Bug 1645308 - No user slice created for non-root users
Summary: No user slice created for non-root users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_nis
Version: 29
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Matej Mužila
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1647911
Reported: 2018-11-01 22:05 UTC by whatdoineed2do
Modified: 2018-11-19 21:55 UTC (History)

Fixed In Version: nss_nis-3.0-8.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1647911 (view as bug list)
Environment:
Last Closed: 2018-11-19 21:55:52 UTC
Type: Bug
Embargoed:



Description whatdoineed2do 2018-11-01 22:05:51 UTC
Description of problem:
No user slice created when non root user logs in to minimal install of F29 - running in VM.

Version-Release number of selected component (if applicable):
F29

How reproducible:
Every time

Steps to Reproduce:
1. login
2. check systemd-cgls

Actual results:
Non-root login (no user slice)
---
$ systemd-cgls
Control group /:
-.slice
├─init.scope
│ └─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 33
└─system.slice
  ├─systemd-udevd.service
  │ └─477 /usr/lib/systemd/systemd-udevd
  ├─nfs-mountd.service
  │ └─757 /usr/sbin/rpc.mountd
  ├─vgauthd.service
  │ └─548 /usr/bin/VGAuthService -s
  ├─polkit.service
  │ └─632 /usr/lib/polkit-1/polkitd --no-debug
  ├─chronyd.service
  │ └─557 /usr/sbin/chronyd
  ├─auditd.service
  │ └─529 /sbin/auditd
  ├─systemd-journald.service
  │ └─445 /usr/lib/systemd/systemd-journald
  ├─sshd.service
  │ ├─603 /usr/sbin/sshd -D -oCiphers=aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm@opens>
  │ ├─803 sshd: me [priv]
  │ ├─805 sshd: me@pts/0
  │ ├─806 -bash
  │ ├─832 systemd-cgls
  │ └─833 less
  ├─NetworkManager.service
  │ ├─584 /usr/sbin/NetworkManager --no-daemon
  │ └─733 /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-ens33.pid -lf /var/lib/NetworkManager/dhclie>
  ├─rpc-statd.service
  │ └─751 /usr/sbin/rpc.statd
  ├─gssproxy.service
  │ └─776 /usr/sbin/gssproxy -D
  ├─firewalld.service
  │ └─560 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
  ├─vmtoolsd.service
  │ └─553 /usr/bin/vmtoolsd
  ├─rpcbind.service
  │ └─524 /usr/bin/rpcbind -w -f
  ├─sssd.service
  │ ├─550 /usr/sbin/sssd -i --logger=files
  │ ├─577 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
  │ └─583 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
  ├─nfs-idmapd.service
  │ └─528 /usr/sbin/rpc.idmapd
  ├─lvm2-lvmetad.service
  │ └─469 /usr/sbin/lvmetad -f -t 3600
  ├─ypbind.service
  │ └─573 /usr/sbin/ypbind -n
  ├─dbus.service
  │ └─552 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  ├─system-getty.slice
  │ └─getty
  │   └─801 /sbin/agetty -o -p -- \u --noclear tty1 linux
  └─systemd-logind.service
    └─792 /usr/lib/systemd/systemd-logind
$ id
uid=500(me) gid=100(users) groups=100(users),1000(pi)
$ 
---

Root login, creates user slice for root.
---
# systemd-cgls
Control group /:
-.slice
├─user.slice
│ └─user-0.slice
│   ├─session-2.scope
│   │ ├─835 sshd: root [priv]
│   │ ├─844 sshd: root@pts/0
│   │ ├─845 -bash
│   │ ├─866 systemd-cgls
│   │ └─867 less
│   └─user
│     └─init.scope
│       ├─838 /usr/lib/systemd/systemd --user
│       └─839 (sd-pam)
├─init.scope
│ └─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 33
└─system.slice
 ...

Expected results:
User slice to be available - these are the results from the VM host running F28

$ systemd-cgls 
Control group /:
-.slice
├─user.slice
│ └─user-500.slice
│   ├─user
│   │ ├─gvfs-goa-volume-monitor.service
│   │ │ └─2387 /usr/libexec/gvfs-goa-volume-monitor
│   │ ├─pulseaudio.service
│   │ │ └─2338 /usr/bin/pulseaudio --daemonize=no
│   │ ├─gvfs-daemon.service
│   │ │ ├─2124 /usr/libexec/gvfsd
│   │ │ ├─2129 /usr/libexec/gvfsd-fuse /run/user/500/gvfs -f -o big_writes
│   │ │ └─2577 /usr/libexec/gvfsd-trash --spawner :1.5 /org/gtk/gvfs/exec_spaw/0
│   │ ├─gvfs-udisks2-volume-monitor.service
│   │ │ └─2330 /usr/libexec/gvfs-udisks2-volume-monitor
│   │ ├─init.scope
│   │ │ ├─2040 /usr/lib/systemd/systemd --user
│   │ │ └─2041 (sd-pam)
│   │ ├─gvfs-gphoto2-volume-monitor.service
│   │ │ └─2379 /usr/libexec/gvfs-gphoto2-volume-monitor
│   │ ├─at-spi-dbus-bus.service
│   │ │ ├─2219 /usr/libexec/at-spi-bus-launcher
│   │ │ ├─2224 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
│   │ │ └─2226 /usr/libexec/at-spi2-registryd --use-gnome-session
│   │ ├─gvfs-metadata.service
│   │ │ └─2587 /usr/libexec/gvfsd-metadata
│   │ ├─dbus.service
│   │ │ ├─2058 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
│   │ │ ├─2121 /usr/libexec/imsettings-daemon
│   │ │ ├─2302 /usr/libexec/dconf-service
│   │ │ ├─2391 /usr/libexec/goa-daemon
│   │ │ ├─2398 /usr/libexec/goa-identity-service
│   │ │ └─2901 /usr/libexec/gconfd-2
│   │ ├─gvfs-mtp-volume-monitor.service
│   │ │ └─2383 /usr/libexec/gvfs-mtp-volume-monitor
│   │ └─gvfs-afc-volume-monitor.service
│   │   └─2374 /usr/libexec/gvfs-afc-volume-monitor
│   └─session-2.scope
│     ├─2027 lightdm --session-child 12 19
│     ├─2046 cinnamon-session -


Additional info:
F29 has no local users created - user credentials on via NIS served from the F28 machine.

Comment 1 James Szinger 2018-11-06 16:40:06 UTC
This might be caused by changes to the systemd-logind.service RestrictAddressFamilies default in F29.  I created an override and it now works for me. 

# /etc/systemd/system/systemd-logind.service.d/nss_nis.conf
[Service]
IPAddressAllow=any
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6

If this works for you then the fix belongs in nss_nis
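
Added example, not part of the bug report or of nss_nis: a shell check for the mismatch diagnosed in comment 1, where passwd lookups go through NIS while systemd-logind's RestrictAddressFamilies= does not admit AF_INET/AF_INET6. The function names are hypothetical; the value syntax follows systemd.exec(5), and checking both families mirrors the override above.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# RestrictAddressFamilies= syntax per systemd.exec(5): space-separated
# families; a leading "~" makes it a deny-list; empty means unrestricted.

family_allowed() {       # $1 = RestrictAddressFamilies value, $2 = family
    value=$1
    if [ -z "$value" ]; then return 0; fi
    deny=0
    case $value in
        "~"*) deny=1; value=${value#"~"} ;;
    esac
    listed=0
    for f in $value; do
        if [ "$f" = "$2" ]; then listed=1; fi
    done
    # allow-list: permitted only if listed; deny-list: only if not listed
    [ "$listed" -ne "$deny" ]
}

uses_nis() {             # $1 = nsswitch.conf path; true if passwd: lists nis
    grep -Eq '^[[:space:]]*passwd:(.*[[:space:]])?nis([[:space:]]|$)' "$1"
}

logind_nis_verdict() {   # $1 = RestrictAddressFamilies value, $2 = nsswitch.conf
    if ! uses_nis "$2"; then echo "not-applicable"; return 0; fi
    for fam in AF_INET AF_INET6; do
        if ! family_allowed "$1" "$fam"; then
            echo "blocked:$fam"    # logind cannot open this socket family
            return 1
        fi
    done
    echo "ok"
}

# On a live host (assumes a systemctl that supports --value):
#   logind_nis_verdict "$(systemctl show -p RestrictAddressFamilies --value \
#       systemd-logind.service)" /etc/nsswitch.conf
```

A "blocked" verdict on a NIS client matches the symptom in this report. The override in comment 1 clears it by widening logind's socket sandbox, so the drop-in is worth keeping only on hosts that actually resolve users over the network.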

Comment 2 whatdoineed2do 2018-11-06 20:10:20 UTC
(In reply to James Szinger from comment #1)
> This might be caused by changes to the systemd-logind.service
> RestrictAddressFamilies default in F29.  I created an override and it now
> works for me. 
> 
> # /etc/systemd/system/systemd-logind.service.d/nss_nis.conf
> [Service]
> IPAddressAllow=any
> RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> 
> If this works for you then the fix belongs in nss_nis

Perfect.  Yes, this fixes the issue for me: user slice now exists.

Comment 4 Fedora Update System 2018-11-09 14:26:39 UTC
nss_nis-3.0-8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-08d9ec5bd1

Comment 5 Fedora Update System 2018-11-10 05:01:00 UTC
nss_nis-3.0-8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-08d9ec5bd1

Comment 6 Zbigniew Jędrzejewski-Szmek 2018-11-14 15:40:23 UTC
Ack. That's not very pretty, but I think it's the appropriate solution in this case.

Comment 7 Matej Mužila 2018-11-15 13:26:16 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #6)
> Ack. That's not very pretty, but I think it's the appropriate solution in
> this case.

This solution was proposed by systemd [1-2].

[1] https://github.com/systemd/systemd/pull/9076/commits/a161a3c0083b8d0a8129c2dd9b502ea0b1d924c1
[2] https://github.com/systemd/systemd/issues/9072

Comment 8 Fedora Update System 2018-11-19 21:55:52 UTC
nss_nis-3.0-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

