After the upgrade, I manually run the systemd-sysusers command and see this.
root@j:~# SYSTEMD_LOG_LEVEL=debug systemd-sysusers polkit.conf
Failed to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Unable to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Failed to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Unable to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Failed to check if group polkitd already exists: Connection refused
So, the getgrnam() call in systemd-sysusers results in libnss-systemd attempting to make a varlink call to pid1 to check if the group exists as a dynamic group, but the varlink connection setup fails. This appears to go away after a reboot, but not a `systemctl daemon-reexec`.
I have yet to figure out the root cause on the systemd side. However, as a workaround, we could set SYSTEMD_NSS_BYPASS_DYNAMIC=1 when calling systemd-sysusers in polkitd.postinst. This should be safe because the polkitd package is creating a real user/group for polkitd, so a successful check from io.systemd.DynamicUser is irrelevant.
I have prepared a patch with this proposed workaround, but will continue to look into this from the systemd side.