Project

General

Profile

Bug #3172

[murmur] Extra systemd options in config prevent start

ryry - 4 months ago - . Updated 4 months ago.

Status:
not-a-bug
Priority:
bug
Assignee:
-
% Done:

0%


Description

I thought this might have been related to https://bugs.archlinux.org/task/73466 , however on removing the affected parameter a similar problem still exists as follows:

Steps to reproduce.
Upgrade to 1.4.230-1
comment out SystemCallFilter=~@resources @privileged, /usr/lib/systemd/system/murmur.service
reload the systemctl daemon.

Outcome after restarting the systemd unit is that murmur fails to start and fails with exit code.

If you comment out all the new parameters added in the update so that the systemd unit file looks like the one in versions below 1.4.230 and reload and restart then murmur starts normally and as expected. If the user and group murmur are commented out but all the new ones left in, murmur starts but hangs and reports as active but the daemon is not up. Considering that the user and group murmur are already specified in /etc/murmur/murmur.ini and I believe it starts as root and drops to the less privileged murmur user, maybe that is part of the issue?

ryry

History

#1

Updated by bill-auger 4 months ago

  • Status changed from unconfirmed to forwarded upstream

from: https://bugs.archlinux.org/task/73466

(dvzrv) - Monday, 24 January 2022, 15:29 GMT
I will fix this in a pkgrel bump.

anyone experiencing the problem today needs to apply the change manually, or run the service manually, or wait another day or so

#2

Updated by ryry 4 months ago

Indeed, however the latest upstream from arch 1.4.230-2, only seems to remove the one line SystemCallFilter=~@resources @privileged, /usr/lib/systemd/system/murmur.service, which will still result in it failing to start, unless all the other parameters are removed from the unit file. So the problem may still persist after the upstream hits parabola repos? The orginal issue talks of crashing when a client tries to connect, which isn't the issue here, but given how many extra parameters there now are in the unit file compared to pre 1.4 versions, it may well part of a similar issue?

ryry

#3

Updated by ryry 4 months ago

It turns out this issue is now up-streamed to, here:
https://bugs.archlinux.org/task/73496

It appears that the change to the systemd unit was one for a better security/privileges situation. Before murmur would run as root and drop to the murmur user, whereas now it runs as the murmur user for the start and the systemd settings re privileges, prevents any change of privilege, which causes issues with the lets encrypt privkey and cert permissions and hence it exits with a failure. The above arch bug page lists how to deal with this change using either acl (and thus allowing murmur user strict access to only the files it needs or by deploying a hook/coping certs to another folder, the location off which is under discussion (according to the bug report disscussions at the bottom).

I can confirm after using acl, and using the new systemd unit config, murmur starts fine and can use the lets encrypt certs without any issue.

ryry

#4

Updated by nona 4 months ago

Small question off-topic: could this be prevented with another init system (e.g. OpenRC)? Not advocating for anything, trolling nor looking for a flame war. I just want to know. Thanks.

#5

Updated by ryry 4 months ago

I haven't used any other init systems myself, at least not day to day and with murmur. However It may work differently with them, as murmur daemon runs can be started and back grounded in the terminal and in that sense I guess is unaffected by the init system, but I don't personally know if openrc etc have similar settings or defaults as to the added settings in the systemd unit file?

ryry

#6

Updated by oaken-source 4 months ago

  • Status changed from forwarded upstream to not-a-bug

looking through the upstream ticket linked above, it seems like the new behavior is the expected one, so I'm closing this issue.

#7

Updated by bill-auger 4 months ago

yes, there never was anything for parabola to do about this - i
believe the OP opened this mainly as documentation, to share the
solution, for benefit of others who may have the same problem

#8

Updated by ryry 4 months ago

Indeed at first I wasn't sure if it was parabola specific issue as there where two separate issues and the latter hadn't been up streamed when I added the report, but both where upstreamed soon after, needless to say I added the solution I found upstream for the benefit of anyone else having the same problem.

Also available in: Atom PDF