• Bug#1069162: Problem starting at boot, MAINPID to kill is a root-owned

    From martin f krafft@21:1/5 to All on Wed Apr 17 11:00:01 2024
    Package: puppetserver
    Version: 7.9.5-2
    Severity: normal

    I found puppetserver failing to boot, because the `ExecStartPost`
    line fails:

    ```
    [Service]
    ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
    ```

    Adding a little debugging output, I find `$MAINPID` pointing to the wrong process, and the `kill` failing:

    ```
    sh[653]: + ps -fp 652
    sh[653]: UID PID PPID C STIME TTY TIME CMD
    sh[653]: root 652 1 0 10:34 ? 00:00:00 (java)
    sh[653]: + kill -0 652 Apr 17 10:18:27
    sh[653]: sh: 1: kill: Operation not permitted
    ```

    It's unclear to me why `$MAINPID` points at the root-owned `java` process, or why that process is even started as root, given that `User=puppet` is specified.

    This only happens during boot, and not 100% of the time. When the service is restarted later, it works fine.

    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (500, 'unstable'), (1, 'experimental')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.6.13-amd64 (SMP w/8 CPU threads; PREEMPT)
    Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages puppetserver depends on:
    ii default-jre-headless 2:1.17-75
    pn jruby <none>
    pn libclj-time-clojure <none>
    pn libclojure-java <none>
    pn libcomidi-clojure <none>
    pn libcommons-exec-java <none>
    ii libcommons-io-java 2.16.0-1
    pn libcommons-lang-java <none>
    pn libdropwizard-metrics-java <none>
    pn libdujour-version-check-clojure <none>
    pn libjruby-utils-clojure <none>
    pn libkitchensink-clojure <none>
    pn libliberator-clojure <none>
    pn libprismatic-schema-clojure <none>
    pn libpuppetlabs-http-client-clojure <none>
    pn libpuppetlabs-i18n-clojure <none>
    pn libpuppetlabs-ring-middleware-clojure <none>
    pn libraynes-fs-clojure <none>
    pn librbac-client-clojure <none>
    pn libsemver-clojure <none>
    pn libshell-utils-clojure <none>
    pn libslingshot-clojure <none>
    pn libssl-utils-clojure <none>
    pn libtrapperkeeper-authorization-clojure <none>
    pn libtrapperkeeper-clojure <none>
    pn libtrapperkeeper-comidi-metrics-clojure <none>
    pn libtrapperkeeper-filesystem-watcher-clojure <none>
    pn libtrapperkeeper-metrics-clojure <none>
    pn libtrapperkeeper-scheduler-clojure <none>
    pn libtrapperkeeper-status-clojure <none>
    pn libtrapperkeeper-webserver-jetty9-clojure <none>
    pn libyaml-snake-java <none>
    ii procps 2:4.0.4-4
    pn puppet-agent <none>
    ii ruby 1:3.1+nmu1
    ii ruby-concurrent 1.2.3-2
    pn ruby-deep-merge <none>
    pn ruby-fast-gettext <none>
    pn ruby-gettext <none>
    pn ruby-hocon <none>
    ii ruby-locale 2.1.3-1
    pn ruby-puppet-resource-api <none>
    pn ruby-puppetserver-ca-cli <none>
    pn ruby-semantic-puppet <none>
    pn ruby-text <none>

    Versions of packages puppetserver recommends:
    pn puppet-module-puppetlabs-mailalias-core <none>

    puppetserver suggests no packages.


    --
    .''`. martin f. krafft <madduck@d.o>
    : :' : proud Debian developer
    `. `'` http://people.debian.org/~madduck
    `- Debian - when you have better things to do than fixing systems


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
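
In the debug output above, `kill -0` fails with "Operation not permitted", and the loop's `|| exit 1` handles that the same way as a process that no longer exists. The following is an added example, not part of the report or of the package's unit file: a readiness wait that separates the two cases. It assumes Linux with `/proc` mounted; the function names and `POLL_INTERVAL` are hypothetical.

```shell
#!/bin/sh
# Added example (not the puppetserver unit): distinguish "no permission to
# signal" from "process gone" while waiting for a readiness marker.
# Assumption: Linux procfs is mounted at /proc.

# pid_state PID -> prints "alive", "alive-eperm" or "gone"
pid_state() {
    if kill -0 "$1" 2>/dev/null; then
        echo alive
    elif [ -d "/proc/$1" ]; then
        # The PID exists but the caller may not signal it (EPERM),
        # for example because it runs under a different UID.
        echo alive-eperm
    else
        echo gone
    fi
}

# wait_ready MARKER PID [TRIES]
#   returns 0 once the first byte of MARKER is "1" (the check used on the page),
#   returns 1 if PID no longer exists,
#   returns 2 if TRIES polls pass without either happening.
wait_ready() {
    marker=$1
    pid=$2
    tries=${3:-60}
    while [ "$tries" -gt 0 ]; do
        if [ "$(head -c1 "$marker" 2>/dev/null)" = 1 ]; then
            return 0
        fi
        # Only a vanished process ends the wait; EPERM keeps polling.
        [ "$(pid_state "$pid")" = gone ] && return 1
        sleep "${POLL_INTERVAL:-1}"   # POLL_INTERVAL: hypothetical tuning knob
        tries=$((tries - 1))
    done
    return 2
}

# Intended call, using the variables from the unit on the page:
#   wait_ready "${RUNTIME_DIRECTORY}/restart" "$MAINPID"
```

Where `/proc` is mounted with `hidepid=2`, other users' PID directories are invisible, so the `/proc` check would report such a process as gone.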
  • From Jérôme Charao@21:1/5 to All on Wed Apr 17 14:40:02 2024
    Thanks for the bug report, that's a strange one indeed!

    One thing I'm wondering however, considering you're running unstable, is
    if the problem also occurs with the latest version of the puppetserver
    package, which is currently 8.4.0-3.

    -- Jérôme
