reassign 919231 systemd 240-5
retitle 919231 CacheDirectory/StateDirectory does not change owner/group
thanks

Hi Stijn,

your bug description was enough for me to reproduce this misbehavior and track it down to systemd not behaving like the documentation describes:

> StateDirectory=, CacheDirectory=
>
> Except in case of ConfigurationDirectory=, the innermost specified directories will be owned by the user and group specified in User= and Group=. If the specified directories already exist and their owning user or group do not match the configured ones, all files and directories below the specified directories as well as the directories themselves will have their file ownership recursively changed to match what is configured. As an optimization, if the specified directories are already owned by the right user and group, files and directories below of them are left as-is, even if they do not match what is requested.

The salt-master systemd service is configured to use /var/lib/salt/pki/master and /var/cache/salt/master as state and cache directory. salt should change the ownership, but it does not.

Steps to reproduce: Take a minimal Debian 9 installation and:

```
root@debian:~# apt install salt-master
root@debian:~# sed -i 's/stretch/buster/g' /etc/apt/sources.list
root@debian:~# apt upgrade
[...]
Setting up salt-master (2018.3.3+dfsg1-2) ...
Installing new version of config file /etc/salt/master ...
Job for salt-master.service failed because the control process exited with error code.
See "systemctl status salt-master.service" and "journalctl -xe" for details.
invoke-rc.d: initscript salt-master, action "restart" failed.

● salt-master.service - The Salt Master Server
   Loaded: loaded (/lib/systemd/system/salt-master.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-02-06 16:16:37 UTC; 8ms ago
     Docs: man:salt-master(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltstack.com/en/latest/contents.html
  Process: 31417 ExecStart=/usr/bin/salt-master (code=exited, status=13)
 Main PID: 31417 (code=exited, status=13)

Feb 06 16:16:37 debian systemd[1]: Starting The Salt Master Server...
Feb 06 16:16:37 debian salt-master[31417]: Failed to create directory path "/var/lib/salt/pki/master/minions" - [Errno 13] Permission denied: '/var/lib/salt/pki/master/minions'
Feb 06 16:16:37 debian systemd[1]: salt-master.service: Main process exited, code=exited, status=13/n/a
Feb 06 16:16:37 debian systemd[1]: salt-master.service: Failed with result 'exit-code'.
Feb 06 16:16:37 debian systemd[1]: Failed to start The Salt Master Server.
dpkg: error processing package salt-master (--configure):
 installed salt-master package post-installation script subprocess returned error exit status 1
[...]
```

Instead of doing an upgrade test, you can just do the test on testing by stopping salt-master, changing the permission to root and starting salt-master.

```
root@debian:~# systemctl cat salt-master.service
# /lib/systemd/system/salt-master.service
[Unit]
Description=The Salt Master Server
Documentation=man:salt-master(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
After=network.target

[Service]
LimitNOFILE=100000
Type=notify
NotifyAccess=all
ExecStart=/usr/bin/salt-master
User=salt
Group=salt
CacheDirectory=salt/master
RuntimeDirectory=salt
StateDirectory=salt/pki/master

[Install]
WantedBy=multi-user.target
root@debian:~# ls -ld /var/lib/salt /var/lib/salt/pki /var/lib/salt/pki/master
drwxr-xr-x 3 salt salt 4096 Feb 6 16:16 /var/lib/salt
drwxr-xr-x 3 root root 4096 Feb 6 16:16 /var/lib/salt/pki
drwx------ 7 root root 4096 Feb 6 16:10 /var/lib/salt/pki/master
root@debian:~# ls -ld /var/cache/salt /var/cache/salt/master
drwxr-xr-x 3 root root 4096 Feb 6 16:10 /var/cache/salt
drwxr-xr-x 8 root root 4096 Feb 6 16:11 /var/cache/salt/master
root@debian:~# dpkg -l | grep systemd | sed 's/ \+amd64 .*$//'
ii libnss-systemd:amd64 240-5
ii libpam-systemd:amd64 240-5
ii libsystemd0:amd64 240-5
ii python-systemd 234-2+b1
ii python3-systemd 234-2+b1
ii systemd 240-5
ii systemd-sysv 240-5
```

The workaround is to manually change the owner/group to salt:

```
root@debian:~# chown -R salt:salt /var/lib/salt/pki/master /var/cache/salt/master
root@debian:~# systemctl start salt-master
```

--
Benjamin Drung
System Developer
Debian & Ubuntu Developer

1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: benjamin.dr...@cloud.ionos.com | Web: www.ionos.de

Head Office: Berlin, Germany
District Court Berlin Charlottenburg, Registration number: HRB 125506 B
Executive Management: Christoph Steffens, Matthias Steinberg, Achim Weiss

Member of United Internet
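
The ownership state shown in the `ls -ld` output above can be checked mechanically. The following is an added example, not part of the original message and not code from systemd or salt: it reads `User=`, `Group=`, `StateDirectory=` and `CacheDirectory=` from a unit and reports existing directories whose owner or group differs. The names `parse_service` and `ownership_mismatches`, and the `root`, `uid_of` and `gid_of` parameters, are assumptions of this example, as are the system-unit base paths `/var/lib` and `/var/cache`.

```python
import grp
import os
import pwd

# Settings whose directories systemd should chown to User=/Group=, with base paths.
BASES = {"StateDirectory": "var/lib", "CacheDirectory": "var/cache"}

# Constructed sample: the relevant [Service] lines of the unit quoted in the message.
SAMPLE_UNIT = """\
[Service]
User=salt
Group=salt
CacheDirectory=salt/master
StateDirectory=salt/pki/master
"""

def parse_service(unit_text):
    """Collect [Service] settings; each value is a list of whitespace-split words."""
    section, out = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).extend(value.split())
    return out

def ownership_mismatches(unit_text, root="/", uid_of=None, gid_of=None):
    """Return (path, uid, gid) for existing directories not owned by User=/Group=."""
    uid_of = uid_of or (lambda name: pwd.getpwnam(name).pw_uid)
    gid_of = gid_of or (lambda name: grp.getgrnam(name).gr_gid)
    svc = parse_service(unit_text)
    want = (uid_of(svc["User"][-1]), gid_of(svc["Group"][-1]))
    bad = []
    for key, base in BASES.items():
        for rel in svc.get(key, []):
            path = os.path.join(root, base, rel)
            if os.path.isdir(path):  # missing directories are created by systemd
                st = os.stat(path)
                if (st.st_uid, st.st_gid) != want:
                    bad.append((path, st.st_uid, st.st_gid))
    return bad

if __name__ == "__main__":
    try:  # the unit's user and group must exist on this host
        for path, uid, gid in ownership_mismatches(SAMPLE_UNIT):
            print(f"{path}: owned by {uid}:{gid}, not the unit's User=/Group=")
    except KeyError as err:
        print(f"cannot resolve User=/Group=: {err}")
```

The check only looks at the innermost directories named in the unit, which is also the level the quoted documentation says decides whether ownership is changed recursively.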