[Bug 1942276] Re: glibc 2.34 upgrade will break some essential services

Michael Hudson-Doyle 1942276 at bugs.launchpad.net
Thu Sep 2 00:05:20 UTC 2021


What appears to be going on here is that systemd is not restarted as
part of the upgrade of glibc so it is still running glibc 2.33. When
starting a service that does anything even slightly funky with users and
groups (so things that use DynamicUser= like systemd-resolved but also
things like docker which just uses Group= on a socket) it forks itself
and calls Name Service Switch apis which dlopen nss modules like
/lib/x86_64-linux-gnu/libnss_files.so.2. But these now come from the
glibc 2.34 package and are not compatible with the libc already loaded
into the forked process and so the nss calls all fail.

I don't know why this didn't bite us for other glibc upgrades -- nss
modules are basically never cross version compatible afaik. Maybe
systemd has changed and used to have an execve between the fork and any
access to nss apis?

https://bugs.launchpad.net/bugs/1942276

Title:
  glibc 2.34 upgrade will break some essential services

Status in docker.io package in Ubuntu:
  New
Status in glibc package in Ubuntu:
  New

Bug description:
  Try this:

  $ lxc launch ubuntu-daily:impish test-docker
  $ lxc shell test-docker
  # cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
  deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
  EOF
  # apt update
  # apt install libc-bin -y
  ...
  (debconf query asking which services should be restarted.  Just select Ok)
  ...
  Restarting services...
   systemctl restart accounts-daemon.service console-getty.service cron.service packagekit.service polkit.service rsyslog.service snapd.service ssh.service systemd-journald.service systemd-networkd.service systemd-resolved.service systemd-udevd.service udisks2.service
  Job for systemd-networkd.service failed.
  See "systemctl status systemd-networkd.service" and "journalctl -xeu systemd-networkd.service" for details.
  Job for systemd-resolved.service failed because the control process exited with error code.
  See "systemctl status systemd-resolved.service" and "journalctl -xeu systemd-resolved.service" for details.
  Service restarts being deferred:
   /etc/needrestart/restart.d/dbus.service
   systemctl restart networkd-dispatcher.service
   systemctl restart systemd-logind.service
   systemctl restart unattended-upgrades.service
  # ping ubuntu.com
  ping: ubuntu.com: Temporary failure in name resolution
  # systemctl status systemd-networkd
  × systemd-networkd.service - Network Service
       Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Wed 2021-09-01 20:41:03 UTC; 36s ago
  TriggeredBy: × systemd-networkd.socket
         Docs: man:systemd-networkd.service(8)
      Process: 2411 ExecStart=/lib/systemd/systemd-networkd (code=exited, status=217/USER)
     Main PID: 2411 (code=exited, status=217/USER)

  Sep 01 20:41:03 test-docker systemd[1]: systemd-networkd.service: Scheduled restart job, restart counter is at 5.
  Sep 01 20:41:03 test-docker systemd[1]: Stopped Network Service.
  Sep 01 20:41:03 test-docker systemd[1]: systemd-networkd.service: Start request repeated too quickly.
  Sep 01 20:41:03 test-docker systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
  Sep 01 20:41:03 test-docker systemd[1]: Failed to start Network Service.

  
  The same can be reproduced inside a VM.  If the user reboots the system, it becomes usable again.

  [ Original Description ]

  This bug is blocking docker.io on update-excuses.

  I noticed that docker.io version 20.10.7-0ubuntu2 (currently in
  impish-proposed) is failing to start when installed inside an Impish
  LXD container.  You can reproduce the bug by doing:

  $ lxc launch ubuntu-daily:impish test-docker -c security.nesting=true
  $ lxc shell test-docker
  # cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
  deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
  EOF
  # apt update
  # apt install docker.io -y
  ...
  Setting up docker.io (20.10.7-0ubuntu2) ...
  Adding group `docker' (GID 120) ...
  Done.
  Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
  Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
  A dependency job for docker.service failed. See 'journalctl -xe' for details.
  invoke-rc.d: initscript docker, action "start" failed.
  ○ docker.service - Docker Application Container Engine
       Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
       Active: inactive (dead)
  TriggeredBy: × docker.socket
         Docs: https://docs.docker.com

  Sep 01 01:52:47 test-docker systemd[1]: Dependency failed for Docker Application Container Engine.
  Sep 01 01:52:47 test-docker systemd[1]: docker.service: Job docker.service/start failed with result 'dependency'.
  ...
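
A check for the condition described in the comment at the top of this message, where a running process (systemd as PID 1 here) still has the pre-upgrade libc mapped while the NSS modules on disk come from the new package. This is an added example, not code from the bug report or from any Ubuntu tool; the function names are hypothetical and the sample maps content is constructed.

```python
import os

DELETED = " (deleted)"  # suffix the kernel adds when the mapped file was unlinked
# Basenames of the objects the comment is about: libc itself and NSS modules.
GLIBC_PREFIXES = ("libc.", "libc-", "libnss_")

# Constructed sample of /proc/1/maps after the upgrade (not taken from the report).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a35000 r--p 00000000 fd:01 2201 /usr/lib/systemd/systemd
7f3a10000000-7f3a10028000 r--p 00000000 fd:01 3307 /usr/lib/x86_64-linux-gnu/libc-2.33.so (deleted)
7f3a10028000-7f3a101bd000 r-xp 00028000 fd:01 3307 /usr/lib/x86_64-linux-gnu/libc-2.33.so (deleted)
7f3a10400000-7f3a10403000 r--p 00000000 fd:01 4410 /usr/lib/x86_64-linux-gnu/libnss_files.so.2
7f3a10600000-7f3a10621000 rw-p 00000000 00:00 0 [heap]
"""


def stale_glibc_mappings(maps_text):
    """Return glibc objects that are mapped but no longer present on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode pathname
        if len(fields) < 6 or not fields[5].endswith(DELETED):
            continue
        path = fields[5][: -len(DELETED)]
        if os.path.basename(path).startswith(GLIBC_PREFIXES):
            stale.add(path)
    return sorted(stale)


def scan(proc_root="/proc"):
    """Map pid -> stale glibc objects for every process whose maps are readable."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_glibc_mappings(fh.read())
        except OSError:
            continue  # process exited meanwhile, or we lack permission
        if stale:
            findings[int(entry)] = stale
    return findings


if __name__ == "__main__":
    print("sample:", stale_glibc_mappings(SAMPLE_MAPS))
    for pid, libs in sorted(scan().items()):
        print(pid, ", ".join(libs))
```

Run it as root so that /proc/1/maps is readable.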
