Bug 980574
| Summary: | git-daemon does not start under systemd because git.service needs to be a template unit | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Shea <dshea> | ||||||
| Component: | git | Assignee: | Jitka Plesnikova <jplesnik> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | rawhide | CC: | amessina, chalbersma.12, chrisw, fabrice, jbowes, pingou, puiterwijk, ralf, simon, suckfish, tmz, vonsch, wwoods, zbyszek | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | git-2.1.0-2.fc21 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | |||||||||
| : | 1135071 1246735 (view as bug list) | Environment: | |||||||
| Last Closed: | 2014-11-05 03:58:32 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1135071, 1246735 | ||||||||
| Attachments: |
|
||||||||
Note that this alone won't fix the git service, since access to the port appears to be blocked by current SELinux policy:
type=AVC msg=audit(1378750077.318:169825): avc: denied { name_bind } for pid=1 comm="systemd" src=9418 scontext=system_u:system_r:git_system_t:s0 tcontext=system_u:object_r:git_port_t:s0 tclass=tcp_socket
I feel like git_system_t should be allowed to access git_port_t, but maybe my labeling is off somewhere..
For what it's worth, on a fresh F20 system with my patch applied, I don't get a selinux denial for the port, but I can't get it to be able to read my home directory without mucking around with the policy (see bug 1034412) Ping? Ping ? @Chris, if you do not have the time, I can push the file name change and just rebuild the package. Having a gitd-daemon working on F21, rawhide would be nice :) ping? looks fine, resetting to default owner Chris, shall I do it, or are you doing it? Created attachment 950326 [details]
Patch fixing the issue described in this bug
I attached to this ticket a git format-patch to apply on master and fixing this bug (based on the patch from David Shea). I will push it in a few days if I do not hear anything against it :) Cheers! Why did you assign the BZ to me? I am not maintainer of git. Because you're the last one that touched the git spec since July and Chris Wright who is the default assignee in bugzilla git not touch it since:
> git.spec:* Fri Mar 30 2007 Chris Wright <chrisw> 1.5.0.6-1
I'm happy to pass the bug along, I'm just trying to get someone's attention to my patch to see if I should push it or not :)
pingou, please push it, but apply the following fixup: --- /usr/lib/systemd/system/git@.service 2014-09-08 04:44:45.000000000 -0400 +++ /etc/systemd/system/git@.service 2014-10-24 11:25:59.303000000 -0400 @@ -1,9 +1,8 @@ [Unit] Description=Git Repositories Server Daemon Documentation=man:git-daemon(1) -Wants=git.socket [Service] User=nobody -ExecStart=/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --export-all --user-path=public_git --syslog --inetd --verbose +ExecStart=-/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --export-all --user-path=public_git --syslog --inetd --verbose StandardInput=socket (Wants is not needed, and without the "-" all failed connections would leave the instance units hanging around.) Adjusted and pushed, thanks! Does anybody mind if I cherry-pick it in F21 and F20 to fix git-daemon? git-1.9.3-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/git-1.9.3-2.fc20 git-2.1.0-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/git-2.1.0-2.fc21 Package git-1.9.3-2.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing git-1.9.3-2.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-13885/git-1.9.3-2.fc20 then log in and leave karma (feedback). git-1.9.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. git-2.1.0-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 767889 [details] Make git service a template unit and ignore non-zero exit status Description of problem: Using the systemd unit files for git-daemon, the git service fails to start on connections to port 9418. This is because "Accept=true" in the .socket file expects a template unit for the service file, so this can be fixed by renaming git.service to git@.service. Version-Release number of selected component (if applicable): git-daemon-1.8.3.1-1.fc19.x86_64 How reproducible: Always Steps to Reproduce: 1. systemctl enable git.socket 2. Connect to 9418 Actual results: git.socket failed to queue service startup job (Maybe the service file is missing or not a template unit?): Invalid argument Additional info: It would also be helpful to add a - to the ExecStart command in the .service to prevent non-zero exit statuses from tripping things up. Attached a patch that renames git.service and adds a - to ExecStart.