Package: plocate
Version: 1.1.1-1
Severity: normal
X-Debbugs-Cc: roderich.sch...@gmail.com

I noticed that locate doesn't report any files in /usr, e.g.

$ locate libx | grep /usr
# no output

Turns out that databases generated by calling updatedb directly
and using the systemd service are different:

root@nuc8:~# rm /var/lib/plocate/plocate.db
root@nuc8:~# /usr/sbin/updatedb.plocate
root@nuc8:~# ls -l /var/lib/plocate/plocate.db
-rw-r----- 1 root plocate 35532841 Dec  7 00:35 /var/lib/plocate/plocate.db

root@nuc8:~# rm /var/lib/plocate/plocate.db
root@nuc8:~# systemctl start plocate-updatedb.service
root@nuc8:~# ls -l /var/lib/plocate/plocate.db
-rw-r----- 1 root plocate 32733304 Dec  7 00:37 /var/lib/plocate/plocate.db

The culprit seems to be

ProtectSystem=full

in plocate-updatedb.service. systemd.exec(5) has:

ProtectSystem=
    Takes a boolean argument or the special values "full" or "strict". If true,
    mounts the /usr/ and the boot loader directories (/boot and /efi) read-only
    for processes invoked by this unit. If set to "full", the /etc/ directory
    is mounted read-only, too.

Does systemd achieve read-only mounts by using bind-mounts which are pruned by
default?


Cheers, Roderich



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages plocate depends on:
ii  libc6       2.31-5
ii  libgcc-s1   10.2.0-23
ii  libstdc++6  10.2.0-23
ii  liburing1   0.7-2
ii  libzstd1    1.4.5+dfsg-4

plocate recommends no packages.

plocate suggests no packages.

-- Configuration Files:
/etc/updatedb.conf changed:
PRUNE_BIND_MOUNTS="yes"
PRUNENAMES=".git .bzr .hg .svn"
PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph"
PRUNEFS="NFS afs autofs binfmt_misc ceph cgroup cgroup2 cifs coda configfs curlftpfs debugfs devfs devpts devtmpfs ecryptfs ftpfs fuse.ceph fuse.glusterfs fuse.gvfsd-fuse fuse.mfs fuse.rozofs fuse.sshfs fusectl fusesmb hugetlbfs iso9660 lustre lustre_lite mfs mqueue ncpfs nfs nfs4 ocfs ocfs2 proc pstore rpc_pipefs securityfs shfs smbfs sysfs tmpfs tracefs udev udf usbfs"


-- no debconf information
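
One way to check the question raised in the report, as an added example that is not part of the original message and is not plocate's or systemd's code: the script parses mountinfo text and lists mount points that sit on the same device as their parent mount. That "same device as parent" test is an assumed heuristic for spotting bind mounts, and the sample lines are constructed to show what a positive result would look like.

```python
# Added example: heuristic bind-mount check over /proc/<pid>/mountinfo text.
# Assumption: "same device as the parent mount" marks a bind mount; this is
# an illustration, not plocate's own detection code.

# Constructed sample of a unit's mount namespace (not captured from a real host).
SAMPLE = """\
100 99 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
101 100 259:2 /usr /usr ro,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
102 100 259:2 /etc /etc ro,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
103 100 259:1 / /boot ro,relatime shared:2 - ext4 /dev/nvme0n1p1 rw
104 100 0:22 / /proc rw,nosuid - proc proc rw
"""

def parse_mountinfo(text):
    """Return {mount_id: dict} for each well-formed mountinfo line."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        # Optional fields start at index 6, so the "-" separator is never earlier.
        if "-" not in fields or fields.index("-") < 6:
            continue  # malformed or truncated line
        sep = fields.index("-")
        mounts[int(fields[0])] = {
            "parent": int(fields[1]),
            "dev": fields[2],                      # major:minor of the filesystem
            "root": fields[3],                     # subtree of the fs that is mounted
            "mount_point": fields[4].replace("\\040", " "),
            "read_only": "ro" in fields[5].split(","),
            "fstype": fields[sep + 1],
        }
    return mounts

def bind_mount_candidates(text):
    """Mount points on the same device as their parent mount, sorted."""
    mounts = parse_mountinfo(text)
    hits = []
    for m in mounts.values():
        parent = mounts.get(m["parent"])
        if parent and parent["dev"] == m["dev"]:
            hits.append((m["mount_point"], m["read_only"]))
    return sorted(hits)

if __name__ == "__main__":
    for path, ro in bind_mount_candidates(SAMPLE):
        print(f"{path}\t{'ro' if ro else 'rw'}\tsame device as parent")
```

To test a real unit, pass the function the contents of /proc/self/mountinfo as read by a process running inside that unit, since the service sees its own mount namespace.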
