Hi Christian,

On Tue, Feb 13, 2024 at 05:45:47PM +0100, Christian Brauner wrote:
> This moves pidfds from the anonymous inode infrastructure to a tiny
> pseudo filesystem. This has been on my todo for quite a while as it will
> unblock further work that we weren't able to do simply because of the
> very justified limitations of anonymous inodes. Moving pidfds to a tiny
> pseudo filesystem allows:
>
> * statx() on pidfds becomes useful for the first time.
> * pidfds can be compared simply via statx() and then comparing inode
>   numbers.
> * pidfds have unique inode numbers for the system lifetime.
> * struct pid is now stashed in inode->i_private instead of
>   file->private_data. This means it is now possible to introduce
>   concepts that operate on a process once all file descriptors have been
>   closed. A concrete example is kill-on-last-close.
> * file->private_data is freed up for per-file options for pidfds.
> * Each struct pid will refer to a different inode but the same struct
>   pid will refer to the same inode if it's opened multiple times. In
>   contrast to now where each struct pid refers to the same inode. Even
>   if we were to move to anon_inode_create_getfile() which creates new
>   inodes we'd still be associating the same struct pid with multiple
>   different inodes.
> * Pidfds now go through the regular dentry_open() path which means that
>   all security hooks are called unblocking proper LSM management for
>   pidfds. In addition fsnotify hooks are called and allow for listening
>   to open events on pidfds.
>
> The tiny pseudo filesystem is not visible anywhere in userspace exactly
> like e.g., pipefs and sockfs. There's no lookup, there's no complex
> inode operations, nothing. Dentries and inodes are always deleted when
> the last pidfd is closed.
>
> The code is entirely optional and fairly small. If it's not selected we
> fallback to anonymous inodes. Heavily inspired by nsfs which uses a
> similar stashing mechanism just for namespaces.
>
> Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>

Apologies if this has already been reported or fixed but I did not see
anything on the mailing list.

On next-20240221 and next-20240222, with CONFIG_FS_PID=y, some of my
services such as abrtd, dbus, and polkit fail to start on my Fedora
machines, which causes further issues like failing to start network
interfaces with NetworkManager. I can easily reproduce this in a Fedora
39 QEMU virtual machine, which has:

  # systemctl --version
  systemd 254 (254.9-1.fc39)
  +PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

Unfortunately, there does not really appear to be much information to
provide off the bat but I am more than happy to try and gather whatever
information would be helpful if you are not able to reproduce locally.

  # uname -r
  6.8.0-rc1-00017-ga1a466d5af6c

  # zgrep CONFIG_FS_PID /proc/config.gz
  CONFIG_FS_PID=y

  # systemctl status polkit.service
  × polkit.service - Authorization Manager
       Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
      Drop-In: /usr/lib/systemd/system/service.d
               └─10-timeout-abort.conf
       Active: failed (Result: timeout) since Thu 2024-02-22 11:35:52 MST; 11min ago
         Docs: man:polkit(8)
      Process: 844 ExecStart=/usr/lib/polkit-1/polkitd --no-debug (code=killed, signal=TERM)
     Main PID: 844 (code=killed, signal=TERM)
          CPU: 116ms

  Feb 22 11:34:22 qemu systemd[1]: Starting polkit.service - Authorization Manager...
  Feb 22 11:34:22 qemu polkitd[844]: Started polkitd version 123
  Feb 22 11:34:22 qemu polkitd[844]: Loading rules from directory /etc/polkit-1/rules.d
  Feb 22 11:34:22 qemu polkitd[844]: Loading rules from directory /usr/share/polkit-1/rules.d
  Feb 22 11:34:22 qemu polkitd[844]: Finished loading, compiling and executing 5 rules
  Feb 22 11:34:22 qemu polkitd[844]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
  Feb 22 11:35:52 qemu systemd[1]: polkit.service: start operation timed out. Terminating.
  Feb 22 11:35:52 qemu systemd[1]: polkit.service: Failed with result 'timeout'.
  Feb 22 11:35:52 qemu systemd[1]: Failed to start polkit.service - Authorization Manager.

vs.

  # uname -r
  6.8.0-rc1-00016-gd68c1231c030

  # systemctl status polkit.service
  ● polkit.service - Authorization Manager
       Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
      Drop-In: /usr/lib/systemd/system/service.d
               └─10-timeout-abort.conf
       Active: active (running) since Thu 2024-02-22 11:30:38 MST; 21s ago
         Docs: man:polkit(8)
     Main PID: 843 (polkitd)
        Tasks: 4 (limit: 19010)
       Memory: 5.0M
          CPU: 169ms
       CGroup: /system.slice/polkit.service
               └─843 /usr/lib/polkit-1/polkitd --no-debug

  Feb 22 11:30:38 qemu systemd[1]: Starting polkit.service - Authorization Manager...
  Feb 22 11:30:38 qemu polkitd[843]: Started polkitd version 123
  Feb 22 11:30:38 qemu polkitd[843]: Loading rules from directory /etc/polkit-1/rules.d
  Feb 22 11:30:38 qemu polkitd[843]: Loading rules from directory /usr/share/polkit-1/rules.d
  Feb 22 11:30:38 qemu polkitd[843]: Finished loading, compiling and executing 5 rules
  Feb 22 11:30:38 qemu polkitd[843]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
  Feb 22 11:30:38 qemu systemd[1]: Started polkit.service - Authorization Manager.

or

  # uname -r
  6.8.0-rc1-00017-ga1a466d5af6c

  # zgrep CONFIG_FS_PID /proc/config.gz
  # CONFIG_FS_PID is not set

  # systemctl status polkit.service
  ● polkit.service - Authorization Manager
       Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
      Drop-In: /usr/lib/systemd/system/service.d
               └─10-timeout-abort.conf
       Active: active (running) since Thu 2024-02-22 11:52:41 MST; 5min ago
         Docs: man:polkit(8)
     Main PID: 845 (polkitd)
        Tasks: 4 (limit: 19010)
       Memory: 5.0M
          CPU: 177ms
       CGroup: /system.slice/polkit.service
               └─845 /usr/lib/polkit-1/polkitd --no-debug

  Feb 22 11:52:41 qemu systemd[1]: Starting polkit.service - Authorization Manager...
  Feb 22 11:52:41 qemu polkitd[845]: Started polkitd version 123
  Feb 22 11:52:41 qemu polkitd[845]: Loading rules from directory /etc/polkit-1/rules.d
  Feb 22 11:52:41 qemu polkitd[845]: Loading rules from directory /usr/share/polkit-1/rules.d
  Feb 22 11:52:41 qemu polkitd[845]: Finished loading, compiling and executing 5 rules
  Feb 22 11:52:41 qemu polkitd[845]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
  Feb 22 11:52:41 qemu systemd[1]: Started polkit.service - Authorization Manager.

I looked at your most recent push of vfs.pidfd but I did not see anything
that would have appeared to fix this, so I did not test it.

Cheers,
Nathan
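
Added example, not part of this thread or of the patch: the pidfd comparison the quoted commit message describes (same device and inode number means same process), guarded by a check for the anonymous-inode fallback, where every pidfd shares one inode and the comparison says nothing. compare_pids(), pidfd_ino_usable() and ANON_INODE_MAGIC are names chosen here; the magic value is ANON_INODE_FS_MAGIC from linux/magic.h, and 64-bit inode numbers are assumed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434          /* same number on most architectures */
#endif
#define ANON_INODE_MAGIC 0x09041934 /* ANON_INODE_FS_MAGIC, linux/magic.h */

/* 1: st_ino identifies the process; 0: pidfd sits on the shared anonymous
 * inode (the fallback the commit message mentions); -1: error. */
static int pidfd_ino_usable(int pidfd)
{
    struct statfs sfs;
    if (fstatfs(pidfd, &sfs) < 0)
        return -1;
    return sfs.f_type != ANON_INODE_MAGIC;
}

/* 1: same process, 0: different process, -1: cannot tell on this kernel. */
static int pidfd_same_process(int a, int b)
{
    struct stat sa, sb;
    if (pidfd_ino_usable(a) != 1 || pidfd_ino_usable(b) != 1)
        return -1;
    if (fstat(a, &sa) < 0 || fstat(b, &sb) < 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Hypothetical demo helper: open one pidfd per pid and compare them. */
static int compare_pids(pid_t pid_a, pid_t pid_b)
{
    int a = (int)syscall(SYS_pidfd_open, pid_a, 0);
    int b = (int)syscall(SYS_pidfd_open, pid_b, 0);
    int r = (a < 0 || b < 0) ? -1 : pidfd_same_process(a, b);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return r;
}
int main(void)
{
    printf("self vs self:   %d\n", compare_pids(getpid(), getpid()));
    printf("self vs parent: %d\n", compare_pids(getpid(), getppid()));
    return 0;
}
```

On a kernel without the pseudo filesystem both lines print -1, which is the case a caller has to handle before trusting an inode match.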