[Bug 828207] New: review new dbus services in systemd
https://bugzilla.novell.com/show_bug.cgi?id=828207
https://bugzilla.novell.com/show_bug.cgi?id=828207#c0

Summary: review new dbus services in systemd
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Milestone 2
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: security-team@suse.de
ReportedBy: fcrozat@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

systemd v205 is now shipping with a new daemon "systemd-machined" which is used through dbus-system:

[ 507s] systemd.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.freedesktop.machine1.service
[ 507s] systemd.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/org.freedesktop.machine1.conf

please review (systemd v205 has been sr to Base:System : 182204)

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Marcus Meissner
--- Comment #2 from Marcus Meissner
Sebastian Krahmer
Sebastian Krahmer
--- Comment #3 from Matthias Weckbecker
--- Comment #4 from Frederic Crozat
> I will be trying to work on this. For the time being you may be able to help me with the following:
> 1) What deadline am I supposed to honor / meet? (a deadline in the future is preferred)
Unfortunately, it is ASAP, since it is blocking pushing the new systemd release in Factory (we are stuck at version 204 ATM).
> 2) Can you provide a test setup with the new features set up?
I can try to work on that (I basically need to install a system and, inside that system, install a chroot system (or application) to use systemd-nspawn to demonstrate machined usage).
> Can you possibly confirm the following documentation to be accurate, please?
It is accurate.
--- Comment #5 from Matthias Weckbecker
(In reply to comment #3)
> > I will be trying to work on this. For the time being you may be able to help me with the following:
> > 1) What deadline am I supposed to honor / meet? (a deadline in the future is preferred)
> Unfortunately, it is ASAP, since it is blocking pushing the new systemd release in Factory (we are stuck at version 204 ATM).
OK. I will try my very best (as usual), but I have to say I'm a novice with DBus and systemd, so it might take a little longer. I discussed with Sebastian the day before yesterday. He said that there are functions in the code that are not in org.freedesktop.machine1.conf. Could you possibly comment on that, please? 'KillMachine' and 'CreateMachine', for example, are not included.
> > 2) Can you provide a test setup with the new features set up?
> I can try to work on that (I basically need to install a system and, inside that system, install a chroot system (or application) to use systemd-nspawn to demonstrate machined usage).
Considering that this sounds very complex, I think a review makes even more sense. But again, no worries, I will try to be as fast as I can of course.
> > Can you possibly confirm the following documentation to be accurate, please?
> > http://www.freedesktop.org/wiki/Software/systemd/machined/
> It is accurate.
That's good to know. I will look at this. Thanks.
--- Comment #6 from Matthias Weckbecker
--- Comment #7 from Matthias Weckbecker
--- Comment #8 from Frederic Crozat
> I discussed with Sebastian the day before yesterday. He said that there are functions in the code that are not in org.freedesktop.machine1.conf. Could you possibly comment on that, please? 'KillMachine' and 'CreateMachine', for example, are not included.
This is wanted (I've checked with upstream). They are supposed to be used only by root and therefore aren't added to the dbus policy, to ensure nobody else can call them.
> > > 2) Can you provide a test setup with the new features set up?
> > I can try to work on that (I basically need to install a system and, inside that system, install a chroot system (or application) to use systemd-nspawn to demonstrate machined usage).
> Considering that this sounds very complex, I think a review makes even more sense. But again, no worries, I will try to be as fast as I can of course.
Well, it was much easier than expected (thanks to coolo for helping me quickly set up a chroot) ;)

(In reply to comment #6)
> One additional question: 'KillMachine''s job apparently is to kill processes (unix processes) (vms). Is this correct?
Yes, KillMachine will cause systemd to kill the scope of the machine, i.e. either killing its main PID or control PID (or all PIDs, depending on the configuration) or removing the cgroup for this scope, causing all processes in it to be terminated.
> Can this result in an issue? I'm thinking of a malicious user (operating locally) who kills virtual machines of other users on the same system. Or, even killing a process that is not a vm at all.
That's why KillMachine is restricted to root. Nobody else can call it.

(In reply to comment #7)
> Will there possibly be files created in 'RootDirectory' (member of Machine objects) upon CreateMachine()?
CreateMachine itself doesn't write anything in RootDirectory; it will only set up the needed cgroup for the container and use root_directory as "chroot".
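The reviewer's question in this thread is whether methods that are absent from org.freedesktop.machine1.conf (KillMachine, CreateMachine) are really unreachable for unprivileged callers. The script below is an added example, not code from the bug thread or from the systemd project: it is a simplified model of how the system bus evaluates busconfig send rules, run over a constructed policy written in the shape of a dbus-1 system.d file (it is not the shipped machine1 conf, and the method list at the bottom is constructed from the names discussed above plus GetMachine). The evaluation order (default context first, then the caller's user section, last matching rule wins) and the default-deny starting point are assumptions stated in the comments.

```python
"""Added example: a simplified evaluator for D-Bus busconfig send policies.

It checks, for a given caller uid name, whether a method call to
org.freedesktop.machine1 would be allowed, so a reviewer can confirm that
methods with no explicit <allow> in the default context are root-only.
The policy text is constructed for illustration and is NOT the shipped
/etc/dbus-1/system.d/org.freedesktop.machine1.conf.
"""
import xml.etree.ElementTree as ET

# Constructed, simplified policy in the shape of a dbus-1 system.d file.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.machine1"/>
    <allow send_destination="org.freedesktop.machine1"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.machine1"/>
    <allow send_destination="org.freedesktop.machine1"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.machine1"
           send_interface="org.freedesktop.machine1.Manager"
           send_member="ListMachines"/>
    <allow send_destination="org.freedesktop.machine1"
           send_interface="org.freedesktop.machine1.Manager"
           send_member="GetMachine"/>
  </policy>
</busconfig>"""

SEND_ATTRS = ("send_destination", "send_interface", "send_member")


def load_policy(xml_text):
    """Parse a busconfig document and return its root element."""
    return ET.fromstring(xml_text)


def _rule_matches(rule, msg):
    """A send rule matches when every send_* attribute it carries equals
    the corresponding field of the message; own=/receive_* rules are ignored."""
    constraints = {k: v for k, v in rule.attrib.items() if k in SEND_ATTRS}
    if not constraints:
        return False
    return all(msg.get(k) == v for k, v in constraints.items())


def _policies_for(root, user):
    """Policy sections in the order this model applies them (assumption that
    mirrors the bus): default context first, then the caller's user section,
    so the more specific section can override the default one."""
    default = [p for p in root.findall("policy") if p.get("context") == "default"]
    per_user = [p for p in root.findall("policy") if p.get("user") == user]
    return default + per_user


def may_send(root, user, destination, interface, member):
    """Return True if `user` may call interface.member on destination.

    Assumption: the call starts out denied (the system bus's default context
    denies method calls) and the last matching allow/deny rule wins."""
    msg = {"send_destination": destination,
           "send_interface": interface,
           "send_member": member}
    allowed = False
    for policy in _policies_for(root, user):
        for rule in policy:
            if rule.tag in ("allow", "deny") and _rule_matches(rule, msg):
                allowed = rule.tag == "allow"
    return allowed


def root_only_methods(root, destination, interface, methods):
    """Methods an unprivileged caller ("nobody") cannot invoke but root can."""
    return sorted(m for m in methods
                  if not may_send(root, "nobody", destination, interface, m)
                  and may_send(root, "root", destination, interface, m))


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    dest, iface = "org.freedesktop.machine1", "org.freedesktop.machine1.Manager"
    # Constructed method list: the names from the bug plus GetMachine.
    methods = ["ListMachines", "GetMachine", "KillMachine", "CreateMachine"]
    for m in methods:
        print(f"{m}: unprivileged caller allowed = "
              f"{may_send(policy, 'nobody', dest, iface, m)}")
    print("root-only:", root_only_methods(policy, dest, iface, methods))
```

Run against a real policy by replacing SAMPLE_POLICY with the file contents; a method that shows up as root-only here is one the default context never allows, which is exactly the property the thread relies on for KillMachine and CreateMachine. The model deliberately ignores group sections, mandatory context and the include mechanism, so it is a review aid, not a replacement for the bus's own decision.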
--- Comment #10 from Matthias Weckbecker
Matthias Weckbecker
--- Comment #11 from Frederic Crozat
--- Comment #12 from Bernhard Wiedemann
--- Comment #13 from Frederic Crozat
Swamp Workflow Management
Swamp Workflow Management
--- Comment #14 from Swamp Workflow Management