RFE: credentials loaded with LoadCredential should be available to ExecStartPre too

[happysalada]

This is just asking precision around the LoadCredential doc.

I couldn't understand how to actually use the feature.

The way i understood it was:
In order to pass an environment variable SECRET_KEY_BASE to a service

• add a LoadCredential=secret_key_base:/run/secrets/unionBlue.secret_key_base.
• then add an environment variable SECRET_KEY_BASE=$CREDENTIALS_DIRECTORY/secret_key_base;
  I made sure that the /run/secrets/unionBlue.secret_key_base file (just a text file) is owned by the same user running the service.
  However upon starting the service I run into the following errors

72670]: union-blue.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/union-blue.service: No such file or directory
72670]: union-blue.service: Failed at step NAMESPACE spawning /nix/store/sxpb7vbxx1kwprnhsvr2cn7l0vssl9r2-union-0.0.1/bin/union: No such file or directory

I'm not sure what I missed.
I'm happy to test any suggestions and propose an amendment to the documentation.

[poettering]

I am not sure I follow?

What is SECRET_KEY_BASE supposed to point to? A file name? the literal secret?

* I made sure that the `/run/secrets/unionBlue.secret_key_base` file (just a text file) is owned by the same user running the service.

Don't. The file should be owned by by root on the host. The point of the credentials logic is that the service manager loads the creds off disk and then places them into a dir accessible to the service. The service doesn't (and shouldn't) have direct access.

Are you running this inside nspawn or on the host?

which systemd versions?

[happysalada]

Thanks a lot for helping with this!

SECRET_KEY_BASE is a literal secret.

To give you a little more context. I would like to manage everything with git. So for secrets I use something like age that does encryption with ssh keys. The idea being that when I deploy something will decrypt the file at a special location owned by root. That decrypted location is /run/secrets/unionBlue.secret_key_base. At that location, I have a decrypted file containing a string of characters that corresponds to the secret.

That said, I'm open to using this in a different way. Ideally though I can pass files to LoadCredentials. However in the end, my service needs some environment variables to be literal secrets. There are several of those. Currently I'm using EnvironmentFile (using the encryption/decryption process I'm talking about in the previous step).

[yt@hetzner-AX41-UEFI-ZFS-NVME:~]$ systemctl --version
systemd 247 (247)
+PAM +AUDIT -SELINUX +IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ +LZ4 -ZSTD +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Let me know if you need any more information.

[mjlbach]

I'm also running into this issue trying to share a file (not a literal secret).

May 15 12:17:47 nixos-desktop systemd[3320593]: /run/systemd/unit-root/home (rw-implicit) is duplicate.
May 15 12:17:47 nixos-desktop systemd[3320593]: /run/systemd/unit-root/root (rw-implicit) is duplicate.
May 15 12:17:47 nixos-desktop systemd[3320593]: /run/systemd/unit-root/run/user (rw-implicit) is duplicate.
May 15 12:17:47 nixos-desktop systemd[3320593]: /run/systemd/unit-root/home (read-only) is made redundant by /run/systemd/unit-root/ (read-only)
May 15 12:17:47 nixos-desktop systemd[3320593]: /run/systemd/unit-root/root (read-only) is made redundant by /run/systemd/unit-root/ (read-only)
May 15 12:17:47 nixos-desktop systemd[3320593]: /run/systemd/unit-root/run/user (read-only) is made redundant by /run/systemd/unit-root/ (read-only)
May 15 12:17:47 nixos-desktop systemd[3320593]: Bind-mounting / on /run/systemd/unit-root (MS_BIND|MS_REC "")...
May 15 12:17:47 nixos-desktop systemd[3320593]: Applying namespace mount on /run/systemd/unit-root/
May 15 12:17:47 nixos-desktop systemd[3320593]: Applying namespace mount on /run/systemd/unit-root/dev
May 15 12:17:47 nixos-desktop systemd[3320593]: Applying namespace mount on /run/systemd/unit-root/proc
May 15 12:17:47 nixos-desktop systemd[3320593]: Applying namespace mount on /run/systemd/unit-root/run/credentials
May 15 12:17:47 nixos-desktop systemd[3320593]: Mounting tmpfs (tmpfs) on /run/systemd/unit-root/run/credentials (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_STRICTATIME "mode=0755,size=4m,nr_inodes=1k")...
May 15 12:17:47 nixos-desktop systemd[3320593]: Applying namespace mount on /run/systemd/unit-root/run/credentials/dendrite.service
May 15 12:17:47 nixos-desktop systemd[3320593]: Failed to follow symlinks on /run/credentials/dendrite.service: No such file or directory
May 15 12:17:47 nixos-desktop systemd[3320593]: dendrite.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/dendrite.service: No such file or directory
May 15 12:17:47 nixos-desktop systemd[3320593]: dendrite.service: Failed at step NAMESPACE spawning /nix/store/dyikz835agazxvxm9fj7xqlsz0k34iwj-coreutils-8.32/bin/cp: No such file or directory
May 15 12:17:47 nixos-desktop systemd[1]: dendrite.service: Child 3320593 belongs to dendrite.service.

The exact service config I'm using is:

[Unit]
After=network.target
Description=Dendrite Matrix homeserver

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/7dz31dq4n1r0wqq3r28r7975cql68n8w-glibc-locales-2.32-40/lib/locale/locale-archive"
Environment="PATH=/nix/store/dyikz835agazxvxm9fj7xqlsz0k34iwj-coreutils-8.32/bin:/nix/store/2nx0mmb4k7z9i5ii4fw9jxwm9afh5wyl-findutils-4.7.0/bin:/nix/store/fxy5ficr8paan2yxrh45d9j17ryy2z2y-gnugrep-3.6/bin:/nix/store/9fbkl74hnskvmlkbx2cyy88q04nx12vp-gnused-4.8/bin:/nix/store/bmvjq883zj2vxgynl8p47za39lrg0ypi-systemd-247.6/bin:/nix/store/dyikz835agazxvxm9fj7xqlsz0k34iwj-coreutils-8.32/sbin:/nix/store/2nx0mmb4k7z9i5ii4fw9jxwm9afh5wyl-findutils-4.7.0/sbin:/nix/store/fxy5ficr8paan2yxrh45d9j17ryy2z2y-gnugrep-3.6/sbin:/nix/store/9fbkl74hnskvmlkbx2cyy88q04nx12vp-gnused-4.8/sbin:/nix/store/bmvjq883zj2vxgynl8p47za39lrg0ypi-systemd-247.6/sbin"
Environment="TZDIR=/nix/store/qqlfpa7hsgvpaj1nmg2d6qlxdh8s2vsv-tzdata-2020f/share/zoneinfo"



DynamicUser=true
ExecReload=/nix/store/dyikz835agazxvxm9fj7xqlsz0k34iwj-coreutils-8.32/bin/kill -HUP $MAINPID
ExecStart=/nix/store/ydh46v17fipa1q9s0my9w8dfdx35sh2x-matrix-dendrite-0.3.11/bin/dendrite-monolith-server --config $STATE_DIRECTORY/dendrite.yaml --http-bind-address :8008
ExecStartPre=/nix/store/dyikz835agazxvxm9fj7xqlsz0k34iwj-coreutils-8.32/bin/cp /nix/store/njqqj4nygg4nq70g7pfa5l7zi9nxqyhs-dendrite.yaml /run/dendrite/dendrite.yaml

LoadCredential=matrix_key.pem:/home/mjlbach/matrix_key.pem
Restart=on-failure
RuntimeDirectory=dendrite
RuntimeDirectoryMode=0700
StateDirectory=dendrite
Type=simple
WorkingDirectory=/var/lib/dendrite

Sorry for the nix stuff, but that is also my usecase.

The systemd version is 247

❯ systemctl --version
systemd 247 (247)
+PAM +AUDIT -SELINUX +IMA +APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ +LZ4 -ZSTD +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

[poettering]

SECRET_KEY_BASE is a literal secret.

the credentials logic doesn't support passing secrets down via env vars, because that's not a safe thing since env vars are by default inherited down the tree, even when there are privilege transitions.

@happysalada can you please provide the most minimal unit that shows your issue?

if you run 'systemd-run -p LoadCredential=foo:/etc/shadow -t /bin/bash' on the cmdline, and then type cat $CREDENTIALS_PATH/foo in the shell that opens then, does that work?

If you run this on 248, does it work then?

[happysalada]

Here are the results

echo $CREDENTIALS_PATH


[root@hetzner-AX41-UEFI-ZFS-NVME:/]# cat $CREDENTIALS_PATH/foo
cat: /foo: No such file or directory

the CREDENTIAL_PATHS env var appears to be not set.
but the service says it's running

Running as unit: run-u921297.service
Press ^] three times within 1s to disconnect TTY.

248 should come out on NixOS in a few days, I can test again then.

When using LoadCredential. Does it mean that the service will have access to the $CREDENTIALS_PATH and it should try to read files from that path?

[poettering]

When using LoadCredential. Does it mean that the service will have access to the $CREDENTIALS_PATH and it should try to read files from that path?

Yes. Isn't the documentation explicit enough about this, it even provides example command lines? https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

If the aforementioned cmdline doesn't work, then I am puzzled. Might be something weird with what nixos does with the paths?

Can you reproduce the issue on a more regular distro?

Can you ping the nixos people about this?

[dotlambda]

If the aforementioned cmdline doesn't work, then I am puzzled.

It does work if you use $CREDENTIALS_DIRECTORY:

# systemd-run -p LoadCredential=foo:/etc/shadow -t $(which bash)
Running as unit: run-u139.service
Press ^] three times within 1s to disconnect TTY.

# cat $CREDENTIALS_DIRECTORY/foo
nixbld4:!:1::::::
messagebus:!:1::::::
systemd-network:!:1::::::
nixbld7:!:1::::::
nixbld9:!:1::::::
nobody:!:1::::::
nixbld1:!:1::::::
...

[poettering]

oops, sorry, i meant DIRECTORY of course, not PATH. Sorry for the confusion.

[poettering]

So is all cleared up now? or any questions left? can we close this?

[dotlambda]

Sadly, the issue is still there. I was able to boil it down to the following unit file:

[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/77iwp66553657gnsmbx66y4gbpsmvpih-glibc-locales-2.32-46/lib/locale/>
Environment="PATH=/nix/store/0vkw1m51q34dr64z5i87dy99an4hfmyg-coreutils-8.32/bin:/nix/store/j1pkn9109012w>
Environment="TZDIR=/nix/store/bjxkrk1pd65z5gz5y62jyqdsjkicvvck-tzdata-2020f/share/zoneinfo"



DynamicUser=true
ExecStart=/nix/store/0vkw1m51q34dr64z5i87dy99an4hfmyg-coreutils-8.32/bin/cat ${CREDENTIALS_DIRECTORY}/foo
ExecStartPre=/nix/store/0vkw1m51q34dr64z5i87dy99an4hfmyg-coreutils-8.32/bin/ls
LoadCredential=foo:/etc/shadow
RuntimeDirectory=test

In particular, it doesn't occur if I remove DynamicUser, RuntimeDirectory, or ExecStartPre.
Btw, the Nix stuff shouldn't matter, just replace /nix/store/* with /usr/bin.

Using nixos-shell, you can try the following vm.nix

{ pkgs, ... }:

{
  nixos-shell.mounts = {
    mountHome = false;
    mountNixProfile = false;
  };

  systemd.services.test = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      RuntimeDirectory = "test";
      LoadCredential = "foo:/etc/shadow";
      ExecStartPre = "${pkgs.coreutils}/bin/ls";
      ExecStart = "${pkgs.coreutils}/bin/cat \${CREDENTIALS_DIRECTORY}/foo";
    };
  };
}

[arianvp]

Can you reproduce the issue on a more regular distro?

The same issue reproduces on Ubuntu 21.04 (Systemd 247):

[Service]
DynamicUser=true
ExecStart=/usr/bin/cat ${CREDENTIALS_DIRECTORY}/foo
ExecStartPre=/usr/bin/ls
LoadCredential=foo:/etc/passwd
RuntimeDirectory=test

May 26 21:25:38 vultr.guest systemd[1]: Starting test.service...
░░ Subject: A start job for unit test.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit test.service has begun execution.
░░ 
░░ The job identifier is 1364.
May 26 21:25:38 vultr.guest systemd[2360]: test.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/test.service: No such file or directory
May 26 21:25:38 vultr.guest systemd[2360]: test.service: Failed at step NAMESPACE spawning /usr/bin/ls: No such file or directory
░░ Subject: Process /usr/bin/ls could not be executed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The process /usr/bin/ls could not be executed and failed.
░░ 
░░ The error number returned by this process is ERRNO.
May 26 21:25:38 vultr.guest systemd[1]: test.service: Control process exited, code=exited, status=226/NAMESPACE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit test.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 226.
May 26 21:25:38 vultr.guest systemd[1]: test.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit test.service has entered the 'failed' state with result 'exit-code'.
May 26 21:25:38 vultr.guest systemd[1]: Failed to start test.service.
░░ Subject: A start job for unit test.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit test.service has finished with a failure.

Debug log:

May 26 21:27:02 vultr.guest systemd[1]: test.service: Installed new job test.service/start as 1438
May 26 21:27:02 vultr.guest systemd[1]: test.service: Enqueued job test.service/start as 1438
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=1 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=2 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15314 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15315 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobNew cookie=3 reply_cookie=0 signature=uos error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobNew cookie=15316 reply_cookie=0 signature=uos error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=method_return sender=org.freedesktop.systemd1 destination=n/a path=n/a interface=n/a member=n/a cookie=4 reply_cookie=1 signature=o error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: systemd-logind.service: Got notification message from PID 614 (WATCHDOG=1)
May 26 21:27:02 vultr.guest systemd[1]: test.service: Failed to set 'blkio.weight' attribute on '/system.slice/test.service' to '500': No such file or directory
May 26 21:27:02 vultr.guest systemd[1]: test.service: Failed to set 'blkio.bfq.weight' attribute on '/system.slice/test.service' to '500': No such file or directory
May 26 21:27:02 vultr.guest systemd[1]: Failed to read pids.max attribute of cgroup root, ignoring: No data available
May 26 21:27:02 vultr.guest systemd[1]: test.service: About to execute /usr/bin/ls
May 26 21:27:02 vultr.guest systemd[1]: test.service: Forked /usr/bin/ls as 2391
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=5 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15317 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15318 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: test.service: Changed failed -> start-pre
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=7 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15319 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Starting test.service...
░░ Subject: A start job for unit test.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit test.service has begun execution.
░░ 
░░ The job identifier is 1438.
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=8 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=9 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15320 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15321 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/job/1438 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=10 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/job/1438 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15322 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Got message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnit cookie=2 reply_cookie=0 signature=s error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=method_return sender=org.freedesktop.systemd1 destination=n/a path=n/a interface=n/a member=n/a cookie=11 reply_cookie=2 signature=o error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Got message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=Get cookie=3 reply_cookie=0 signature=ss error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=method_return sender=org.freedesktop.systemd1 destination=n/a path=n/a interface=n/a member=n/a cookie=12 reply_cookie=3 signature=v error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[2391]: Failed to connect to nscd socket: No such file or directory
May 26 21:27:02 vultr.guest systemd[2391]: Failed to connect to nscd socket: No such file or directory
May 26 21:27:02 vultr.guest systemd[1]: test.service: User lookup succeeded: uid=63378 gid=63378
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=13 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=14 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15323 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15324 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[2391]: /run/systemd/unit-root/home (rw-implicit) is duplicate.
May 26 21:27:02 vultr.guest systemd[2391]: /run/systemd/unit-root/root (rw-implicit) is duplicate.
May 26 21:27:02 vultr.guest systemd[2391]: /run/systemd/unit-root/run/user (rw-implicit) is duplicate.
May 26 21:27:02 vultr.guest systemd[2391]: /run/systemd/unit-root/home (read-only) is made redundant by /run/systemd/unit-root/ (read-only)
May 26 21:27:02 vultr.guest systemd[2391]: /run/systemd/unit-root/root (read-only) is made redundant by /run/systemd/unit-root/ (read-only)
May 26 21:27:02 vultr.guest systemd[2391]: /run/systemd/unit-root/run/user (read-only) is made redundant by /run/systemd/unit-root/ (read-only)
May 26 21:27:02 vultr.guest systemd[2391]: Bind-mounting / on /run/systemd/unit-root (MS_BIND|MS_REC "")...
May 26 21:27:02 vultr.guest systemd[2391]: Applying namespace mount on /run/systemd/unit-root/
May 26 21:27:02 vultr.guest systemd[2391]: Applying namespace mount on /run/systemd/unit-root/dev
May 26 21:27:02 vultr.guest systemd[2391]: Applying namespace mount on /run/systemd/unit-root/proc
May 26 21:27:02 vultr.guest systemd[2391]: Applying namespace mount on /run/systemd/unit-root/run/credentials
May 26 21:27:02 vultr.guest systemd[2391]: Mounting tmpfs (tmpfs) on /run/systemd/unit-root/run/credentials (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_STRICTATIME "mode=0755,size=4m,nr_inodes=1k")...
May 26 21:27:02 vultr.guest systemd[2391]: Applying namespace mount on /run/systemd/unit-root/run/credentials/test.service
May 26 21:27:02 vultr.guest systemd[2391]: Failed to follow symlinks on /run/credentials/test.service: No such file or directory
May 26 21:27:02 vultr.guest systemd[2391]: test.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/test.service: No such file or directory
May 26 21:27:02 vultr.guest systemd[2391]: test.service: Failed at step NAMESPACE spawning /usr/bin/ls: No such file or directory
░░ Subject: Process /usr/bin/ls could not be executed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The process /usr/bin/ls could not be executed and failed.
░░ 
░░ The error number returned by this process is ERRNO.
May 26 21:27:02 vultr.guest systemd[1]: Received SIGCHLD from PID 2391 ((ls)).
May 26 21:27:02 vultr.guest systemd[1]: Child 2391 ((ls)) died (code=exited, status=226/NAMESPACE)
May 26 21:27:02 vultr.guest systemd[1]: test.service: Failed to read oom_kill field of memory.events cgroup attribute: No such file or directory
May 26 21:27:02 vultr.guest systemd[1]: test.service: Child 2391 belongs to test.service.
May 26 21:27:02 vultr.guest systemd[1]: test.service: Control process exited, code=exited, status=226/NAMESPACE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit test.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 226.
May 26 21:27:02 vultr.guest systemd[1]: test.service: Got final SIGCHLD for state start-pre.
May 26 21:27:02 vultr.guest systemd[1]: test.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit test.service has entered the 'failed' state with result 'exit-code'.
May 26 21:27:02 vultr.guest systemd[1]: test.service: Service will not restart (restart setting)
May 26 21:27:02 vultr.guest systemd[1]: test.service: Changed start-pre -> failed
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15325 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: test.service: Job 1438 test.service/start finished, result=failed
May 26 21:27:02 vultr.guest systemd[1]: Failed to start test.service.
░░ Subject: A start job for unit test.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit test.service has finished with a failure.
░░ 
░░ The job identifier is 1438 and the job result is failed.
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=16 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=17 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15326 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15327 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=18 reply_cookie=0 signature=uoss error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved cookie=15328 reply_cookie=0 signature=uoss error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: test.service: Unit entered failed state.
May 26 21:27:02 vultr.guest systemd[1]: Spawning thread to nuke /tmp/systemd-private-23239239247748ba813b616a5f9ecf69-test.service-inJvmj
May 26 21:27:02 vultr.guest systemd[1]: Spawning thread to nuke /var/tmp/systemd-private-23239239247748ba813b616a5f9ecf69-test.service-ZXFj1i
May 26 21:27:02 vultr.guest systemd[1]: UID 63378 is no longer referenced, cleaning up its IPC.
May 26 21:27:02 vultr.guest systemd[1]: GID 63378 is no longer referenced, cleaning up its IPC.
May 26 21:27:02 vultr.guest systemd[1]: Failed to connect to nscd socket: No such file or directory
May 26 21:27:02 vultr.guest systemd[1]: Failed to connect to nscd socket: No such file or directory
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=19 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=20 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15329 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=15330 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Got message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1/unit/test_2eservice interface=org.freedesktop.DBus.Properties member=Get cookie=4 reply_cookie=0 signature=ss error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Sent message type=method_return sender=org.freedesktop.systemd1 destination=n/a path=n/a interface=n/a member=n/a cookie=21 reply_cookie=4 signature=v error-name=n/a error-message=n/a
May 26 21:27:02 vultr.guest systemd[1]: Bus private-bus-connection: changing state RUNNING → CLOSING
May 26 21:27:02 vultr.guest systemd[1]: Bus private-bus-connection: changing state CLOSING → CLOSED
May 26 21:27:02 vultr.guest systemd[1]: Got disconnect on private connection.
May 26 21:27:02 vultr.guest systemd[1]: systemd-journald.service: Got notification message from PID 2348 (FDSTORE=1)
May 26 21:27:02 vultr.guest systemd[1]: systemd-journald.service: Added fd 24 (n/a) to fd store.
May 26 21:27:02 vultr.guest systemd[1]: systemd-journald.service: Received EPOLLHUP on stored fd 24 (stored), closing.
May 26 21:27:51 vultr.guest systemd[1]: systemd-resolved.service: Got notification message from PID 548 (WATCHDOG=1)
May 26 21:27:56 vultr.guest systemd[1]: systemd-networkd.service: Got notification message from PID 793 (WATCHDOG=1)