Bug 1913962

Summary: "dnf needs-restarting -r" works incorrectly inside systemd-nspawn containers
Product: Red Hat Enterprise Linux 8
Reporter: Gena Makhomed <makhomed>
Component: dnf-plugins-core
Assignee: Nicola Sella <nsella>
Status: CLOSED ERRATA
QA Contact: Jan Blazek <jblazek>
Severity: high
Priority: medium
Version: 8.3
CC: dstreit, james.antill, makhomed, nsella, pkratoch
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dnf-plugins-core-4.0.21-1.el8
Doc Type: If docs needed, set a value
Last Closed: 2021-11-09 19:52:16 UTC
Type: Bug
Bug Depends On: 1951414

Description Gena Makhomed 2021-01-07 21:06:02 UTC
Description of problem:

"dnf needs-restarting -r" works incorrectly inside systemd-nspawn containers

Version-Release number of selected component (if applicable):

binary: python3-dnf-plugins-core-4.0.17-5.el8.noarch.rpm
source: dnf-plugins-core-4.0.17-5.el8.src.rpm

How reproducible:

always

Steps to Reproduce:

1. Install RHEL 8.3 / CentOS 8.3 on host, install systemd-container package on host:

dnf install systemd-container

2. Install RHEL 8.3 / CentOS 8.3 inside systemd-nspawn container:

yum --installroot=/var/lib/machines/test --releasever=8 install dnf python3-dnf-plugins-core systemd

3. start container test:

machinectl start test

4. enter inside container test:

machinectl shell test

5. check if container needs restarting:

dnf needs-restarting -r

Actual results:

# dnf needs-restarting -r
Core libraries or services have been updated since boot-up:
  * dbus
  * dbus-daemon
  * glibc
  * systemd

Reboot is required to fully utilize these updates.

Expected results:

# dnf needs-restarting -r
No core libraries or services have been updated since boot-up.
Reboot should not be necessary.

Additional info:

The cause of the bug is located in the file:

/usr/lib/python3.6/site-packages/dnf-plugins/needs_restarting.py

Linus Torvalds says: "Talk is cheap. Show me the code".

Ok.

Patch to solve this bug:

After this patch, the command "dnf needs-restarting -r" will work correctly
inside and outside systemd-nspawn containers.

The first process start time could be used as container/host start time:

 int(os.stat('/proc/1/cmdline').st_mtime)

/proc/1/cmdline is a virtual file in procfs whose creation date is the same
as the container creation date, or the Linux host boot time if no containers are used.

--- needs_restarting.py.orig    2020-08-12 00:06:14.000000000 +0300
+++ needs_restarting.py 2021-01-07 22:27:20.779006509 +0200
@@ -174,11 +174,7 @@

     @staticmethod
     def get_boot_time():
-        with open('/proc/stat') as stat_file:
-            for line in stat_file.readlines():
-                if not line.startswith('btime '):
-                    continue
-                return int(line[len('btime '):].strip())
+        return int(os.stat('/proc/1/cmdline').st_mtime)

     @staticmethod
     def get_sc_clk_tck():
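
Review bot: In get_boot_time(), the new os.stat('/proc/1/cmdline') call is unguarded, so an OSError from procfs would propagate out of the plugin; consider catching it and falling back to the removed btime parsing from /proc/stat. The hunk also does not show an import of os, so confirm the module already imports it, and add a short docstring stating that the mtime of PID 1's procfs entry is taken as the container or host start time, since that is no longer obvious from the code.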

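A simplified model of the check discussed in the description above, added here as an example (it is not the plugin's code or the reporter's patch). It assumes a package is flagged when its install time is later than the boot time; the function names, timestamps and sample /proc/stat text are constructed for illustration.

```python
import os

# Package names taken from the "Actual results" output in the report.
CORE_PACKAGES = ("dbus", "dbus-daemon", "glibc", "systemd")

def btime_from_proc_stat(text):
    """Old source: the 'btime' line of /proc/stat (epoch seconds)."""
    for line in text.splitlines():
        if line.startswith("btime "):
            return int(line[len("btime "):].strip())
    return None  # no btime line present

def pid1_start_time(path="/proc/1/cmdline"):
    """Source proposed in the report: mtime of PID 1's procfs entry."""
    try:
        return int(os.stat(path).st_mtime)
    except OSError:
        return None  # procfs not mounted or entry not accessible

def updated_since(install_times, boot_time):
    """Assumed rule: a package counts as updated if installed after boot_time."""
    if boot_time is None:
        raise ValueError("boot time unknown")
    return sorted(name for name, t in install_times.items() if t > boot_time)

def compare(proc_stat_text, pid1_start, install_times):
    """Packages flagged under each boot-time source."""
    return {
        "btime": updated_since(install_times, btime_from_proc_stat(proc_stat_text)),
        "pid1": updated_since(install_times, pid1_start),
    }

# Constructed timeline: the host boots, packages are installed into the container
# root one hour later, and the container starts one hour after that.
SAMPLE_PROC_STAT = "cpu  4705 150 1120 16250 520 0 30 0 0 0\nbtime 1610000000\nprocesses 2915\n"
SAMPLE_INSTALL_TIMES = {name: 1610003600 for name in CORE_PACKAGES}
SAMPLE_PID1_START = 1610007200

if __name__ == "__main__":
    print("sample:", compare(SAMPLE_PROC_STAT, SAMPLE_PID1_START, SAMPLE_INSTALL_TIMES))
    # Live values on this machine; per the report they differ inside a container.
    try:
        with open("/proc/stat") as f:
            print("btime:", btime_from_proc_stat(f.read()))
    except OSError:
        print("btime: /proc/stat not readable")
    print("pid1 :", pid1_start_time())
```
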
Comment 1 Nicola Sella 2021-01-13 10:01:46 UTC
Hello, thanks for the detailed explanation and solution proposed.

I am trying to reproduce the bug, but I am getting an error

$ machinectl start test
Job for systemd-nspawn failed because the control process exited with error code.
See "systemctl status systemd-nspawn" and "journalctl -xe" for details.

The error is related to SELinux policies, so I have to set SELinux to Permissive to get through this error. Then, the bug seems reproducible.
Do you have any specific SELinux configuration? I would like to reproduce it with your configuration if possible.

Thank you

Comment 2 Gena Makhomed 2021-01-13 11:42:00 UTC
(In reply to nsella from comment #1)
> I am trying to reproduce the bug, but I am getting an error
> 
> $ machinectl start test
> Job for systemd-nspawn failed because the control process
> exited with error code.
> See "systemctl status systemd-nspawn" and "journalctl -xe" for
> details.
> 
> The error is related to SELinux policies, so I have to set SELinux
> Permissive to get through this error. Then, the bug seems reproducible. 
> Do you have any specific SELinux configuration? I would like to reproduce it
> with your configuration if possible.

Yes, sorry, I forgot to write about SELinux.

I reproduce this bug with SELinux disabled:

1. Install RHEL 8.3 / CentOS 8.3 on host, install systemd-container package on host:

dnf install systemd-container

1.1. disable SELinux in /etc/selinux/config, write SELINUX=disabled

1.2. reboot

2. Install RHEL 8.3 / CentOS 8.3 inside systemd-nspawn container:

dnf --installroot=/var/lib/machines/test --releasever=8 install dnf python3-dnf-plugins-core systemd

...

Comment 3 Nicola Sella 2021-01-13 15:14:01 UTC
I added a PR with your patch
https://github.com/rpm-software-management/dnf-plugins-core/pull/422

Comment 12 errata-xmlrpc 2021-11-09 19:52:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464