Bug 2022041 - systemd-run --user --scope fails from ssh or getty since Fedora 35
Summary: systemd-run --user --scope fails from ssh or getty since Fedora 35
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 35
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-10 15:50 UTC by Rene Lehfeld
Modified: 2021-11-18 01:14 UTC (History)
14 users (show)

Fixed In Version: systemd-249.7-2.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-18 01:14:04 UTC
Type: Bug


Attachments (Terms of Use)
Fix scope activation from a user instance (4.09 KB, patch)
2021-11-11 23:17 UTC, Kir Kolyshkin
no flags Details | Diff

Description Rene Lehfeld 2021-11-10 15:50:08 UTC
Description of problem:
Since update of my PC to fedora 35, when I login to my PC via ssh or directly on a getty console, a simple command, e.g.

systemd-run --scope --user ls

return with the error:
Job failed. See "journalctl -xe" for details.

Nov 10 16:33:59 hostname systemd[198]: run-r6bdcfd10d55c4c78a19afbb516c04170.scope: No PIDs left to attach to the scope's control group, refusi>
Nov 10 16:33:59 hostname systemd[198]: run-r6bdcfd10d55c4c78a19afbb516c04170.scope: Failed with result 'resources'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit UNIT has entered the 'failed' state with result 'resources'.
Nov 10 16:33:59 container-lehfeld-f35-ci-rack2-1 systemd[198]: Failed to start /usr/bin/ls.
░░ Subject: A start job for unit UNIT has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has finished with a failure.
░░
░░ The job identifier is 104 and the job result is failed.


Version-Release number of selected component (if applicable):
systemd-249.6-2.fc35.x86_64


How reproducible:
In order to easier reproduce the problem, I used the ls command as an example.

Steps to Reproduce:
1. ssh localhost
2. systemd-run --user --scope ls
3.

Actual results:
Job failed. See "journalctl -xe" for details.


Expected results:
ls is getting executed and shows the content of the current folder. This used to work with fedora 34 on ssh and getty logins

Additional info:
According to my tests, this was still working on the pre-release of Fedora 35 when testing the same scenario on the 25th of october.

Comment 1 Rene Lehfeld 2021-11-10 15:52:09 UTC
One additional comment. When using gdm login, it works as expected. So something is not as expected with the user session for ssh and gettys I guess.

Comment 2 ojab 2021-11-11 09:02:38 UTC
Looks like I have the same issue after update to systemd-249.6-2.fc35.x86_64, 249.4-2.fc35 works fine (in my case it's not ssh, but a sway graphical session). 
Please check if it works for you after `dnf install systemd-249.4-2.fc35.x86_64` & reboot, I'll fill a separate bugreport if it's not the same.

Comment 4 Rene Lehfeld 2021-11-11 15:07:04 UTC
@ojab I just tested with the proposed version and problem disappeared. Thus it indeed looks like it is the very same problem.

Comment 5 Kir Kolyshkin 2021-11-11 16:56:00 UTC
This bug prevents runc to run rootless containers when systemd cgroup manager is used (https://github.com/opencontainers/runc/issues/3266).

Since the fix (https://github.com/systemd/systemd/pull/21298) was just merged upstream, it makes sense to update systemd in Fedora to fix this rather critical bug.

Comment 6 Kir Kolyshkin 2021-11-11 16:57:48 UTC
I have also tested the fix myself yesterday by rebuilding systemd-249.6-4 fc35 rpm with the same patch as in https://github.com/systemd/systemd/pull/21298, and it fixed the issue.

Comment 7 Kir Kolyshkin 2021-11-11 23:17:08 UTC
Created attachment 1841294 [details]
Fix scope activation from a user instance

Here's the fix.

Comment 8 ojab 2021-11-11 23:24:36 UTC
Like @ retweet https://github.com/systemd/systemd-stable/pull/142
Without openssl-3.0 fixes it would fail on rawhide and `creds-util: switch to OpenSSL 3.0 APIs` commit couldn't be applied cleanly to the `-stable`, so no PR to systemd.spec because dunno how it should be handled there.

Comment 9 Kir Kolyshkin 2021-11-11 23:46:22 UTC
I'm not quite sure how to propose package updates, so I have created PRs:

 - rawhide: https://src.fedoraproject.org/rpms/systemd/pull-request/65
 - f35:     https://src.fedoraproject.org/rpms/systemd/pull-request/66

Comment 10 Fedora Update System 2021-11-14 16:11:48 UTC
FEDORA-2021-a77b44ab13 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a77b44ab13

Comment 11 Fedora Update System 2021-11-15 13:45:22 UTC
FEDORA-2021-a77b44ab13 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a77b44ab13

Comment 12 Fedora Update System 2021-11-16 15:51:39 UTC
FEDORA-2021-a77b44ab13 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a77b44ab13`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a77b44ab13

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Rene Lehfeld 2021-11-17 16:53:41 UTC
Many thanks for the update. I tested the rpm in testing and it is working for me.

Comment 14 Fedora Update System 2021-11-18 01:14:04 UTC
FEDORA-2021-a77b44ab13 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.