wrong sysrq value in /usr/lib/sysctl.d/50-default.conf

Bug #1962038 reported by Steve Langasek
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| procps (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Impish | Won't Fix | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
| systemd (Ubuntu) | Fix Released | High | Lukas Märdian | |
| Impish | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | High | Lukas Märdian | |

Bug Description

[Impact]

I've just learned that systemd is setting kernel.sysrq to 16 in /usr/lib/sysctl.d/50-default.conf. This is inconsistent with /etc/sysctl.d/10-magic-sysrq.conf which intentionally sets it to 176 by default. systemd should drop its setting to defer to the file that we have been carrying in procps for a very long time.

Therefore, users can only sync their storage but not do any other actions using the magic sysrq key.

[Test Plan]

$ sysctl kernel.sysrq
=> This should show "kernel.sysrq = 176" as set by /etc/sysctl.d/10-magic-sysrq.conf
$ sysctl net.ipv4.conf.all.rp_filter
=> This should show "net.ipv4.conf.all.rp_filter=2" as set by /etc/sysctl.d/10-network-security.conf

[Where problems could occur]

 * This patch changes systemd's sysctl configuration in /lib/sysctl.d/*.conf
 * If something is broken it could fail to apply any of systemd's sysctl configuration, but Ubuntu's defaults from /etc/sysctl.d/*.conf would still be in place.

[Other Info]

 * None

Revision history for this message
Steve Langasek (vorlon) wrote :

we may want to audit /usr/lib/sysctl.d vs /etc/sysctl.d to verify if there are any other settings that are being shadowed.

Changed in systemd (Ubuntu):
importance: Undecided → High
Lukas Märdian (slyon)
tags: added: rls-jj-incoming
Revision history for this message
Lukas Märdian (slyon) wrote :

I've analyzed the situation on Jammy, Impish and Focal and got the following result:

Jammy+Impish:
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
=> shadowed but equal value
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.rp_filter = 2
=> shadows default.rp_filter & all.rp_filter (equal value)
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/usr/lib/sysctl.d/50-default.conf:kernel.sysrq = 16

Focal (shadowed, but equal value):
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

So the critical ones seem to be kernel.sysrq = 16 and the removal of -net.ipv4.conf.all.rp_filter

Settings shipped by procps:

Jammy:
root@jj:~# grep -v '^\s*$\|^\s*\#' -R /etc/sysctl.* # (excluding README.sysctl)
/etc/sysctl.d/10-zeropage.conf:vm.mmap_min_addr = 65536
/etc/sysctl.d/10-network-security.conf:net.ipv4.conf.default.rp_filter=2
/etc/sysctl.d/10-network-security.conf:net.ipv4.conf.all.rp_filter=2
/etc/sysctl.d/10-kernel-hardening.conf:kernel.kptr_restrict = 1
/etc/sysctl.d/99-cloudimg-ipv6.conf:net.ipv6.conf.all.use_tempaddr = 0
/etc/sysctl.d/99-cloudimg-ipv6.conf:net.ipv6.conf.default.use_tempaddr = 0
/etc/sysctl.d/10-ptrace.conf:kernel.yama.ptrace_scope = 1
/etc/sysctl.d/10-console-messages.conf:kernel.printk = 4 4 1 7
/etc/sysctl.d/10-ipv6-privacy.conf:net.ipv6.conf.all.use_tempaddr = 2
/etc/sysctl.d/10-ipv6-privacy.conf:net.ipv6.conf.default.use_tempaddr = 2
/etc/sysctl.d/10-magic-sysrq.conf:kernel.sysrq = 176

Impish:
- same as Jammy

Focal:
- same as Jammy, plus:
/etc/sysctl.d/10-link-restrictions.conf:fs.protected_hardlinks = 1
/etc/sysctl.d/10-link-restrictions.conf:fs.protected_symlinks = 1

Settings shipped by systemd:

Jammy:
root@jj:~# grep -v '^\s*$\|^\s*\#' -R /usr/lib/sysctl*
/usr/lib/sysctl.d/50-default.conf:kernel.sysrq = 16
/usr/lib/sysctl.d/50-default.conf:kernel.core_uses_pid = 1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.rp_filter = 2
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.accept_source_route = 0
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.accept_source_route = 0
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.accept_source_route
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.promote_secondaries
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.ping_group_range = 0 2147483647
/usr/lib/sysctl.d/50-default.conf:-net.core.default_qdisc = fq_codel
/usr/lib/sysctl.d/50-default.conf:fs.protected_hardlinks = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_symlinks = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_regular = 1
/usr/lib/sysctl.d/50-default.conf:fs.protected_fifos = 1
/usr/lib/sysctl.d/50-pid-max.conf:kernel.pid_max = 4194304

Impish:
- same as Jammy

Focal:
root@ff:~# grep -v '^\s*$\|^\s*\#' -R /usr/lib/sysctl*
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.promote_secondaries = 1
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.*.promote_secondaries = 1
/us...


Changed in systemd (Ubuntu):
status: New → Triaged
tags: added: fr-2083
tags: removed: rls-jj-incoming
Lukas Märdian (slyon)
description: updated
Lukas Märdian (slyon)
Changed in procps (Ubuntu Impish):
status: New → Won't Fix
tags: added: update-excuse
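
The audit of /usr/lib/sysctl.d against /etc/sysctl.d discussed in the comments above can be scripted. The following is an added example, not code from the bug report, procps or systemd: it models the sysctl.d(5) ordering (files applied in lexicographic order of file name across all directories, a same-named file in an earlier directory replacing later ones) and reports literal keys whose effective value differs from the value set in an earlier-sorted file. The directory list, the function names and the constructed SAMPLE are assumptions; glob keys and bare "-key" exclusion lines are skipped, and /etc/sysctl.conf is not read.

```python
import os

# Precedence assumed from sysctl.d(5): earlier directory wins for same-named files.
DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d"]

def collect(dirs=DIRS):
    """Return {path: text} for the *.conf files that would actually be read."""
    chosen = {}
    for d in filter(os.path.isdir, dirs):
        for name in os.listdir(d):
            if name.endswith(".conf"):
                chosen.setdefault(name, os.path.join(d, name))
    files = {}
    for path in chosen.values():
        try:
            with open(path, errors="replace") as f:
                files[path] = f.read()
        except OSError:
            continue
    return files

def parse(text):
    """Yield (key, value) for literal assignments; globs and bare '-key' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lstrip("-")  # a leading '-' only means "ignore failures"
        if not any(c in key for c in "*?["):
            yield key, " ".join(value.split())

def audit(files):
    """Apply files in file-name order; return (key, loser, old, winner, new) for real conflicts."""
    winner, findings = {}, []
    for path in sorted(files, key=os.path.basename):
        for key, value in parse(files[path]):
            prev = winner.get(key)
            if prev and prev[0] != path and prev[1] != value:
                findings.append((key, prev[0], prev[1], path, value))
            winner[key] = (path, value)
    return findings

# Constructed sample mirroring the files named in this bug report.
SAMPLE = {
    "/etc/sysctl.d/10-magic-sysrq.conf": "# comment\nkernel.sysrq = 176\n",
    "/etc/sysctl.d/10-network-security.conf": "net.ipv4.conf.all.rp_filter=2\n",
    "/usr/lib/sysctl.d/50-default.conf":
        "kernel.sysrq = 16\nnet.ipv4.conf.*.rp_filter = 2\n-net.ipv4.conf.all.rp_filter\n",
}

if __name__ == "__main__":
    for key, lpath, lval, wpath, wval in audit(collect() or SAMPLE):
        print(f"{key}: {lpath} sets {lval}, overridden by {wpath} with {wval}")
```

Settings that are shadowed with an equal value are not reported, so the output is limited to cases where the effective value changes.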
Revision history for this message
Dan Streetman (ddstreet) wrote :

> systemd should drop its setting to defer to the file that we have been carrying in procps for a very long time.

at some point it would be a better idea to drop the procps files and adjust the systemd defaults where/if needed. The sysctl configuration hasn't been applied by procps since upstart; with systemd, the systemd-sysctl service is what applies all the sysctl settings.

Revision history for this message
Lukas Märdian (slyon) wrote :

>> systemd should drop its setting to defer to the file that we have been carrying in procps for a very long time.
>
> at some point it would be a better idea to drop the procps files and adjust the systemd defaults where/if needed. The sysctl configuration hasn't been applied by procps since upstart; with systemd, the systemd-sysctl service is what applies all the sysctl settings.

We discussed this possibility during the Foundation team's meeting. But Steve wants to keep the policy in procps, as it has been in the past.

Changed in systemd (Ubuntu Jammy):
assignee: nobody → Lukas Märdian (slyon)
status: Triaged → In Progress
Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 1962038] Re: wrong sysrq value in /usr/lib/sysctl.d/50-default.conf

On Tue, Mar 08, 2022 at 04:11:45PM -0000, Lukas Märdian wrote:

> >> systemd should drop its setting to defer to the file that we have been
> >> carrying in procps for a very long time.

> > at some point it would be a better idea to drop the procps files and
> > adjust the systemd defaults where/if needed. The sysctl configuration
> > hasn't been applied by procps since upstart; with systemd, the
> > systemd-sysctl service is what applies all the sysctl settings.

> We discussed this possibility during the Foundation team's meeting. But
> Steve wants to keep the policy in procps, as it has been in the past.

That's my current preference; but regardless, any moving of this to systemd
would need to handle a proper migration of the config files on upgrade,
which has not been done here today.

Revision history for this message
Steve Langasek (vorlon) wrote :

dropping the update-excuse tag, since this bug has nothing to do with why the packages are or aren't migrating out of -proposed AFAIK

tags: removed: update-excuse
tags: added: update-excuse
Revision history for this message
Steve Langasek (vorlon) wrote :

oh correction, it does because of the added autopkgtest :)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 249.10-0ubuntu2

---------------
systemd (249.10-0ubuntu2) jammy; urgency=medium

  * Fix deadlock between pid1 and dbus-daemon (LP: #1871538)
    File: debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=100a7bfc2d0f82c3afbede04a022c655529cffac
  * Don't override Ubuntu's default sysctl values (LP: #1962038)
    File: debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b10cdb7da3539b3a3c3e619b470a75c83e46ef11

 -- Lukas Märdian <email address hidden> Tue, 08 Mar 2022 14:58:00 +0100

Changed in systemd (Ubuntu Jammy):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package procps - 2:3.3.17-6ubuntu2

---------------
procps (2:3.3.17-6ubuntu2) jammy; urgency=medium

  * Add basic autopkgtest to validate sysctl-defaults (LP: #1962038)

 -- Lukas Märdian <email address hidden> Fri, 25 Feb 2022 12:57:56 +0100

Changed in procps (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted systemd into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/248.3-1ubuntu8.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed verification-needed-impish
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/248.3-1ubuntu8.4)

All autopkgtests for the newly accepted systemd (248.3-1ubuntu8.4) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/248.3-1ubuntu8.4 (arm64, ppc64el)
debspawn/0.5.0-1 (s390x)
diaspora-installer/0.7.15.0+debian1 (s390x, arm64)
swupdate/2020.11-2 (ppc64el)
snapd/2.54.3+21.10.1ubuntu0.2 (s390x, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Nick Rosbrook (enr0n) wrote :

I tested systemd 248.3-1ubuntu8.4 from impish-proposed to verify the fix:

$ systemctl --version
systemd 248 (248.3-1ubuntu8.4)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS -OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP -LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

$ sysctl kernel.sysrq
kernel.sysrq = 176

$ sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 2

I am also currently investigating the autopkgtest regressions.

tags: added: verification-done-impish
removed: verification-needed-impish
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted systemd into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/248.3-1ubuntu8.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-impish
removed: verification-done-impish
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/248.3-1ubuntu8.4)

All autopkgtests for the newly accepted systemd (248.3-1ubuntu8.4) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/248.3-1ubuntu8.4 (arm64, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/248.3-1ubuntu8.5)

All autopkgtests for the newly accepted systemd (248.3-1ubuntu8.5) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

snapd/2.54.3+21.10.1ubuntu0.2 (s390x, ppc64el, arm64, amd64)
casper/1.465 (amd64)
tpm2-abrmd/unknown (ppc64el)
corosync-qdevice/unknown (ppc64el)
nftables/unknown (ppc64el)
udisks2/2.9.4-1 (arm64)
diaspora-installer/0.7.15.0+debian1 (arm64, s390x)
systemd/248.3-1ubuntu8.5 (armhf)
swupdate/2020.11-2 (s390x)
munin/2.0.57-1ubuntu1 (arm64, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Nick Rosbrook (enr0n) wrote :

The autopkgtest regressions blocking systemd 248.3-1ubuntu8.5 in impish-proposed have been resolved. The regressions were caused either by (1) network/infrastructure issues and succeeded on retry, or by (2) unrelated snapd regressions. The systemd 248.3-1ubuntu8.5 upload added an autopkgtest change for systemd to ignore failed snap mount units which are caused by unrelated snapd issues.

Given the nature of the 248.3-1ubuntu8.5 upload, the previous verification for 248.3-1ubuntu8.4 is still valid.

tags: added: verification-done verification-done-impish
removed: verification-needed verification-needed-impish
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 248.3-1ubuntu8.5

---------------
systemd (248.3-1ubuntu8.5) impish; urgency=medium

  * debian/tests/boot-and-services: Ignore failed snap mount units in test_no_failed (LP: #1967576)

systemd (248.3-1ubuntu8.4) impish; urgency=medium

  [ Lukas Märdian ]
  * Fix deadlock between pid1 and dbus-daemon (LP: #1871538)
    Author: Lukas Märdian
    File: debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f79535077473902bad911dc2652a2fff4066fa30
  * Don't override Ubuntu's default sysctl values (LP: #1962038)
    Author: Lukas Märdian
    File: debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3ba2764d8f77e616461c9722923f685fad79f8c6

systemd (248.3-1ubuntu8.3) impish; urgency=medium

  [ Jeremy Szu ]
  * Add a allowlist to unblock intel-hid on new HP machines (LP: #1955997)
    Author: Jeremy Szu
    File: debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=554d46e6a6ab80befd424ead7ffa8e6f993b5f66

 -- Nick Rosbrook <email address hidden> Fri, 01 Apr 2022 16:39:25 -0400

Changed in systemd (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
