Bug 890376
Summary: | Use KillMode=process for the sshd.service | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | GV <rhel> |
Component: | openssh | Assignee: | Petr Lautrbach <plautrba> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 18 | CC: | i, johannbg, lnykryn, mattias.ellert, metherid, mgrepl, mschmidt, msekleta, notting, plautrba, systemd-maint, tmraz, vpavlin |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-04-26 00:57:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
GV
2012-12-26 19:19:29 UTC
Do you have pam_systemd.so in /etc/pam.d/system-auth and /etc/pam.d/password-auth configuration files? Yes, I have. The problem was dbus. It was not started. And because of this systemd-logind was not running. Once I start the dbus service the update worked fine. Still, I don't think is normal that openssh + yum update to behave like this if dbus/systemd-logind is not running. We can't do much about this in openssh (well we could remove the restart of sshd in the openssh-server %post, but that would break years long practice of restarting daemons after it is updated). So this should be made more robust in systemd I suppose. No. Please don't do that. That would be madness! And I agree, systemd should handle this. (In reply to comment #2) > The problem was dbus. It was not started. The dbus package is required by systemd and dbus.service is enabled statically. Do you know why it was not started? Was the unit masked? (In reply to comment #3) > We can't do much about this in openssh (well we could remove the restart of > sshd in the openssh-server %post, but that would break years long practice > of restarting daemons after it is updated). One option could be to set KillMode=process in the [Service] section of sshd.service (see man systemd.kill). > So this should be made more robust in systemd I suppose. It's not obvious to me how. logind is needed to move the process to the /user/$USER/$SESSION_ID cgroup in the systemd hierarchy. This way the process ceases to be a part of sshd.service. Suppose that pam_systemd detects a failure to communicate with logind. Currently it just logs the error and returns an error code to the caller. What action should it take to make it more robust? Should it move the process by itself to some fallback cgroup? I think that would be weird behaviour. > The dbus package is required by systemd and dbus.service is enabled > statically. dbus may not run for various reasons. It could crash. Being required to run not necessarily mean it will run all the time. > Do you know why it was not started? Because it was masked for some test I forget about when I filled the bug. Because those days X start most of the time before every service is started I was unable to see the error message from terminal. > It's not obvious to me how. Well, before systemd this was not an issue. Why is this a problem now? (In reply to comment #6) > Well, before systemd this was not an issue. Why is this a problem now? It's due to the way systemd stops services by default (by signalling the whole cgroup). See the man page I referenced in my previous comment. (In reply to comment #5) > One option could be to set KillMode=process in the [Service] section of > sshd.service (see man systemd.kill). Yes, that seems like an obvious workaround which should be applied. I'm moving this bug back to openssh. There's a scenario for this to happen not just when dbus is dead. You just need to use non-default DefaultControllers= in systemd/system.conf The default value is cpu, but I'm using cpu memory blkio Then, for the default values in logind.conf (ResetControllers=cpu, Controllers=) we have logind moving children to / in cpu:, but leaving them in sshd.service in memory: and blkio: But I will probably agree with you when you'll tell me that such setup is wrong, and [Reset]Controllers in logind.conf shall match [Default]Controllers in systemd/sshd.service. (In reply to comment #9) > There's a scenario for this to happen not just when dbus is dead. > You just need to use non-default DefaultControllers= in systemd/system.conf I don't know why this influences what gets killed. Looks like a systemd bug. openssh-6.2p1-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/openssh-6.2p1-3.fc19 openssh-6.1p1-7.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/openssh-6.1p1-7.fc18 Package openssh-6.1p1-7.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openssh-6.1p1-7.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-5918/openssh-6.1p1-7.fc18 then log in and leave karma (feedback). openssh-6.2p1-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. openssh-6.1p1-8.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |