Bug 1724651
Field | Value
---|---
Summary | machined: Start job for unit machine-test.scope failed with 'failed'
Product | Red Hat Enterprise Linux 8
Component | selinux-policy
Status | CLOSED DUPLICATE
Severity | medium
Priority | medium
Version | 8.1
Target Milestone | rc
Target Release | 8.0
Hardware | Unspecified
OS | Unspecified
Reporter | Pavel Hrdina <phrdina>
Assignee | Zdenek Pytela <zpytela>
QA Contact | BaseOS QE Security Team <qe-baseos-security>
CC | dtardon, lvrabec, mmalik, plautrba, ssekidde, systemd-maint-list, yisun
Keywords | Triaged
Last Closed | 2020-06-03 11:53:27 UTC
Type | Bug

*** This bug has been marked as a duplicate of bug 1819121 ***
Created attachment 1585162: reproducer shell script

Description of problem:
When the cpuset controller is enabled together with cgroups v2, it will break systemd in a way that it's not able to move PIDs into scope cgroups. It will not break only for machined but it will stop working for other tasks; for example, if you ssh into the broken system, systemd will fail to start the user session.

Version-Release number of selected component (if applicable):
systemd-239-15.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run the attached reproducer; the first run after a clean reboot is successful.
2. Run the attached reproducer again; every other attempt will fail.

Actual results:
For some reason unknown to me (I did not spend too much time figuring it out) the first attempt will succeed and any other attempt will fail to move the process into the created scope.

Additional info:
Logs from journalctl:

    Jun 27 15:05:36 rhel8 systemd-machined[979]: New machine test.
    Jun 27 15:05:36 rhel8 systemd[1]: Started Virtual Machine test.
    Jun 27 15:05:36 rhel8 kvm[1877]: 1 guest now active
    Jun 27 15:05:38 rhel8 kvm[1881]: 0 guests now active
    Jun 27 15:05:38 rhel8 systemd-machined[979]: Machine test terminated.
    Jun 27 15:05:40 rhel8 systemd-machined[979]: New machine test.
    Jun 27 15:05:40 rhel8 systemd[1]: machine-test.scope: Failed to add PIDs to scope's control group: Permission denied
    Jun 27 15:05:40 rhel8 systemd[1]: machine-test.scope: Failed with result 'resources'.
    Jun 27 15:05:40 rhel8 systemd[1]: Failed to start Virtual Machine test.
    Jun 27 15:05:40 rhel8 systemd-machined[979]: Machine test terminated.
    Jun 27 15:05:40 rhel8 kvm[1898]: 1 guest now active
    Jun 27 15:05:42 rhel8 kvm[1902]: 0 guests now active
    Jun 27 15:05:44 rhel8 setroubleshoot[1904]: SELinux is preventing systemd from using the setsched access on a process. For complete SELinux messages run: sealert -l 99e33992-d11e-4c24-a13e-43769e85001e

From /var/log/audit/audit.log:

    type=AVC msg=audit(1561640992.773:174): avc: denied { setsched } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
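
The following is an added example, not part of the bug report or of any Red Hat tooling: a small parser for the AVC record quoted above. It converts the audit timestamp to UTC so it can be lined up with the journal entries, and splits the SELinux contexts without breaking the MLS range, which itself contains a colon. The function names `parse_avc`, `split_context` and `te_signature` are illustrative.

```python
import re
from datetime import datetime, timezone

# The AVC record quoted in the report, copied from the page.
SAMPLE = ('type=AVC msg=audit(1561640992.773:174): avc: denied { setsched } '
          'for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 '
          'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
          'tclass=process permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')

def split_context(ctx):
    """Split user:role:type[:mls]. Only the first three colons are field
    separators; the MLS range (e.g. s0-s0:c0.c1023) keeps its own colon."""
    user, role, setype, *mls = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype,
            'mls': mls[0] if mls else None}

def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; values may be double-quoted (comm="systemd").
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest'])}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'time': datetime.fromtimestamp(int(m['epoch']), tz=timezone.utc),
        'serial': int(m['serial']),
        'perms': m['perms'].split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=0 means the denial was enforced, not just logged.
        'enforced': m['result'] == 'denied' and fields.get('permissive') == '0',
    }

def te_signature(avc):
    """Key for grouping repeated denials: (source type, target type, class, perms)."""
    return (avc['source']['type'], avc['target']['type'],
            avc['tclass'], tuple(sorted(avc['perms'])))

if __name__ == '__main__':
    print(te_signature(parse_avc(SAMPLE)))
```
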