540246]: Mounting tmpfs (tmpfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_NOSYMFOLLOW "mode=0700,nr_inodes=1024,size=1048576")...
Oct 01 17:53:15 azazel (sd-mkdcre[540246]: Changing mount flags /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND "")...
Oct 01 17:53:15 azazel (sd-mkdcre[540246]: Failed to mount n/a (type n/a) on /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND ""): Permission denied
Oct 01 17:53:15 azazel (sd-mkdcre[540246]: setup_credentials_internal: return 10: -13
Oct 01 17:53:15 azazel (ll-start)[540229]: (sd-mkdcreds) failed with exit status 1.
Oct 01 17:53:15 azazel (ll-start)[540229]: return setup_credentials 7: -71
Oct 01 17:53:15 azazel (ll-start)[540229]: wallabag-install.service: Failed to set up credentials: Protocol error
Oct 01 17:53:15 azazel (ll-start)[540229]: wallabag-install.service: Failed at step CREDENTIALS spawning /nix/store/mlwk9kpwsvq82phwcwcq42da0giwsypr-unit-script-wallabag-install-start/bin/wallabag-install-start: Protocol error

This is the line where EPROTO is returned:

https://github.com/systemd/systemd/blob/v254/src/core/execute.c#L3501

Debug patch

diff --git a/src/core/execute.c b/src/core/execute.c
index 9dafdffa08..1035d2904b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3333,7 +3333,7 @@ static int setup_credentials_internal(
         if (reuse_workspace) {
                 r = path_is_mount_point(workspace, NULL, 0);
                 if (r < 0)
-                        return r;
+                        {log_error("setup_credentials_internal: return 1: %d\n", r); return r;}
                 if (r > 0)
                         workspace_mounted = true; /* If this is already a mount, and we are supposed to reuse it, let's keep this in mind */
                 else
@@ -3343,7 +3343,7 @@ static int setup_credentials_internal(
 
         r = path_is_mount_point(final, NULL, 0);
         if (r < 0)
-                return r;
+                {log_error("setup_credentials_internal: return 2: %d\n", r); return r;}
         if (r > 0) {
                 /* If the final place already has something mounted, we use that. If the workspace also has
                  * something mounted we assume it's actually the same mount (but with MS_RDONLY
@@ -3357,11 +3357,11 @@ static int setup_credentials_internal(
 
                         r = mount_nofollow_verbose(LOG_DEBUG, final, workspace, NULL, MS_BIND|MS_REC, NULL);
                         if (r < 0)
-                                return r;
+                                {log_error("setup_credentials_internal: return 3: %d\n", r); return r;}
 
                         r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|credentials_fs_mount_flags(/* ro= */ false), NULL);
                         if (r < 0)
-                                return r;
+                                {log_error("setup_credentials_internal: return 4: %d\n", r); return r;}
 
                         workspace_mounted = true;
                 }
@@ -3377,11 +3377,11 @@ static int setup_credentials_internal(
                         r = mount_nofollow_verbose(LOG_DEBUG, final, workspace, NULL, MS_BIND|MS_REC, NULL);
                         if (r < 0) {
                                 if (!ERRNO_IS_PRIVILEGE(r)) /* Propagate anything that isn't a permission problem */
-                                        return r;
+                                        {log_error("setup_credentials_internal: return 5: %d\n", r); return r;}
 
                                 if (must_mount) /* If we it's not OK to use the plain directory
                                                  * fallback, propagate all errors too */
-                                        return r;
+                                        {log_error("setup_credentials_internal: return 6: %d\n", r); return r;}
 
                                 /* If we lack privileges to bind mount stuff, then let's gracefully
                                  * proceed for compat with container envs, and just use the final dir
@@ -3392,7 +3392,7 @@ static int setup_credentials_internal(
                                 /* Make the new bind mount writable (i.e. drop MS_RDONLY) */
                                 r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|credentials_fs_mount_flags(/* ro= */ false), NULL);
                                 if (r < 0)
-                                        return r;
+                                        {log_error("setup_credentials_internal: return 7: %d\n", r); return r;}
 
                                 workspace_mounted = true;
                         }
@@ -3407,7 +3407,7 @@ static int setup_credentials_internal(
 
         r = acquire_credentials(context, params, unit, where, uid, workspace_mounted);
         if (r < 0)
-                return r;
+                {log_error("setup_credentials_internal: return 8: %d\n", r); return r;}
 
         if (workspace_mounted) {
                 bool install;
@@ -3422,7 +3422,7 @@ static int setup_credentials_internal(
                 else {
                         r = dir_is_empty(where, /* ignore_hidden_or_backup= */ false);
                         if (r < 0)
-                                return r;
+                                {log_error("setup_credentials_internal: return 9: %d\n", r); return r;}
 
                         install = r == 0; /* install only if non-empty */
                 }
@@ -3431,7 +3431,7 @@ static int setup_credentials_internal(
                         /* Make workspace read-only now, so that any bind mount we make from it defaults to read-only too */
                         r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|credentials_fs_mount_flags(/* ro= */ true), NULL);
                         if (r < 0)
-                                return r;
+                                {log_error("setup_credentials_internal: return 10: %d\n", r); return r;}
 
                         /* And mount it to the final place, read-only */
                         r = mount_nofollow_verbose(LOG_DEBUG, workspace, final, NULL, MS_MOVE, NULL);
@@ -3439,7 +3439,7 @@ static int setup_credentials_internal(
                         /* Otherwise get rid of it */
                         r = umount_verbose(LOG_DEBUG, workspace, MNT_DETACH|UMOUNT_NOFOLLOW);
                 if (r < 0)
-                        return r;
+                        {log_error("setup_credentials_internal: return 11: %d\n", r); return r;}
         } else {
                 _cleanup_free_ char *parent = NULL;
 
@@ -3448,12 +3448,12 @@ static int setup_credentials_internal(
 
                 r = path_extract_directory(final, &parent);
                 if (r < 0)
-                        return r;
+                        {log_error("setup_credentials_internal: return 12: %d\n", r); return r;}
                 if (chmod(parent, 0755) < 0)
-                        return -errno;
+                        {log_error("setup_credentials_internal: return 13: %d\n", -errno); return -errno;}
         }
 
-        return 0;
+        {log_error("setup_credentials_internal: return 14: %d\n", 0); return 0;}
 }
 
 static int setup_credentials(
@@ -3469,28 +3469,28 @@ static int setup_credentials(
         assert(params);
 
         if (!exec_context_has_credentials(context))
-                return 0;
+                {log_error("return setup_credentials 1: %d", 0);return 0;}
 
         if (!params->prefix[EXEC_DIRECTORY_RUNTIME])
-                return -EINVAL;
+                {log_error("return setup_credentials 2: %d", -EINVAL);return -EINVAL;}
 
         /* This where we'll place stuff when we are done; this main credentials directory is world-readable,
          * and the subdir we mount over with a read-only file system readable by the service's user */
         q = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials");
         if (!q)
-                return -ENOMEM;
+                {log_error("return setup_credentials 3: %d", -ENOMEM);return -ENOMEM;}
 
         r = mkdir_label(q, 0755); /* top-level dir: world readable/searchable */
         if (r < 0 && r != -EEXIST)
-                return r;
+                {log_error("return setup_credentials 4: %d", r);return r;}
 
         p = path_join(q, unit);
         if (!p)
-                return -ENOMEM;
+                {log_error("return setup_credentials 5: %d", -ENOMEM);return -ENOMEM;}
 
         r = mkdir_label(p, 0700); /* per-unit dir: private to user */
         if (r < 0 && r != -EEXIST)
-                return r;
+                {log_error("return setup_credentials 6: %d", r);return r;}
 
         r = safe_fork("(sd-mkdcreds)", FORK_DEATHSIG|FORK_WAIT|FORK_NEW_MOUNTNS, NULL);
         if (r < 0) {
@@ -3498,25 +3498,25 @@ static int setup_credentials(
 
                 /* If this is not a privilege or support issue then propagate the error */
                 if (!ERRNO_IS_NOT_SUPPORTED(r) && !ERRNO_IS_PRIVILEGE(r))
-                        return r;
+                        {log_error("return setup_credentials 7: %d", r);return r;}
 
                 /* Temporary workspace, that remains inaccessible all the time. We prepare stuff there before moving
                  * it into place, so that users can't access half-initialized credential stores. */
                 t = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "systemd/temporary-credentials");
                 if (!t)
-                        return -ENOMEM;
+                        {log_error("return setup_credentials 8: %d", -ENOMEM);return -ENOMEM;}
 
                 /* We can't set up a mount namespace. In that case operate on a fixed, inaccessible per-unit
                  * directory outside of /run/credentials/ first, and then move it over to /run/credentials/
                  * after it is fully set up */
                 u = path_join(t, unit);
                 if (!u)
-                        return -ENOMEM;
+                        {log_error("return setup_credentials 9: %d", -ENOMEM);return -ENOMEM;}
 
                 FOREACH_STRING(i, t, u) {
                         r = mkdir_label(i, 0700);
                         if (r < 0 && r != -EEXIST)
-                                return r;
+                                {log_error("return setup_credentials 10: %d", r);return r;}
                 }
 
                 r = setup_credentials_internal(
@@ -3532,7 +3532,7 @@ static int setup_credentials(
                 (void) rmdir(u); /* remove the workspace again if we can. */
 
                 if (r < 0)
-                        return r;
+                        {log_error("return setup_credentials 11: %d", r);return r;}
 
         } else if (r == 0) {
 
@@ -3580,7 +3580,7 @@ static int setup_credentials(
          * actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being
          * seen by users when trying access this inode. */
         (void) rmdir(p);
-        return 0;
+        {printf("return setup_credentials 12: %d", 0);return 0;}
 }
 
 #if ENABLE_SMACK

[ElvishJerricco]

@jtojnar FYI, for that patch, you can shorthand a lot of those changes with return log_error_errno(r, "foo bar: %m");, which will also print the human readable version of the error.

[happysalada]

I had the same problem without specifying Type="oneshot" to one of my services. I believe the default type is "simple". This doesn't seem related to the service type.

[aither64]

The error is caused by AppArmor profile on vpsAdminOS denying mount of ramfs and then remount of /dev/shm. The denials can be seen in kernel logs on the host system. I haven't been able to fix the profile so far, I don't see what I'm missing. Anyways, vpsAdminOS is transitioning away from AppArmor in any case. Should anyone else encounter it on vpsFree.cz VPS, we can migrate the VPS to a node that is already without AppArmor. It's not possible to disable it at runtime and it can be a while until all nodes are rebooted.

@jtojnar, please feel free to ping me or @snajpa when you find issues related to vpsAdminOS.

[happysalada]

Vpsadminos is only used in providers that use virtualization right ?
I encountered the error on hetzner baremetal instances so there might be another cause for the error.

[t184256]

On November 1, 2023 3:59:40 PM GMT+01:00, Yt ***@***.***> wrote: Vpsadminos is only used in providers that use virtualization right ? I encountered the error on hetzner baremetal instances so there might be another cause for the error.

I have this error under vanilla NixOS on Contabo, if you need data points.

[aither64]

@happysalada Yes, as far as I know, vpsAdminOS is only used for virtual servers (Linux containers actually) at vpsFree.cz. If you see this error elsewhere on baremetal or fully virtualized servers, then the cause is different and my comment above is not relevant.

[wahjava]

In my case, I received following spurious error (whole log):

Oct 22 23:31:25 hostname (sd-mkdcre[679814]: Failed to write credential 'pqpk': No space left on device

[happysalada]

This is fixed for me on master.

[wahjava]

This is fixed for me on master.

@happysalada do you know which commit ? Thanks!

[happysalada]

Its latest nixpkgs-unstable.

This is weird though, i thought that systemd was updated, but it doesnt look like it was.

Let me know if this works for you too.