regressions.lists.linux.dev archive mirror
* Bug 215596 - Commit 59ec715 breaks systemd LimitNPROC with PrivateUsers
@ 2022-02-20 17:26 Thorsten Leemhuis
  2022-03-04 14:01 ` Bug 215596 - Commit 59ec715 breaks systemd LimitNPROC with PrivateUsers #forregzbot Thorsten Leemhuis
  0 siblings, 1 reply; 2+ messages in thread
From: Thorsten Leemhuis @ 2022-02-20 17:26 UTC (permalink / raw)
  To: regressions

Hi, this is your Linux kernel regression tracker speaking.

About a week ago a regression was reported to bugzilla.kernel.org that
seems to be handled there already, nevertheless I'd like to add to the
tracking to ensure it's not forgotten.

#regzbot introduced: 59ec71575ab4
#regzbot from: Etienne Dechamps <etienne@edechamps.fr>
#regzbot title: Commit 59ec715 breaks systemd LimitNPROC with PrivateUsers
#regzbot link: https://bugzilla.kernel.org/show_bug.cgi?id=215596

Quote:

> Commit 59ec715 "ucounts: Fix rlimit max values check", first included in Linux 5.15.12, breaks systemd "LimitNPROC" (RLIMIT_NPROC) when combined with "PrivateUsers" (user namespacing).
> 
> This can be reproduced with a trivial systemd service file:
> 
> [Service]
> User=nobody
> PrivateUsers=yes
> LimitNPROC=4
> Type=oneshot
> ExecStart=/bin/true
> 
> Which, on 59ec715, fails with:
> 
> Failed to execute /bin/true: Resource temporarily unavailable
> Failed at step EXEC spawning /bin/true: Resource temporarily unavailable
> Main process exited, code=exited, status=203/EXEC
> 
> (Even though user `nobody` has no running processes besides this one)
> 
> A strace on PID 1 reveals the following sequence of calls (excerpt):
> 
> clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x40e60150) = 129
> [pid   129] prlimit64(0, RLIMIT_NPROC, {rlim_cur=4, rlim_max=4}, NULL) = 0
> [pid   129] unshare(CLONE_NEWUSER)      = 0
> [pid   129] setresuid(65534, 65534, 65534) = 0
> [pid   129] execve("/bin/true", ["/bin/true"], 0x552ad950a0 /* 7 vars */) = -1 EAGAIN (Resource temporarily unavailable)
> 
> On the parent commit of 59ec715 the service starts successfully.
> 
> This is still reproducible on current master (83e3966).
> 
> Relevant patch discussion: https://lore.kernel.org/lkml/87lf0g9xq7.fsf@email.froward.int.ebiederm.org/T/#m0a39edf27bc5aabca58b2c2a3d81704818d2c6fe
> 
> This more recent thread also seems highly relevant: https://lore.kernel.org/lkml/20220207121800.5079-1-mkoutny@suse.com/

See the ticket for details, there were a few replies already.

Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)

P.S.: As the Linux kernel's regression tracker I'm getting a lot of
reports on my table. I can only look briefly into most of them and lack
knowledge about most of the areas they concern. I thus unfortunately
will sometimes get things wrong or miss something important. I hope
that's not the case here; if you think it is, don't hesitate to tell me
in a public reply, it's in everyone's interest to set the public record
straight.

-- 
Additional information about regzbot:

If you want to know more about regzbot, check out its web-interface, the
getting started guide, and the reference documentation:

https://linux-regtracking.leemhuis.info/regzbot/
https://gitlab.com/knurd42/regzbot/-/blob/main/docs/getting_started.md
https://gitlab.com/knurd42/regzbot/-/blob/main/docs/reference.md

The last two documents will explain how you can interact with regzbot
yourself if you want to.

Hint for reporters: when reporting a regression it's in your interest to
CC the regression list and tell regzbot about the issue, as that ensures
the regression makes it onto the radar of the Linux kernel's regression
tracker -- that's in your interest, as it ensures your report won't fall
through the cracks unnoticed.

Hint for developers: you normally don't need to care about regzbot once
it's involved. Fix the issue as you normally would, just remember to
include a 'Link:' tag in the patch descriptions pointing to all reports
about the issue. This has been expected from developers even before
regzbot showed up for reasons explained in
'Documentation/process/submitting-patches.rst' and
'Documentation/process/5.Posting.rst'.

^ permalink raw reply	[flat|nested] 2+ messages in thread
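
Added example (not part of the original thread, nor code from the kernel or systemd): a Python triage script that scans `strace -f` output for the failure signature quoted in the report, i.e. a process that sets a finite RLIMIT_NPROC, enters a new user namespace, and then gets EAGAIN from execve. The function name and the matching heuristic are assumptions for illustration; the sample input is the excerpt from the report.

```python
import re

# strace excerpt quoted in the bug report above (PID 1 traced with -f).
TRACE = r'''clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x40e60150) = 129
[pid   129] prlimit64(0, RLIMIT_NPROC, {rlim_cur=4, rlim_max=4}, NULL) = 0
[pid   129] unshare(CLONE_NEWUSER)      = 0
[pid   129] setresuid(65534, 65534, 65534) = 0
[pid   129] execve("/bin/true", ["/bin/true"], 0x552ad950a0 /* 7 vars */) = -1 EAGAIN (Resource temporarily unavailable)
'''

# "[pid N] name(args) = ret [ERRNO ...]"; the pid prefix is absent for the traced root.
LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)(?:\s+(\w+))?')
# Matches only a *set* of RLIMIT_NPROC (new-limit struct directly after the resource).
NPROC_SET = re.compile(r'RLIMIT_NPROC,\s*\{rlim_cur=(\d+)')


def find_nproc_userns_failures(trace):
    """Return (pid, rlim_cur, path) for each execve that failed with EAGAIN
    after the same pid set RLIMIT_NPROC and unshared a user namespace."""
    state = {}   # pid -> {"limit": int or None, "userns": bool}
    hits = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, call, args, ret, errno = m.groups()
        st = state.setdefault(pid or "root", {"limit": None, "userns": False})
        if call == "prlimit64" and ret == "0":
            lim = NPROC_SET.search(args)
            if lim:
                st["limit"] = int(lim.group(1))
        elif call == "unshare" and ret == "0" and "CLONE_NEWUSER" in args:
            st["userns"] = True
        elif call == "execve" and errno == "EAGAIN":
            if st["limit"] is not None and st["userns"]:
                path = re.match(r'"([^"]*)"', args)
                hits.append((pid or "root", st["limit"], path.group(1) if path else "?"))
    return hits


if __name__ == "__main__":
    for pid, limit, path in find_nproc_userns_failures(TRACE):
        print(f"pid {pid}: execve({path}) -> EAGAIN after RLIMIT_NPROC={limit} + CLONE_NEWUSER")
```

A match only says the trace has the same shape as the one in the report; an execve that returns EAGAIN because the user really is at its process limit would look identical, so check the process count for that UID before attributing it to the regression.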

* Re: Bug 215596 - Commit 59ec715 breaks systemd LimitNPROC with PrivateUsers #forregzbot
  2022-02-20 17:26 Bug 215596 - Commit 59ec715 breaks systemd LimitNPROC with PrivateUsers Thorsten Leemhuis
@ 2022-03-04 14:01 ` Thorsten Leemhuis
  0 siblings, 0 replies; 2+ messages in thread
From: Thorsten Leemhuis @ 2022-03-04 14:01 UTC (permalink / raw)
  To: regressions

TWIMC: this mail is primarily sent for documentation purposes and for
regzbot, my Linux kernel regression tracking bot. These mails usually
contain '#forregzbot' in the subject, to make them easy to spot and filter.

#regzbot fixed-by: 0ac983f512033cb7b5e210c9589768ad25b1e36b

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ac983f512033cb7b5e210c9589768ad25b1e36b

On 20.02.22 18:26, Thorsten Leemhuis wrote:
> Hi, this is your Linux kernel regression tracker speaking.
> 
> About a week ago a regression was reported to bugzilla.kernel.org that
> seems to be handled there already, nevertheless I'd like to add to the
> tracking to ensure it's not forgotten.
> 
> #regzbot introduced: 59ec71575ab4
> #regzbot from: Etienne Dechamps <etienne@edechamps.fr>
> #regzbot title: Commit 59ec715 breaks systemd LimitNPROC with PrivateUsers
> #regzbot link: https://bugzilla.kernel.org/show_bug.cgi?id=215596
> 
> Quote:
> 
>> Commit 59ec715 "ucounts: Fix rlimit max values check", first included in Linux 5.15.12, breaks systemd "LimitNPROC" (RLIMIT_NPROC) when combined with "PrivateUsers" (user namespacing).
>>
>> This can be reproduced with a trivial systemd service file:
>>
>> [Service]
>> User=nobody
>> PrivateUsers=yes
>> LimitNPROC=4
>> Type=oneshot
>> ExecStart=/bin/true
>>
>> Which, on 59ec715, fails with:
>>
>> Failed to execute /bin/true: Resource temporarily unavailable
>> Failed at step EXEC spawning /bin/true: Resource temporarily unavailable
>> Main process exited, code=exited, status=203/EXEC
>>
>> (Even though user `nobody` has no running processes besides this one)
>>
>> A strace on PID 1 reveals the following sequence of calls (excerpt):
>>
>> clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x40e60150) = 129
>> [pid   129] prlimit64(0, RLIMIT_NPROC, {rlim_cur=4, rlim_max=4}, NULL) = 0
>> [pid   129] unshare(CLONE_NEWUSER)      = 0
>> [pid   129] setresuid(65534, 65534, 65534) = 0
>> [pid   129] execve("/bin/true", ["/bin/true"], 0x552ad950a0 /* 7 vars */) = -1 EAGAIN (Resource temporarily unavailable)
>>
>> On the parent commit of 59ec715 the service starts successfully.
>>
>> This is still reproducible on current master (83e3966).
>>
>> Relevant patch discussion: https://lore.kernel.org/lkml/87lf0g9xq7.fsf@email.froward.int.ebiederm.org/T/#m0a39edf27bc5aabca58b2c2a3d81704818d2c6fe
>>
>> This more recent thread also seems highly relevant: https://lore.kernel.org/lkml/20220207121800.5079-1-mkoutny@suse.com/
> 
> See the ticket for details, there were a few replies already.
> 
> Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
> 
> P.S.: As the Linux kernel's regression tracker I'm getting a lot of
> reports on my table. I can only look briefly into most of them and lack
> knowledge about most of the areas they concern. I thus unfortunately
> will sometimes get things wrong or miss something important. I hope
> that's not the case here; if you think it is, don't hesitate to tell me
> in a public reply, it's in everyone's interest to set the public record
> straight.
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread
