Re: [systemd-devel] Permissions problems with systemd-networkd and others.

2024-02-07 Thread Dave Howorth
On Wed, 7 Feb 2024 20:41:40 +
"Murrell, Robert A."  wrote:
> I finally got everything working.  Here is what I did to fix the
> problem:
> 
> adduser systemd-network root
> adduser systemd-resolve root
> adduser bind root
> find /etc -type d -exec chmod 755 {} +
> 
> I don’t know who does this on a full linux image.  I’m posting it
> here for the next person who has this problem. I would suggest that
> release testing include a minimal Linux image to support embedded and
> IoT devices.

I would have thought this is a question for your distro rather than for
systemd?
 
> Robert Murrell
> Embedded Software Engineer
> STANLEY Assembly Technologies
> 
> 2500 Meijer Dr., Troy, MI 48084
> T 248-677-9740
> robert.murr...@sbdinc.com |
> www.StanleyEngineeredFastening.com
> 
> This email, including any attached files, is intended only for the
> person to whom or the entity to which it is addressed and may contain
> confidential and/or privileged material. Any review, retransmission,
> dissemination or other use of, or taking of any action in reliance
> upon, this information by persons or entities other than the intended
> recipient is prohibited. If you received this in error, please
> contact the sender and delete the material from any computer.
> 
> 
> From: Murrell, Robert A. 
> Sent: Wednesday, February 7, 2024 11:43 AM
> To: systemd-devel@lists.freedesktop.org
> Subject: RE: Permissions problems with systemd-networkd and others.
> 
> I should have added that I am building a very stripped down image.
> These are the Debian packages that are being installed:
> 
> linux-image-6.2.0 - locally built
> firmware-imx-epdc - locally built
> firmware-imx-sdma - locally built
> firmware-imx-vpu - locally built
> firmware-realtek - locally built
> busybox
> locales
> u-boot-image-mspmb-2017.11 - locally built
> u-boot-tools-mspmb-2017.11 - locally built
> dosfstools
> openssl
> libmbedtls12
> gnutls-bin
> gdbserver
> socat
> fdisk
> nano
> ssh
> openvpn
> iwd
> iproute2
> nftables
> net-tools
> usbutils
> iputils-ping
> dnsutils
> isc-dhcp-server
> hostapd
> bind9
> wireless-tools
> wpasupplicant
> policykit-1
> weston
> kbd
> xwayland
> mesa-utils
> libdrm-etnaviv1
> chromium
> fonts-arphic-uming
> fonts-ipafont-mincho
> fonts-ipafont-gothic
> gstreamer1.0-plugins-good
> gstreamer1.0-plugins-bad
> gstreamer1.0-plugins-ugly
> v4l-utils
> kmod
> mono-runtime
> rng-tools
> cron
> 
> I installed policykit-1 after my first request, but it didn’t help.
> Also, here is an excerpt from the journal:
> 
> Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 4.
> Jun 18 14:56:02 mspmbsat systemd[1]: Stopped Network Service.
> Jun 18 14:56:02 mspmbsat systemd[1]: Starting Network Service...
> Jun 18 14:56:02 mspmbsat systemd[241]: systemd-networkd.service: Failed to execute /lib/systemd/systemd-networkd: Permission denied
> Jun 18 14:56:02 mspmbsat systemd[241]: systemd-networkd.service: Failed at step EXEC spawning /lib/systemd/systemd-networkd: Permission denied
> Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=203/EXEC
> Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
> 
> Jun 18 14:56:02 mspmbsat systemd[1]: Failed to start Network Service.
> 
> Is there some other package I need to install to get this to work?
> 
> Robert Murrell
> Embedded Software Engineer
> STANLEY Assembly Technologies
> 
> 
> From: Murrell, Robert A. <robert.murr...@sbdinc.com>
> Sent: Tuesday, February 6, 2024 4:44 PM
> To: systemd-devel@lists.freedesktop.org
> Subject: Permissions problems with systemd-networkd and others.
> 
> Greetings,
> 
> I’m attempting to update one of our products from Debian Stretch with
> Linux kernel 4.14 to Debian Bullseye with Linux kernel 6.2.0.  The
> target system is an ARM iMX6QP.  I’ve managed to build the kernel
> from the old .config file.  The image is built using ELBE builder and
> reprepro for local packages (not my choi

Re: [systemd-devel] Submitting a service activation to remote mounts success

2024-02-07 Thread Thomas HUMMEL




On 2/7/24 19:55, Andrei Borzenkov wrote:

> You can add drop-in to either unit (and add generator to do it
> automatically), but I do not quite see what is it going to buy you.


Hello, thanks for your answer and sorry for the previous confusions I made.

What do you call a generator here? A custom script to generate the 
dropped-in files or some systemd mechanism (I then must admit I still 
don't know yet)?


What I want (though I don't like to overuse systemd dependencies as I 
instinctively think this may not be a good idea), is to prevent an hpc 
scheduler daemon (service unit) from accepting jobs if remote mounts 
(mandatory for consistent use) are not all here (successfully mounted).


The initial idea, which avoided listing (or generating) every mount one 
by one, was to express dependencies relative to remote-fs.target by 
adding BindsTo=remote-fs.target to the service (After= comes for free).


But then if some such .mount units would get unmounted, remote-fs.target's 
Requires= would not deactivate remote-fs.target and my 
service would in turn not be deactivated.


Thanks for your help

--
Thomas HUMMEL


Re: [systemd-devel] Permissions problems with systemd-networkd and others.

2024-02-07 Thread Murrell, Robert A.
I finally got everything working.  Here is what I did to fix the problem:

adduser systemd-network root
adduser systemd-resolve root
adduser bind root
find /etc -type d -exec chmod 755 {} +

I don’t know who does this on a full linux image.  I’m posting it here for the 
next person who has this problem. I would suggest that release testing include 
a minimal Linux image to support embedded and IoT devices.

Robert Murrell
Embedded Software Engineer
STANLEY Assembly Technologies


From: Murrell, Robert A. 
Sent: Wednesday, February 7, 2024 11:43 AM
To: systemd-devel@lists.freedesktop.org
Subject: RE: Permissions problems with systemd-networkd and others.

I should have added that I am building a very stripped down image.  These are 
the Debian packages that are being installed:

linux-image-6.2.0 - locally built
firmware-imx-epdc - locally built
firmware-imx-sdma - locally built
firmware-imx-vpu - locally built
firmware-realtek - locally built
busybox
locales
u-boot-image-mspmb-2017.11 - locally built
u-boot-tools-mspmb-2017.11 - locally built
dosfstools
openssl
libmbedtls12
gnutls-bin
gdbserver
socat
fdisk
nano
ssh
openvpn
iwd
iproute2
nftables
net-tools
usbutils
iputils-ping
dnsutils
isc-dhcp-server
hostapd
bind9
wireless-tools
wpasupplicant
policykit-1
weston
kbd
xwayland
mesa-utils
libdrm-etnaviv1
chromium
fonts-arphic-uming
fonts-ipafont-mincho
fonts-ipafont-gothic
gstreamer1.0-plugins-good
gstreamer1.0-plugins-bad
gstreamer1.0-plugins-ugly
v4l-utils
kmod
mono-runtime
rng-tools
cron

I installed policykit-1 after my first request, but it didn’t help.  Also, here 
is an excerpt from the journal:

Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 4.
Jun 18 14:56:02 mspmbsat systemd[1]: Stopped Network Service.
Jun 18 14:56:02 mspmbsat systemd[1]: Starting Network Service...
Jun 18 14:56:02 mspmbsat systemd[241]: systemd-networkd.service: Failed to execute /lib/systemd/systemd-networkd: Permission denied
Jun 18 14:56:02 mspmbsat systemd[241]: systemd-networkd.service: Failed at step EXEC spawning /lib/systemd/systemd-networkd: Permission denied
Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=203/EXEC
Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.

Jun 18 14:56:02 mspmbsat systemd[1]: Failed to start Network Service.

Is there some other package I need to install to get this to work?

Robert Murrell
Embedded Software Engineer
STANLEY Assembly Technologies


From: Murrell, Robert A. <robert.murr...@sbdinc.com>
Sent: Tuesday, February 6, 2024 4:44 PM
To: systemd-devel@lists.freedesktop.org
Subject: Permissions problems with systemd-networkd and others.

Greetings,

I’m attempting to update one of our products from Debian Stretch with Linux 
kernel 4.14 to Debian Bullseye with Linux kernel 6.2.0.  The target system is 
an ARM iMX6QP.  I’ve managed to build the kernel from the old .config file.  
The image is built using ELBE builder and reprepro for local packages (not my 
choice).  This has been a very steep learning experience and I’m sure I have 
more tweaking to do.

I’m having a problem with systemd on startup.  Systemd-networkd fails to run 
with the following error:

● systemd-networkd.service - Network Service
 Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; 
vendor preset: enabled)
 Active: failed (Result: exit-code) since Sun 2023-
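
The symptom in this message (a 644 file that still returns Permission denied, cured by making directories 755) is consistent with a directory on the path lacking search permission for the service account. The read-only audit below is an added example, not part of the original post; the sample tree, its modes and the `etc/ssl/private` exclusion are constructed assumptions.

```shell
#!/bin/sh
# Added example: read-only permission audit of an image root.
# Only the "other" mode bits are inspected; ACLs and MAC policy are not considered.

# path_blockers ROOT PATH
# Walk PATH below ROOT and print every directory that lacks o+x (search)
# and the final file if it lacks o+r.
path_blockers() {
    pb_cur=${1%/}
    pb_rel=${2#/}
    pb_ifs=$IFS; IFS=/
    set -f; set -- $pb_rel; set +f      # split the path on "/"
    IFS=$pb_ifs
    for pb_part in "$@"; do
        pb_mode=$(ls -ldL "${pb_cur:-/}" | cut -c1-10)
        case $pb_mode in
            ?????????[xt]) ;;           # others may traverse
            *) echo "no-search $pb_mode ${pb_cur:-/}" ;;
        esac
        pb_cur=$pb_cur/$pb_part
    done
    pb_mode=$(ls -ldL "$pb_cur" | cut -c1-10)
    case $pb_mode in
        ???????r??) ;;                  # others may read
        *) echo "no-read $pb_mode $pb_cur" ;;
    esac
}

# closed_dirs ROOT [KEEP...]
# List directories under ROOT/etc without o+rx, skipping KEEP entries
# (paths relative to ROOT that are meant to stay closed).
closed_dirs() {
    cd_root=${1%/}; shift
    find "$cd_root/etc" -type d ! -perm -005 | while IFS= read -r cd_dir; do
        cd_skip=0
        for cd_keep in "$@"; do
            if [ "$cd_dir" = "$cd_root/$cd_keep" ]; then cd_skip=1; fi
        done
        [ "$cd_skip" -eq 1 ] || echo "${cd_dir#"$cd_root"}"
    done
}

# make_sample_root: constructed tree that reproduces the symptom
# (not the poster's image; the modes are assumptions).
make_sample_root() {
    sr=$(mktemp -d)
    mkdir -p "$sr/etc/systemd" "$sr/etc/ssl/private"
    : > "$sr/etc/systemd/networkd.conf"
    chmod 755 "$sr" "$sr/etc" "$sr/etc/ssl"
    chmod 644 "$sr/etc/systemd/networkd.conf"
    chmod 750 "$sr/etc/systemd"       # readable file behind a closed directory
    chmod 700 "$sr/etc/ssl/private"   # assumed to be closed on purpose
    echo "$sr"
}

sample=$(make_sample_root)
path_blockers "$sample" /etc/systemd/networkd.conf
closed_dirs "$sample" etc/ssl/private
rm -rf "$sample"
```

Run against the unpacked image root, each reported directory can then be corrected individually.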

[systemd-devel] ConditionNeedsUpdate, read-only /usr, and sysext

2024-02-07 Thread Valentin David
Hello everybody,

The behavior of ConditionNeedsUpdate is that if /etc/.updated is older than 
/usr/, then it is true.

I have some issues with this. But maybe I do not use it the right way.

First, when using a read-only /usr partition (updated through sysupdate), the 
time of /usr is of the build of that filesystem. In the case of GNOME OS, to 
ensure reproducibility bit by bit, we set all times to some time in 2011. So 
that does not work for us.

But now let's say we work-around that, and we make our system take a date that 
is reproducible, let's say the git commit of our metadata. Then we have a 
second issue.

Because of systemd-sysext, it might be that /usr is not anymore the time of the 
/usr filesystem, but the time of a directory created on the fly by 
systemd-sysext (or maybe it keeps the time from the / filesystem, I do not know, 
but for sure the time stamp is from when systemd-sysext was started). If 
systemd-update-done happens after systemd-sysext (and it effectively does on 
254), then the date of /etc/.updated will become the time when systemd-sysext 
started.

Let's imagine that I do not boot that machine often. My system is booting a new 
version. And there is already another new version available on the sysupdate 
server. My system will download a build of /usr that is likely to be older than 
the boot time. So next reboot, the condition will be false, even though I did 
have an update. And it will be false until I download a version that was built 
after the boot time of my last successful update.

So my question is, is there a plan to replace time stamp comparison for 
ConditionNeedsUpdate with something that works better with sysupdate and 
sysext? Maybe copying IMAGE_VERSION from /usr/lib/os-release into /etc/.updated 
for example?

Thanks,
--
Valentin David
m...@valentindavid.com


Re: [systemd-devel] Submitting a service activation to remote mounts success

2024-02-07 Thread Andrei Borzenkov

On 07.02.2024 19:20, Thomas HUMMEL wrote:
> On 2/7/24 11:50, Thomas HUMMEL wrote:
>> Still I cannot understand where the Requires= comes in
>> remote-fs.target unit as doc for special target only describes a Wants=
>> dep added by systemd-fstab-generator in the case of auto mounts.
>
> Well, forget about that Wants= dep which is to the mount unit.
>
> Basically my only remaining question is:
>
> is there a way to have remote-fs.target BindsTo= instead
> of Requires= only ?

You can add drop-in to either unit (and add generator to do it 
automatically), but I do not quite see what is it going to buy you.
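
The drop-in plus generator approach named in the reply above, as an added example that is not part of the thread: a generator that binds a service to every auto-mounted network filesystem in /etc/fstab. The unit name `hpc-scheduler.service`, the filesystem type list and the fallback escaping are assumptions.

```shell
#!/bin/sh
# Added example. Install as an executable under /etc/systemd/system-generators/.
# systemd runs generators at boot and on daemon-reload with three output
# directories as arguments; "$1" is the normal-priority one.

SERVICE=hpc-scheduler.service   # hypothetical unit name

# remote_mounts FSTAB: mount points of network filesystems that are not noauto.
remote_mounts() {
    while read -r spec mp type opts _; do
        case $spec in ''|'#'*) continue ;; esac
        case ",$opts," in *,noauto,*) continue ;; esac
        case $type in
            nfs|nfs4|cifs|ceph|glusterfs|lustre) echo "$mp" ;;  # assumed subset
            *) case ",$opts," in *,_netdev,*) echo "$mp" ;; esac ;;
        esac
    done < "$1"
}

# unit_for_path PATH: name of the .mount unit that systemd uses for PATH.
unit_for_path() {
    if command -v systemd-escape >/dev/null 2>&1; then
        systemd-escape --path --suffix=mount "$1"
        return
    fi
    # Fallback for paths that need no \xNN escaping; anything else is skipped.
    p=${1#/}; p=${p%/}
    case $p in
        ''|.*|*//*|*[!A-Za-z0-9:_./]*) return 1 ;;
    esac
    printf '%s.mount\n' "$(printf '%s' "$p" | tr / -)"
}

# write_dropin OUTDIR FSTAB: bind SERVICE to every remote mount unit, so the
# service is stopped when any of them goes away (BindsTo= together with After=).
write_dropin() {
    units=$(remote_mounts "$2" | while read -r mp; do
        unit_for_path "$mp" || echo "skipping $mp" >&2
    done | tr '\n' ' ')
    units=${units% }
    [ -n "$units" ] || return 0
    mkdir -p "$1/$SERVICE.d"
    printf '[Unit]\nBindsTo=%s\nAfter=%s\n' "$units" "$units" \
        > "$1/$SERVICE.d/50-remote-mounts.conf"
}

# When called by systemd, write the drop-in into the generator directory.
if [ $# -ge 1 ]; then
    write_dropin "$1" /etc/fstab
fi
```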


Re: [systemd-devel] Submitting a service activation to remote mounts success

2024-02-07 Thread Andrei Borzenkov

On 07.02.2024 13:50, Thomas HUMMEL wrote:
> Still I cannot understand where the Requires= comes in
> remote-fs.target unit

It is generated by systemd-fstab-generator

> as doc for special target only describes a Wants=
> dep added by systemd-fstab-generator in the case of auto mounts.

If doc for special target is systemd.special, I do not see even that in 
https://www.freedesktop.org/software/systemd/man/latest/systemd.special.html.


Re: [systemd-devel] Permissions problems with systemd-networkd and others.

2024-02-07 Thread Murrell, Robert A.
I should have added that I am building a very stripped down image.  These are 
the Debian packages that are being installed:

linux-image-6.2.0 - locally built
firmware-imx-epdc - locally built
firmware-imx-sdma - locally built
firmware-imx-vpu - locally built
firmware-realtek - locally built
busybox
locales
u-boot-image-mspmb-2017.11 - locally built
u-boot-tools-mspmb-2017.11 - locally built
dosfstools
openssl
libmbedtls12
gnutls-bin
gdbserver
socat
fdisk
nano
ssh
openvpn
iwd
iproute2
nftables
net-tools
usbutils
iputils-ping
dnsutils
isc-dhcp-server
hostapd
bind9
wireless-tools
wpasupplicant
policykit-1
weston
kbd
xwayland
mesa-utils
libdrm-etnaviv1
chromium
fonts-arphic-uming
fonts-ipafont-mincho
fonts-ipafont-gothic
gstreamer1.0-plugins-good
gstreamer1.0-plugins-bad
gstreamer1.0-plugins-ugly
v4l-utils
kmod
mono-runtime
rng-tools
cron

I installed policykit-1 after my first request, but it didn’t help.  Also, here 
is an excerpt from the journal:

Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 4.
Jun 18 14:56:02 mspmbsat systemd[1]: Stopped Network Service.
Jun 18 14:56:02 mspmbsat systemd[1]: Starting Network Service...
Jun 18 14:56:02 mspmbsat systemd[241]: systemd-networkd.service: Failed to execute /lib/systemd/systemd-networkd: Permission denied
Jun 18 14:56:02 mspmbsat systemd[241]: systemd-networkd.service: Failed at step EXEC spawning /lib/systemd/systemd-networkd: Permission denied
Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=203/EXEC
Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.

Jun 18 14:56:02 mspmbsat systemd[1]: Failed to start Network Service.

Is there some other package I need to install to get this to work?

Robert Murrell
Embedded Software Engineer
STANLEY Assembly Technologies


From: Murrell, Robert A. 
Sent: Tuesday, February 6, 2024 4:44 PM
To: systemd-devel@lists.freedesktop.org
Subject: Permissions problems with systemd-networkd and others.

Greetings,

I’m attempting to update one of our products from Debian Stretch with Linux 
kernel 4.14 to Debian Bullseye with Linux kernel 6.2.0.  The target system is 
an ARM iMX6QP.  I’ve managed to build the kernel from the old .config file.  
The image is built using ELBE builder and reprepro for local packages (not my 
choice).  This has been a very steep learning experience and I’m sure I have 
more tweaking to do.

I’m having a problem with systemd on startup.  Systemd-networkd fails to run 
with the following error:

● systemd-networkd.service - Network Service
     Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2023-06-18 14:56:02 UTC; 2h 42min ago
TriggeredBy: ● systemd-networkd.socket
       Docs: man:systemd-networkd.service(8)
    Process: 233 ExecStart=/lib/systemd/systemd-networkd (code=exited, status=203/EXEC)
   Main PID: 233 (code=exited, status=203/EXEC)
        CPU: 109ms

Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 5.
Jun 18 14:56:02 mspmbsat systemd[1]: Stopped Network Service.
Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Start request repeated too quickly.
Jun 18 14:56:02 mspmbsat systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.

Jun 18 14:56:02 mspmbsat systemd[1]: Failed to start Network Service.

Systemd-resolved and named have similar problems.  Running the program manually 
(from root) gives me this error:

~# /lib/systemd/systemd-networkd
Failed to open configuration file '/etc/systemd/networkd.conf': Permission denied
Failed to parse configuration file: Permission denied
Enumeration completed

Networkd.conf has 644 permissions.  I have noticed that systemd-networkd now 
has its own group systemd-network.  I’ve tried doing several things like adding 
systemd-network to root group and vice versa, setting permissions on all 
affected files and paths to 777 (undesirable), but I still can’t get it to run.  
I get a little farther, but ultimately end up with a Permission denied error 
somewhere.


  1.  What do I 

Re: [systemd-devel] Submitting a service activation to remote mounts success

2024-02-07 Thread Thomas HUMMEL




On 2/7/24 11:50, Thomas HUMMEL wrote:

> Still I cannot understand where the Requires= comes in
> remote-fs.target unit as doc for special target only describes a Wants=
> dep added by systemd-fstab-generator in the case of auto mounts.


Well, forget about that Wants= dep which is to the mount unit.

Basically my only remaining question is:

is there a way to have remote-fs.target BindsTo= instead 
of Requires= only ?


Thanks for your help

--
Thomas HUMMEL


Re: [systemd-devel] Submitting a service activation to remote mounts success

2024-02-07 Thread Thomas HUMMEL




On 2/6/24 17:06, Silvio Knizek wrote:

> Hi Thomas,
>
> RequiresMountsFor= should be your friend. It just takes a space-
> separated list of paths and does all the other stuff by itself.


Hello, thanks for your reply.
Actually RequiresMountsFor is not what I need because I'd have to point 
some file *inside* the fs.


I mistakenly did my tests on a noauto mount which made me draw false 
conclusions. In fact what I need is just a Requires= or 
BindsTo=remote-fs.target in my service unit file.


Still I cannot understand where the Requires= comes in 
remote-fs.target unit as doc for special target only describes a Wants= 
dep added by systemd-fstab-generator in the case of auto mounts.


Thanks for your help

--
TH