Bug 1631794

Summary: silverblue boot shows multiple errors from tmpfiles from missing users
Product: [Fedora] Fedora Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: rpm-ostreeAssignee: Colin Walters <walters>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29CC: dustymabe, jlebon, jonathan, miabbott, walters
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-21 15:57:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Zbigniew Jędrzejewski-Szmek 2018-09-21 15:07:33 UTC 
Description of problem:
I'm testing F29-beta5 amd64 silverblue image under qemu.
I get errors in the logs from rpm-ostree.

$ journalctl -b -t systemd-tmpfiles --no-hostname 
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "group:adm:r--,group:wheel:r--": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "group::r-x,group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:50 systemd-tmpfiles[229]: Failed to parse ACL "group:adm:r--,group:wheel:r--": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: [/usr/lib/tmpfiles.d/systemd.conf:11] Unknown group 'utmp'.
Sep 21 15:51:51 systemd-tmpfiles[498]: [/usr/lib/tmpfiles.d/systemd.conf:25] Unknown group 'systemd-journal'.
Sep 21 15:51:51 systemd-tmpfiles[498]: [/usr/lib/tmpfiles.d/systemd.conf:26] Unknown group 'systemd-journal'.
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "group:adm:r--,group:wheel:r--": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: [/usr/lib/tmpfiles.d/systemd.conf:32] Unknown group 'systemd-journal'.
Sep 21 15:51:51 systemd-tmpfiles[498]: [/usr/lib/tmpfiles.d/systemd.conf:33] Unknown group 'systemd-journal'.
Sep 21 15:51:51 systemd-tmpfiles[498]: [/usr/lib/tmpfiles.d/systemd.conf:34] Unknown group 'systemd-journal'.
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "group::r-x,group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "group:adm:r-x,group:wheel:r-x": Invalid argument. Ignoring
Sep 21 15:51:51 systemd-tmpfiles[498]: Failed to parse ACL "group:adm:r--,group:wheel:r--": Invalid argument. Ignoring
Sep 21 15:51:52 systemd-tmpfiles[607]: [/usr/lib/tmpfiles.d/mdadm.conf:1] Line references path below legacy directory /var/run/, updating /var/run/mdadm → /run/mdadm; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:52 systemd-tmpfiles[607]: [/usr/lib/tmpfiles.d/pptp.conf:1] Line references path below legacy directory /var/run/, updating /var/run/pptp → /run/pptp; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:52 systemd-tmpfiles[607]: [/usr/lib/tmpfiles.d/samba.conf:1] Line references path below legacy directory /var/run/, updating /var/run/samba → /run/samba; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:52 systemd-tmpfiles[607]: [/usr/lib/tmpfiles.d/spice-vdagentd.conf:2] Line references path below legacy directory /var/run/, updating /var/run/spice-vdagentd → /run/spice-vdagentd; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:52 systemd-tmpfiles[607]: [/etc/tmpfiles.d/vpnc.conf:1] Line references path below legacy directory /var/run/, updating /var/run/vpnc → /run/vpnc; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:53 systemd-tmpfiles[667]: [/usr/lib/tmpfiles.d/mdadm.conf:1] Line references path below legacy directory /var/run/, updating /var/run/mdadm → /run/mdadm; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:53 systemd-tmpfiles[667]: [/usr/lib/tmpfiles.d/pptp.conf:1] Line references path below legacy directory /var/run/, updating /var/run/pptp → /run/pptp; please update the tmpfiles.d/ drop-in file accordingly.
Sep 21 15:51:53 systemd-tmpfiles[667]: [/usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf:3] Duplicate line for path "/var/spool/cups/tmp", ignoring.
Sep 21 15:51:53 systemd-tmpfiles[667]: [/usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf:33] Duplicate line for path "/var/cache/man", ignoring.
Sep 21 15:51:53 systemd-tmpfiles[667]: [/usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf:83] Duplicate line for path "/var/lib/portables", ignoring.
Sep 21 15:51:53 systemd-tmpfiles[667]: [/usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf:85] Duplicate line for path "/var/lib/dbus", ignoring.

Those users are indeed not defined:
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
fedora:x:1000:1000:fedora:/home/fedora:/bin/bash

The tmpfiles should be adjusted to not have duplicates, and the missing users should be added so that e.g. journalctl can show system logs for normal users.

Version-Release number of selected component (if applicable):
Fedora-Silverblue-ostree-x86_64-29_Beta-1.5.iso
Comment 1 Jonathan Lebon 2018-09-21 15:34:14 UTC 
OK, there are two things at play here.

The duplicate warnings are due to the way rpm-ostree works. We auto-generate tmpfiles entries for `/var` directories because the OSTree model requires `/var` to be empty. Right now, we don't really check if the entries we synthesize are already included in other tmpfiles configs from other packages. We *could* do that, though not sure of the cost/benefit given that dupes are safely ignored.

> Those users are indeed not defined:

They should be in `/usr/lib/{passwd,group}`. See https://ostree.readthedocs.io/en/latest/manual/adapting-existing/#usrlibpasswd.

Those errors shouldn't happen post-pivot -- can you confirm that they come from systemd-tmpfiles in the initramfs?
Comment 2 Zbigniew Jędrzejewski-Szmek 2018-09-21 15:47:20 UTC 
> Those errors shouldn't happen post-pivot -- can you confirm that they come from systemd-tmpfiles in the initramfs?

Indeed, this was in the initramfs. I guess we might want to exclude that tmpfiles config from the initramfs, but that's something to handle in systemd.

I can confirm that e.g. wheel and adm groups are resolved properly by 'getent group'

> We auto-generate tmpfiles entries for `/var` directories because the OSTree model requires `/var` to be empty.

Ack. I'd like to see a completely error-free boot, but this is indeed minor issue.

I see another mini-problem though:
$ ls -l /usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf
-rw-------. 2 root root 6134 Jan  1  1970 /usr/lib/tmpfiles.d/rpm-ostree-1-autovar.conf

The permissions should be rw-r--r-- so that users don't see errors.

Feel free to close this though bug though, it seems that things are working mostly as intended.
Comment 3 Colin Walters 2018-09-21 15:52:59 UTC 
https://github.com/projectatomic/rpm-ostree/pull/1571