Created attachment 96119 [details] strace for first issue

I updated to systemd 211 (which should have the fix for bug 75733, if I'm not mistaken) from rawhide on my base Fedora 20 x86_64 OS, then rebooted. I am now having a few new issues when trying to run commands as a user in a 32-bit (i686) container on an x86_64 host OS. These issues do not happen if the container is a 64-bit (x86_64) container.

#### Issue 1 ####

Running systemd-nspawn with -u <user> option to execute a command when <user> is part of the "wheel" group in the container.

$ uname -r
3.13.6-200.fc20.x86_64
$ su -
$ mkdir /srv/mycontainer-i686
$ mkdir -p /srv/mycontainer-i686/etc/yum/vars
$ echo i386 > /srv/mycontainer-i686/etc/yum/vars/basearch
$ echo i686 > /srv/mycontainer-i686/etc/yum/vars/arch
$ yum -y --releasever=20 --nogpg --installroot=/srv/mycontainer-i686 --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal sudo
$ systemd-nspawn -D /srv/mycontainer-i686 adduser jail
$ systemd-nspawn -D /srv/mycontainer-i686 passwd -d jail
$ systemd-nspawn -u jail -D /srv/mycontainer-i686 whoami
Spawning container mycontainer-i686 on /srv/mycontainer-i686.
Press ^] three times within 1s to abort execution.
jail
$ systemd-nspawn -D /srv/mycontainer-i686 usermod -a -G wheel jail
$ systemd-nspawn -u jail -D /srv/mycontainer-i686 whoami
Spawning container mycontainer-i686 on /srv/mycontainer-i686.
Press ^] three times within 1s to abort execution.
Out of memory.
Container mycontainer-i686 failed with error code 1.

#### Issue 2 ####

Running systemd-nspawn as root to execute an "su <user> -c <command>" command.

$ uname -r
3.13.6-200.fc20.x86_64
$ su -
$ mkdir /srv/mycontainer-i686
$ mkdir -p /srv/mycontainer-i686/etc/yum/vars
$ echo i386 > /srv/mycontainer-i686/etc/yum/vars/basearch
$ echo i686 > /srv/mycontainer-i686/etc/yum/vars/arch
$ yum -y --releasever=20 --nogpg --installroot=/srv/mycontainer-i686 --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal sudo
$ systemd-nspawn -D /srv/mycontainer-i686 adduser jail
$ systemd-nspawn -D /srv/mycontainer-i686 passwd -d jail
$ systemd-nspawn -D /srv/mycontainer-i686 su jail -c whoami
Spawning container mycontainer-i686 on /srv/mycontainer-i686.
Press ^] three times within 1s to abort execution.
su: System error
Container mycontainer-i686 failed with error code 1.

I've attached straces for both of the issues if that helps.
Created attachment 96120 [details] strace for second issue
Ok, so if I add "audit=0" to the kernel command line then I don't encounter Issue 2. However, I still encounter Issue 1.
The second issue is caused by audit being stupid, and needs to be fixed in the kernel, use audit=0 for that, as you found out. For the first issue, could you please run nspawn through "strace -s255 -f -o log" when this fails, and attach the file it generates here?
Created attachment 99963 [details] strace -s255 -f -o log
I'm guessing this:

commit a9dd39d9b482c99da6b3af3a7394b290e2019cb2
Author: Philip Lorenz <philip@bithub.de>
Date:   Wed Apr 9 19:08:45 2014 +0200

    nspawn: Fix erroneous OOM when building group list

    change_uid_gid() never initialises sz which may cause greedy_realloc to
    skip the initial buffer allocation.

Can you try with the latest git or with this patch backported (it applies cleanly to v211)?
(In reply to comment #5)
> I'm guessing this:
>
> commit a9dd39d9b482c99da6b3af3a7394b290e2019cb2
> Author: Philip Lorenz <philip@bithub.de>
> Date: Wed Apr 9 19:08:45 2014 +0200
>
> nspawn: Fix erroneous OOM when building group list
>
> change_uid_gid() never initialises sz which may cause greedy_realloc to
> skip the initial buffer allocation.
>
> Can you try with the latest git or with this patch backported (it applies
> cleanly to v211)?

This patch is not on master
(In reply to comment #6)
> (In reply to comment #5)
> > I'm guessing this:
> >
> > commit a9dd39d9b482c99da6b3af3a7394b290e2019cb2
> > Author: Philip Lorenz <philip@bithub.de>
> > Date: Wed Apr 9 19:08:45 2014 +0200
> >
> > nspawn: Fix erroneous OOM when building group list
> >
> > change_uid_gid() never initialises sz which may cause greedy_realloc to
> > skip the initial buffer allocation.
> >
> > Can you try with the latest git or with this patch backported (it applies
> > cleanly to v211)?
>
> This patch is not on master

Never mind, I found it... I was searching for the hash initially.
(In reply to comment #5)
> I'm guessing this:
>
> commit a9dd39d9b482c99da6b3af3a7394b290e2019cb2
> Author: Philip Lorenz <philip@bithub.de>
> Date: Wed Apr 9 19:08:45 2014 +0200
>
> nspawn: Fix erroneous OOM when building group list
>
> change_uid_gid() never initialises sz which may cause greedy_realloc to
> skip the initial buffer allocation.
>
> Can you try with the latest git or with this patch backported (it applies
> cleanly to v211)?

Hmm... so I actually downloaded the v212 source rpm from Fedora rawhide (systemd-212-5.fc21.src.rpm). Without backporting the aforementioned patch I recompiled and installed from that source on F20 and now I don't encounter the first issue anymore. The systemd.spec indicates source is from commit f01de96.
I can't reproduce this either. valgrind doesn't yield anything useful. Nevertheless, my hypothesis still stands because the error fixed by this patch is compilation dependent, so it is still likely that this is the problem. I'm closing for now, please reopen if you encounter this again.
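Added example, not part of the original thread and not systemd's source: a simplified model of the failure mode named in the quoted commit message, where a grow helper trusts a capacity variable that was never set and so skips the first allocation. The names greedy_realloc_model and build_group_list are hypothetical, and the stale capacity is passed in as a parameter so the behaviour is deterministic instead of depending on what the compiler left on the stack.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a "greedy" grow helper (not systemd's source): when the
 * recorded capacity already covers the request, it returns the current
 * pointer without allocating. It trusts *allocated completely. */
static void *greedy_realloc_model(void **p, size_t *allocated, size_t need) {
    if (*allocated >= need)
        return *p;
    size_t a = need * 2 < 64 ? 64 : need * 2;
    void *q = realloc(*p, a);
    if (!q)
        return NULL;
    *p = q;
    *allocated = a;
    return q;
}

/* Hypothetical caller: builds a list of n group ids starting from a NULL
 * buffer. initial_sz stands in for the value the capacity variable holds on
 * entry: 0 when initialised, leftover stack contents when it is not. */
static int build_group_list(size_t initial_sz, size_t n, uint32_t **out) {
    void *buf = NULL;
    size_t sz = initial_sz;
    for (size_t i = 0; i < n; i++) {
        uint32_t *gids = greedy_realloc_model(&buf, &sz, (i + 1) * sizeof(uint32_t));
        if (!gids) {            /* NULL is read as an allocation failure */
            free(buf);
            return -ENOMEM;
        }
        gids[i] = 1000 + (uint32_t) i;   /* constructed sample gids */
    }
    *out = buf;
    return 0;
}

int main(void) {
    uint32_t *g = NULL;
    printf("sz initialised to 0, 3 groups: %d\n", build_group_list(0, 3, &g));
    free(g);
    printf("stale sz, 1 group:             %d\n", build_group_list(4096, 1, &g));
    printf("stale sz, no groups:           %d\n", build_group_list(4096, 0, &g));
    return 0;
}
```

In this model the out-of-memory result appears only when at least one group has to be stored, and only when the stale capacity value happens to be at least as large as the request.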