Bug 2251843 - Journalctl --user returns no log entries for IDM users (i.e. users with high uids)
Status: POST
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 39
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-11-28 03:03 UTC by Rodney Morris
Modified: 2024-01-26 16:53 UTC (History)

Fixed In Version: systemd-255.3-1.fc40
Last Closed: 2024-01-26 00:03:12 UTC

Description Rodney Morris 2023-11-28 03:03:28 UTC
journalctl --user returns no log entries for IDM users in my IDM realm for fresh installs of Fedora 39 or Fedora systems upgraded to Fedora 39.  As of October 14, 2023, journalctl --user returns the user logs for IDM users on Fedora 38 and earlier systems.    

Having no user-accessible log entries for IDM users breaks programs for IDM users that depend on user logs for information (e.g., distrobox) and makes debugging programs harder, as the IDM user has no access to any crash information. For example, distrobox stalls on initial container initialization and on destruction of a container with an exported app because it depends on user logs for progress through those tasks.


Reproducible: Always

Steps to Reproduce:
1. Install Fedora 39 or upgrade system to Fedora 39;
2. Join system to IDM (freeipa or Red Hat Identity Management);
3. Sign in as an IDM user;
4. Open a terminal; and
5. Type "journalctl --user"
Actual Results:  
On a newly installed system:

---Begin Output---

rmorris@regina:/var/home/rmorris$ id
uid=1518400001(rmorris) gid=1518400001(rmorris) groups=1518400001(rmorris),1518400006(media),1518400007(sysadmins),1518500500(virtaccess) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

rmorris@regina:/var/home/rmorris$ journalctl --user
Hint: You are currently not seeing messages from the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
No journal files were opened due to insufficient permissions.

---End Output---

On a system upgraded to Fedora 39, the log entries for the IDM user before the system upgrade are displayed.  No subsequent user log entries are shown.

Expected Results:  
In both cases (new install or system upgrade), the IDM user logs should have been displayed.

Realm IDM range: 1518400000 - 1518599999
Realm IDM range randomly selected on IDM (here, freeipa) install in 2016.

IDM users not being able to access logs likely stems from the following commit that tosses IDM user log entries into the system log because of overlap in IDM uids with those of systemd-nspawn:

https://github.com/systemd/systemd/commit/115d5145a257c1a27330acf9f063b5f4d910ca4d

(h/t: Chris Williams on the Fedora Discussion Forum for finding the commit.)
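
The following is an added example, not part of the bug report and not systemd's code: a small model of which journal file a UID's entries land in, with and without the container-range rule the report attributes to the cited commit. The range constants are assumptions taken from systemd's documented UID allocation (they do not appear on this page), and the function names are hypothetical.

```python
# Added example: models the journal split described in this report.
# Range constants are assumptions from systemd's documented UID allocation,
# not values stated in the bug report.
SYSTEM_UID_MAX = 999                        # common distro default; build-time setting
DYNAMIC_UIDS = range(61184, 65520)          # DynamicUser= allocations
UID_NOBODY = 65534
CONTAINER_UIDS = range(524288, 1879048192)  # systemd-nspawn user-namespace range


def journal_for(uid, containers_to_system=True):
    """Return the journal file name this model assigns to a UID.

    containers_to_system=True models the behaviour the report attributes to
    the cited commit; False models the earlier behaviour.
    """
    to_system = (
        uid <= SYSTEM_UID_MAX
        or uid in DYNAMIC_UIDS
        or uid == UID_NOBODY
        or (containers_to_system and uid in CONTAINER_UIDS)
    )
    return "system.journal" if to_system else f"user-{uid}.journal"


def overlap(id_start, id_end):
    """Inclusive part of [id_start, id_end] inside the container range, or None."""
    lo = max(id_start, CONTAINER_UIDS.start)
    hi = min(id_end, CONTAINER_UIDS.stop - 1)
    return (lo, hi) if lo <= hi else None


if __name__ == "__main__":
    # Values from the report: the realm's ID range and the reporter's uid.
    realm = (1518400000, 1518599999)
    print("realm overlap with container range:", overlap(*realm))
    for uid in (1000, 1518400001):
        print(uid, journal_for(uid, False), "->", journal_for(uid, True))
```

Running `overlap()` against a directory's configured ID range shows how many accounts lose their per-user journal under this rule; entries routed to the system journal are readable only by members of the groups named in the journalctl hint above.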

Comment 1 Zbigniew Jędrzejewski-Szmek 2024-01-09 11:02:36 UTC
I created a patch to revert part of the change: https://github.com/systemd/systemd/pull/30846.
The solution is not great, but it should restore behaviour for users.

Comment 2 Fedora Update System 2024-01-25 16:36:59 UTC
FEDORA-2024-d59a82cc50 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-d59a82cc50

Comment 3 Fedora Update System 2024-01-26 00:03:12 UTC
FEDORA-2024-d59a82cc50 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Zbigniew Jędrzejewski-Szmek 2024-01-26 16:53:21 UTC
Reopening for F39.

