PrivateDevices=true fails inside a container if /dev/ptmx is bind mounted

[major]

Submission type

• Bug report

systemd version the issue has been seen with

systemd 219 (systemd-219-30.el7_3.9.x86_64)

Used distribution

CentOS 7

In case of bug report: Expected behaviour you didn't see

Expect MariaDB service to start with PrivateDevices=true

In case of bug report: Unexpected behaviour you saw

MariaDB fails to start

Journal output:

systemd[9435]: Failed at step NAMESPACE spawning /bin/sh: Invalid argument
Subject: Process /bin/sh could not be executed
Defined-By: systemd
Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
The process /bin/sh could not be executed and failed.

In case of bug report: Steps to reproduce the problem

Install LXC 2.0.8 on CentOS 7
Create a CentOS 7 container
Install MariaDB 10.2.x
Start MariaDB

It appears that /dev/ptmx is a bind mount of /dev/pts/ptmx within the LXC container. It also appears that systemd is attempting to bind mount /dev/ptmx into a namespace since PrivateDevices=true is set in the MariaDB service file. Here is some strace output that led me to believe that the bind mounted /dev/ptmx may be the problem.

I've opened a bug with upstream LXC about this as well since it seemed to break in the 2.0.8 release.

[stgraber]

Just a quick note to say that LXC upstream has so far been unable to reproduce this issue using a variety of systemd versions, including the one included in Centos 7. I think it'd be best we keep discussing this in the LXC issue for now until we track down the actual source of this user's issue.

[poettering]

So we don't track issues with anything older than the two most current systemd versions here (233/232). 219 is really really old, and hence something to contact downstreams for, i.e. your distro of choice. Hence, I will close this now, unless this is reproducible on something recent. Sorry if that's disappointing.

Moreover it appears to me this would be something to fix in LXC, as setting up the execution environment correctly is a job for the container manager, not the payload really wherever that's possible. And it is possible, since nspawn works fine with this. And judging by @stgraber's comments LXC is willing to consider this an LXC issue for now.

Closing hence. Sorry!

[evverx]

@poettering it seems that v219 contains a bug which has been fixed.

$ cat /proc/version
Linux version 3.10.0-514.16.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Wed Apr 12 15:04:24 UTC 2017

rm /dev/ptmx
touch /dev/ptmx
mount --bind /dev/pts/ptmx /dev/ptmx
cat <<'EOF' >/etc/systemd/system/a.service
[Service]
PrivateDevices=yes
ExecStart=/bin/sh -c date
EOF
systemctl start a

v219

a.service: main process exited, code=exited, status=226/NAMESPACE

master

systemd[1]: Started a.service.

[evverx]

The bug was fixed by #3254.

[major]

@poettering Every little bit helps! Thanks as well, @evverx, for finding where it was fixed. I was having lots of trouble finding that.

[jfgibbins]

I've had the same issue using PrivateDevices=yes with hashicorp vault running inside an ubuntu 16.04 container on lxd with 229-4ubuntu19 amd64

[vdloo]

Seeing something similar, this is probably an lxc issue though not systemd

[root@host hypernode-vagrant]# pacman -Qi systemd | grep Version
Version         : 236.81-1
[root@host hypernode-vagrant]# uname -a
Linux host 4.14.15-1-ARCH #1 SMP PREEMPT Tue Jan 23 21:49:25 UTC 2018 x86_64 GNU/Linux
root@6af9cf-root-magweb-vgr /home/vagrant # systemd --version
systemd 229
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN
root@6af9cf-root-magweb-vgr /home/vagrant # lsb_release -a |& grep Desc
Description:	Ubuntu 16.04 LTS

Feb 02 09:29:18 xxxxx-dummytag-vagrant.nodes.hypernode.io systemd[1]: Started Varnish HTTP accelerator.
Feb 02 09:29:18 xxxxx-dummytag-vagrant.nodes.hypernode.io systemd[578]: varnish.service: Failed at step NAMESPACE spawning /usr/sbin/varnishd: Invalid argument
Feb 02 09:29:18 xxxxx-dummytag-vagrant.nodes.hypernode.io systemd[1]: varnish.service: Main process exited, code=exited, status=226/NAMESPACE
Feb 02 09:29:18 xxxxx-dummytag-vagrant.nodes.hypernode.io systemd[1]: varnish.service: Unit entered failed state.
Feb 02 09:29:18 xxxxx-dummytag-vagrant.nodes.hypernode.io systemd[1]: varnish.service: Failed with result 'exit-code'.

/home/vagrant # grep PrivateDevices /lib/systemd/system/varnish.service
PrivateDevices=true

Changing PrivateDevices to false 'fixes' it. Found some suggestions on google about how this might occur if LXC drops CAP_SYS_ADMIN but I disabled all lxc.cap.drop settings in my environment and it still happens. I've read things about more distros packaging their stuff with PrivateDevices=true in the default config files, so this might become more of an issue in the future.

[stgraber]

@vdloo is that an unprivileged container? If it is, then CAP_SYS_ADMIN or not, you can't create device nodes, so you have to resort to bind-mounting the device nodes instead of using mknod and systemd may be missing that bit of logic