Looks mostly like a networkd issue though it’s unclear exactly what the problem is there…
Can you show:
- ls -lh /
- ls -lh /run
- ls -lh /run/systemd
- ls -lh /run/systemd/journal
- systemctl cat systemd-networkd
Looks mostly like a networkd issue though it’s unclear exactly what the problem is there…
Can you show:
# ls -lh /
total 16K
drwxr-xr-x 1 root root 2.4K Sep 23 06:05 bin
drwxr-xr-x 1 root root 0 Jul 14 11:54 boot
drwxr-xr-x 8 root root 500 Oct 6 15:26 dev
drwxr-xr-x 1 root root 3.2K Sep 24 15:25 etc
drwxr-xr-x 1 root root 72 Sep 8 15:46 home
drwxr-xr-x 1 root root 462 Jul 15 19:43 lib
drwxr-xr-x 1 root root 40 Jul 14 11:50 lib64
drwxr-xr-x 1 root root 26 Sep 15 16:18 media
drwxr-xr-x 1 root root 0 Jul 14 11:49 mnt
drwxr-xr-x 1 root root 0 Jul 14 11:49 opt
dr-xr-xr-x 407 nobody nogroup 0 Oct 6 15:26 proc
drwx------ 1 root root 130 Sep 23 11:48 root
drwxr-xr-x 25 root root 820 Oct 6 16:11 run
drwxr-xr-x 1 root root 3.7K Sep 18 08:53 sbin
drwxr-xr-x 1 root root 46 Sep 15 16:16 snap
drwxr-xr-x 1 root root 0 Jul 14 11:49 srv
dr-xr-xr-x 13 nobody nogroup 0 Oct 6 15:26 sys
drwxrwxrwt 1 root root 410 Oct 6 16:11 tmp
drwxr-xr-x 1 root root 70 Jul 14 11:49 usr
drwxr-xr-x 1 root root 114 Sep 8 15:47 var
# ls -lh /run
total 20K
drwxr-xr-x 3 root root 60 Oct 6 15:26 NetworkManager
srw-rw-rw- 1 root root 0 Oct 6 15:26 acpid.socket
-rw------- 1 root root 0 Oct 6 15:31 agetty.reload
drwxr-xr-x 2 root root 60 Oct 6 15:28 apache2
-rw------- 1 root root 0 Oct 6 15:32 apport.lock
srw------- 1 root root 0 Oct 6 15:26 apport.socket
drwxr-xr-x 2 root root 240 Oct 6 15:34 cloud-init
drwxr-xr-x 2 root root 60 Oct 6 15:26 console-setup
-rw-r--r-- 1 root root 4 Oct 6 15:28 crond.pid
---------- 1 root root 0 Oct 6 15:28 crond.reboot
drwx------ 2 root root 40 Oct 6 15:26 cryptsetup
drwxr-xr-x 2 root root 60 Oct 6 15:26 dbus
prw------- 1 root root 0 Oct 6 15:26 dmeventd-client
prw------- 1 root root 0 Oct 6 15:26 dmeventd-server
drwxr-xr-x 2 glances glances 40 Oct 6 15:28 glances
lrwxrwxrwx 1 root root 25 Oct 6 15:26 initctl -> /run/systemd/initctl/fifo
drwxrwxrwt 5 root root 100 Oct 6 15:28 lock
drwxr-xr-x 2 root root 40 Oct 6 15:26 log
drwx------ 2 root root 80 Oct 6 15:26 lvm
drwxr-xr-x 2 root root 80 Oct 6 15:26 mount
drwxr-xr-x 2 mysql mysql 40 Oct 6 16:11 mysqld
drwxr-xr-x 2 root root 40 Oct 6 15:28 netns
-rw-r--r-- 1 root root 5 Oct 6 16:10 rsyslogd.pid
drwxr-xr-x 3 root root 60 Oct 6 15:28 salt
-rw-r--r-- 1 root root 3 Oct 6 15:28 salt-minion.pid
drwxrwxrwt 2 root utmp 40 Oct 6 15:26 screen
drwxr-xr-x 2 root root 40 Oct 6 15:26 sendsigs.omit.d
lrwxrwxrwx 1 root root 8 Oct 6 15:26 shm -> /dev/shm
drwxr-xr-x 4 root root 80 Oct 6 15:28 snapd
srw-rw-rw- 1 root root 0 Oct 6 15:26 snapd-snap.socket
srw-rw-rw- 1 root root 0 Oct 6 15:26 snapd.socket
drwxr-xr-x 2 root root 40 Oct 6 15:28 sshd
-rw-r--r-- 1 root root 4 Oct 6 15:28 sshd.pid
drwx--x--x 3 root root 60 Oct 6 15:26 sudo
drwxr-xr-x 20 root root 480 Oct 6 15:26 systemd
drwxr-xr-x 2 root root 60 Oct 6 15:26 udev
drwxr-xr-x 2 root root 40 Oct 6 15:26 user
-rw-rw-r-- 1 root utmp 768 Oct 6 15:31 utmp
drwxr-xr-x 2 root root 60 Oct 6 15:26 uuidd
# ls -lh /run/systemd
total 4.0K
drwxr-xr-x 2 root root 40 Oct 6 15:26 ask-password
-rw-r--r-- 1 root root 4 Oct 6 15:26 container
drwxr-xr-x 6 root root 180 Oct 6 15:26 generator
drwxr-xr-x 3 root root 60 Oct 6 15:26 generator.early
drwxr-xr-x 4 root root 140 Oct 6 15:26 generator.late
d--------- 3 root root 120 Oct 6 15:26 inaccessible
drwxr-xr-x 2 root root 60 Oct 6 15:26 initctl
drwxr-xr-x 3 root root 180 Oct 6 15:26 journal
drwxr-xr-x 2 root root 40 Oct 6 15:26 machines
drwxr-xr-x 4 systemd-network systemd-network 80 Oct 6 15:26 netif
drwxr-xr-x 2 root root 60 Oct 6 15:26 network
srwxrwxrwx 1 root root 0 Oct 6 15:26 notify
srwxrwxrwx 1 root root 0 Oct 6 15:26 private
drwxr-xr-x 2 systemd-resolve systemd-resolve 40 Oct 6 15:26 resolve
drwxr-xr-x 2 root root 60 Oct 6 16:13 seats
drwxr-xr-x 2 root root 40 Oct 6 15:26 sessions
-rw-r--r-- 1 root root 0 Oct 6 15:26 show-status
drwxr-xr-x 2 root root 40 Oct 6 15:26 shutdown
drwxr-xr-x 2 root root 40 Oct 6 15:26 system
drwx------ 2 root root 40 Oct 6 15:26 unit-root
drwxr-xr-x 2 root root 820 Oct 6 16:13 units
drwxr-xr-x 2 root root 40 Oct 6 15:26 users
# ls -lh /run/systemd/journal
total 4.0K
srw-rw-rw- 1 root root 0 Oct 6 15:26 dev-log
-rw-r--r-- 1 root root 0 Oct 6 15:26 flushed
-rw-r--r-- 1 root root 8 Oct 6 15:26 kernel-seqnum
srw-rw-rw- 1 root root 0 Oct 6 15:26 socket
srw-rw-rw- 1 root root 0 Oct 6 15:26 stdout
drwxr-xr-x 2 root root 160 Oct 6 16:13 streams
srw-rw-rw- 1 root root 0 Oct 6 15:26 syslog
# systemctl cat systemd-networkd
# /lib/systemd/system/systemd-networkd.service
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Network Service
Documentation=man:systemd-networkd.service(8)
ConditionCapability=CAP_NET_ADMIN
DefaultDependencies=no
# systemd-udevd.service can be dropped once tuntap is moved to netlink
After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target
Conflicts=shutdown.target
Wants=network.target
[Service]
Type=notify
Restart=on-failure
RestartSec=0
ExecStart=!!/lib/systemd/systemd-networkd
WatchdogSec=3min
User=systemd-network
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
[Install]
WantedBy=multi-user.target
Also=systemd-networkd.socket
Alias=dbus-org.freedesktop.network1.service
# We want to enable systemd-networkd-wait-online.service whenever this service
# is enabled. systemd-networkd-wait-online.service has
# WantedBy=network-online.target, so enabling it only has an effect if
# network-online.target itself is enabled or pulled in by some other unit.
Also=systemd-networkd-wait-online.service
stat /
too, for good measure.
# stat /
File: /
Size: 212 Blocks: 0 IO Block: 4096 directory
Device: 45h/69d Inode: 258 Links: 1
Access: (0744/drwxr--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-10-06 14:09:03.881696899 -0400
Modify: 2020-10-06 14:06:18.150317750 -0400
Change: 2020-10-06 14:06:18.150317750 -0400
Birth: -
# tail -f /var/log/syslog
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping Unattended Upgrades Shutdown...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping PM2 process manager...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping OpenBSD Secure Shell server...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping MySQL Community Server...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping Deferred execution scheduler...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping LSB: disk temperature monitoring daemon...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopping Dispatcher daemon for systemd-networkd...
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopped Initialize hardware monitoring sensors.
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopped Apply the settings specified in cloud-config.
Oct 6 14:13:35 lxd-mosaic systemd[1]: Stopped Wait until snapd is fully seeded.
Try chmod 755 /
and reboot the container. A mode of
0744
on / drops the execute (search) bit for group and other, which prevents directory traversal for any non-root user (such as the systemd-network user the networkd service runs as) and can cause all sorts of issues.
That did it. Can you explain what happened here?
No idea
Something in your container must have performed a chmod 744 /
somehow — either directly, for some odd reason, or more likely while meaning to change some other path with an incorrectly empty variable, e.g. chmod 744 /$mypath
with $mypath unset, or something like that.
This results in anyone but root being unable to traverse /, as the executable bit needed for directory traversal was missing from the group
and other
parts of the mask.
I’m not sure how this happened, though. I’ll dig. Thanks a lot for your help Stephan!