Bug 1467263

Summary: rhel7 image has systemd-random-seed.service which is bound to fail due to SELinux
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora <jpazdziora>
Component: rhel7-init-container
Assignee: Frantisek Kluknavsky <fkluknav>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
Keywords: Extras
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 13:21:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Pazdziora 2017-07-03 09:29:48 UTC
Description of problem:

Running systemd in the rhel7 container mostly works, except for

systemd-random-seed.service: main process exited, code=exited, status=1/FAILURE
[FAILED] Failed to start Load/Save Random Seed.
See 'systemctl status systemd-random-seed.service' for details.
Unit systemd-random-seed.service entered failed state.
systemd-random-seed.service failed.

which fails due to AVC denials.

Version-Release number of selected component (if applicable):

registry.access.redhat.com/rhel7 latest 93bb76ddeb7a 11 days ago 192.7 MB
under
docker-1.12.6-39.1.git6ffd653.el7.x86_64
oci-systemd-hook-0.1.8-4.1.gite533efa.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. docker run --rm -ti rhel7 /usr/sbin/init

Actual results:

# docker run --rm -ti rhel7 /usr/sbin/init
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux Server 7.3 (Maipo)!

Set hostname to <d571aa2ad1a3>.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Cannot add dependency job for unit sys-fs-fuse-connections.mount, ignoring: Unit is masked.
Cannot add dependency job for unit systemd-logind.service, ignoring: Unit is masked.
Cannot add dependency job for unit getty.target, ignoring: Unit is masked.
[  OK  ] Created slice Root Slice.
[  OK  ] Listening on Journal Socket.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
         Starting Journal Service...
[  OK  ] Reached target Swap.
[  OK  ] Reached target Remote File Systems.
         Starting Load/Save Random Seed...
[  OK  ] Reached target Encrypted Volumes.
         Starting Rebuild Hardware Database...
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Local File Systems.
         Starting Rebuild Journal Catalog...
systemd-random-seed.service: main process exited, code=exited, status=1/FAILURE
[FAILED] Failed to start Load/Save Random Seed.
See 'systemctl status systemd-random-seed.service' for details.
Unit systemd-random-seed.service entered failed state.
systemd-random-seed.service failed.
[  OK  ] Started Rebuild Hardware Database.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Rebuild Journal Catalog.
         Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Reached target Timers.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting Permit User Sessions...
[  OK  ] Started D-Bus System Message Bus.
         Starting D-Bus System Message Bus...
[  OK  ] Started Permit User Sessions.
         Starting Cleanup of Temporary Directories...
[  OK  ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Cleanup of Temporary Directories.
[  OK  ] Started Update UTMP about System Runlevel Changes.

and in audit.log

type=AVC msg=audit(1499073426.205:191): avc:  denied  { write } for  pid=25033 comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1499073426.205:192): avc:  denied  { write } for  pid=25033 comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1499073454.237:218): avc:  denied  { getattr } for  pid=25098 comm="tty" path="/dev/fuse" dev="devtmpfs" ino=12364 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file

Expected results:

No failed service, no AVC denial, systemd-random-seed.service not enabled by default.

Additional info:

While the fedora:24 image has the same problem, fedora:25 does not, as it does not enable systemd-random-seed.service. That's why I believe disabling / removing that service from the default rhel7 configuration is a step in the correct direction.
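
The AVC records above are what a defender has to triage. As an added example (not part of the bug report), the parser below extracts the source and target SELinux types, the denied permissions and the object class from such lines and groups them, which makes it plain that the failure is a container domain (svirt_lxc_net_t) writing /dev/urandom, the kind of denial addressed by not enabling the unit rather than by loosening policy. The sample input is the three records quoted above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the three audit.log records quoted in the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1499073426.205:191): avc:  denied  { write } for  pid=25033 comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1499073426.205:192): avc:  denied  { write } for  pid=25033 comm="systemd-random-" name="urandom" dev="devtmpfs" ino=4861 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1499073454.237:218): avc:  denied  { getattr } for  pid=25098 comm="tty" path="/dev/fuse" dev="devtmpfs" ino=12364 scontext=system_u:system_r:svirt_lxc_net_t:s0:c145,c1020 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
"""

# Fields of an AVC record; perms may list several, e.g. "{ read write }".
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type (third field) of a context such as system_u:system_r:svirt_lxc_net_t:s0."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse raw audit.log text into a list of AVC record dicts."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC line (SYSCALL, CWD, ...)
        records.append({
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            "comm": m.group("comm"),
            "source_type": selinux_type(m.group("scontext")),
            "target_type": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records

def summarize_denials(records):
    """Count denials by (source type, permission, target type, object class)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["source_type"], perm, r["target_type"], r["tclass"])] += 1
    return counts

def container_device_write_denials(records):
    """Denials where a container domain (svirt_lxc_*) tried to write a device node."""
    return [r for r in records if r["result"] == "denied" and "write" in r["perms"]
            and r["source_type"].startswith("svirt_lxc") and r["tclass"] == "chr_file"]
```

Feed it the output of `ausearch -m AVC --raw` (or the raw audit.log) to get the same grouping for a running host.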

Comment 5 Frantisek Kluknavsky 2017-07-03 15:04:38 UTC
Thank you for the report. Please try rhel7-init instead. It is rhel-server with cmd, stopsignal and a few masked services to run systemd out of the box.

Comment 7 errata-xmlrpc 2017-08-01 13:21:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2377