Comment # 1 on bug 1224120 from Andrei Borzenkov
(In reply to Matej Cepl from comment #0)
> 
> I don’t see any actual negative effects.
> 

For snapper it means stale systemd-boot loader entries are not removed.

10:~ # systemctl --no-pager --full  status snapper-cleanup.service
○ snapper-cleanup.service - Daily Cleanup of Snapper Snapshots
     Loaded: loaded (/usr/lib/systemd/system/snapper-cleanup.service; static)
     Active: inactive (dead) since Fri 2024-05-10 15:26:13 MSK; 2min 57s ago
   Duration: 5.210s
TriggeredBy: ● snapper-cleanup.timer
       Docs: man:snapper(8)
             man:snapper-configs(5)
    Process: 1558 ExecStart=/usr/lib/snapper/systemd-helper --cleanup (code=exited, status=0/SUCCESS)
   Main PID: 1558 (code=exited, status=0/SUCCESS)
        CPU: 40ms

May 10 15:26:08 10.0.2.15 systemd[1]: Started Daily Cleanup of Snapper Snapshots.
May 10 15:26:08 10.0.2.15 systemd-helper[1558]: running cleanup for 'root'.
May 10 15:26:08 10.0.2.15 systemd-helper[1558]: running number cleanup for 'root'.
May 10 15:26:13 10.0.2.15 systemd-helper[1558]: running timeline cleanup for 'root'.
May 10 15:26:13 10.0.2.15 systemd-helper[1558]: running empty-pre-post cleanup for 'root'.
May 10 15:26:13 10.0.2.15 systemd[1]: snapper-cleanup.service: Deactivated successfully.
10:~ # 

10:~ # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts boot
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.102:141): avc:  denied  { unlink } for  pid=1583 comm="bootctl" name="opensuse-microos-6.8.1-1-default-1.conf" dev="sda2" ino=49 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.222:142): avc:  denied  { unlink } for  pid=1609 comm="bootctl" name="opensuse-microos-6.8.1-1-default-2.conf" dev="sda2" ino=50 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.369:143): avc:  denied  { unlink } for  pid=1635 comm="bootctl" name="initrd-25524e3baa37a82db7896897867f56db6e135865" dev="sda2" ino=92 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.369:144): avc:  denied  { unlink } for  pid=1635 comm="bootctl" name="opensuse-microos-6.8.1-1-default-3.conf" dev="sda2" ino=51 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.709:145): avc:  denied  { unlink } for  pid=1661 comm="bootctl" name="linux-9c7dfa521c0156cccc5a09ea48b102e3a6b41a90" dev="sda2" ino=98 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.709:146): avc:  denied  { unlink } for  pid=1661 comm="bootctl" name="initrd-e996573948a97ab30a6649fefe16d96b7f678b2e" dev="sda2" ino=99 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.709:147): avc:  denied  { unlink } for  pid=1661 comm="bootctl" name="opensuse-microos-6.8.2-1-default-4.conf" dev="sda2" ino=52 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
10:~ # 

10:~ # snapper list
  # | Type   | Pre # | Date                     | User | Used Space | Cleanup | Description            | Userdata
----+--------+-------+--------------------------+------+------------+---------+------------------------+--------------
 0  | single |       |                          | root |            |         | current                |
 5  | single |       | Mon Apr  8 20:54:02 2024 | root |  62.62 MiB | number  | Snapshot Update of #4  | important=yes
 6  | single |       | Wed Apr 10 21:46:26 2024 | root |  35.80 MiB | number  | Snapshot Update of #5  | important=yes
 7  | single |       | Fri Apr 12 21:12:14 2024 | root |  35.04 MiB | number  | Snapshot Update of #6  | important=yes
 8  | single |       | Sat Apr 13 18:58:13 2024 | root | 194.71 MiB | number  | Snapshot Update of #7  | important=yes
 9  | single |       | Thu Apr 18 20:58:06 2024 | root | 226.73 MiB | number  | Snapshot Update of #8  | important=yes
10  | single |       | Sun Apr 28 11:36:26 2024 | root |   1.19 MiB | number  | Snapshot Update of #9  | important=yes
11  | single |       | Mon May  6 20:29:57 2024 | root | 852.00 KiB | number  | Snapshot Update of #10 | important=yes
12  | single |       | Tue May  7 17:17:04 2024 | root | 836.00 KiB | number  | Snapshot Update of #11 | important=yes
13  | single |       | Tue May  7 17:57:34 2024 | root | 612.00 KiB | number  | Snapshot Update of #12 | important=yes
14  | single |       | Thu May  9 08:19:23 2024 | root |   1.05 MiB | number  | Snapshot Update of #13 | important=yes
15* | single |       | Thu May  9 09:51:28 2024 | root | 334.57 MiB | number  | Snapshot Update of #14 |
10:~ # 

So the earliest snapshot remaining is from Apr 8.

10:~ # ll /boot/efi/loader/entries
total 128
-rwxr-xr-x. 1 root root 588 Mar 31 15:45 opensuse-microos-6.8.1-1-default-1.conf
-rwxr-xr-x. 1 root root 588 Mar 31 15:49 opensuse-microos-6.8.1-1-default-2.conf
-rwxr-xr-x. 1 root root 588 Mar 31 15:57 opensuse-microos-6.8.1-1-default-3.conf
-rwxr-xr-x. 1 root root 588 Apr  6 06:59 opensuse-microos-6.8.2-1-default-4.conf
-rwxr-xr-x. 1 root root 600 Apr  8 20:56 opensuse-microos-6.8.4-rc1-1-default-5.conf
-rwxr-xr-x. 1 root root 600 Apr 10 21:47 opensuse-microos-6.8.4-rc1-1-default-6.conf
-rwxr-xr-x. 1 root root 600 Apr 12 21:13 opensuse-microos-6.8.4-rc1-1-default-7.conf
-rwxr-xr-x. 1 root root 588 Apr 13 19:05 opensuse-microos-6.8.5-1-default-8.conf
-rwxr-xr-x. 1 root root 590 Apr 26 21:28 opensuse-microos-6.8.6-1-default-10.conf
-rwxr-xr-x. 1 root root 588 Apr 26 21:31 opensuse-microos-6.8.6-1-default-9.conf
-rwxr-xr-x. 1 root root 590 Apr 28 11:40 opensuse-microos-6.8.7-1-default-10.conf
-rwxr-xr-x. 1 root root 590 May  6 20:33 opensuse-microos-6.8.7-1-default-11.conf
-rwxr-xr-x. 1 root root 590 May  7 17:18 opensuse-microos-6.8.7-1-default-12.conf
-rwxr-xr-x. 1 root root 590 May  7 17:58 opensuse-microos-6.8.7-1-default-13.conf
-rwxr-xr-x. 1 root root 590 May  9 08:19 opensuse-microos-6.8.7-1-default-14.conf
-rwxr-xr-x. 1 root root 590 May  9 09:55 opensuse-microos-6.8.8-1-default-15.conf
10:~ # 

But

10:~ # ll /.snapshots/5/snapshot/usr/lib/modules
total 0
drwxr-xr-x. 1 root root 600 Apr  8 20:55 6.8.4-rc1-1-default
10:~ # 

The snapper denials come from /usr/lib/snapper/plugins/10-sdbootutil.snapper
which tries to remove kernel entries. 

2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(SystemCmd):48 - constructor SystemCmd: /usr/lib/snapper/plugins/10-sdbootutil.snapper delete-snapshot-pre / btrfs 4
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 1 "Failed to remove "/opensuse-microos/6.8.2-1-default/linux-9c7dfa521c0156cccc5a09ea48b102e3a6b41a90", ignoring: Permission denied"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 2 "Failed to remove "/opensuse-microos/6.8.2-1-default/initrd-e996573948a97ab30a6649fefe16d96b7f678b2e", ignoring: Permission denied"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(addLine):394 - Adding Line 3 "Failed to remove "/boot/efi/loader/entries/opensuse-microos-6.8.2-1-default-4.conf": Permission denied"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(getUntilEOF):358 - pid:1639 added lines:3 stderr:true
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(execute):180 - stopwatch 0.329812s for "/usr/lib/snapper/plugins/10-sdbootutil.snapper delete-snapshot-pre / btrfs 4"
2024-05-10 15:26:09 MIL libsnapper(1559) SystemCmd.cc(execute):194 - system() Returns:0

For systemd generators the likely consequence is an incomplete sandbox. Not sure
how important it is with active SELinux, but having those errors on a clean
installation is certainly confusing.
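
Added example, not part of the original comment and not code from snapper or the SELinux tooling: a small Python parser that regroups ausearch records like the ones quoted above, mail line-wrapping included, by source type, target type and object class, which is the view a triager needs before looking at the policy. The sample input is two of the records from the comment; the function names are illustrative.

```python
import re
from collections import defaultdict

# Two of the AVC records from the comment above, still wrapped as in the mail.
SAMPLE = """\
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.102:141): avc:  denied  { unlink } for  pid=1583
comm="bootctl" name="opensuse-microos-6.8.1-1-default-1.conf" dev="sda2" ino=49
scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0
tclass=file permissive=0
----
time->Fri May 10 15:26:09 2024
type=AVC msg=audit(1715343969.369:143): avc:  denied  { unlink } for  pid=1635
comm="bootctl" name="initrd-25524e3baa37a82db7896897867f56db6e135865"
dev="sda2" ino=92 scontext=system_u:system_r:snapperd_t:s0
tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per denied AVC record; records are separated by '----'."""
    for chunk in re.split(r"^----\s*$", text, flags=re.M):
        record = " ".join(chunk.split())  # undo the mail's line wrapping
        m = AVC_RE.search(record)
        if not m:
            continue  # empty chunk or a non-AVC record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
        fields["perms"] = m.group(1).split()
        yield fields

def summarize(text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "names": [], "enforced": 0})
    for rec in parse_avc(text):
        # SELinux contexts are user:role:type:level; the type is the third field.
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["names"].append(rec["name"])
        g["enforced"] += rec["permissive"] == "0"  # permissive=0: really blocked
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} via {sorted(g['comms'])}: "
              f"{g['enforced']} blocked, files {g['names']}")
```

On the sample this collapses both denials into a single snapperd_t to dosfs_t:file group with permission unlink, issued by bootctl.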

