No networking, no permission for dmesg, syslog stopped logging

Looks mostly like a networkd issue though it’s unclear exactly what the problem is there…

Can you show:

  • ls -lh /
  • ls -lh /run
  • ls -lh /run/systemd
  • ls -lh /run/systemd/journal
  • systemctl cat systemd-networkd
# ls -lh /
total 16K
drwxr-xr-x   1 root   root    2.4K Sep 23 06:05 bin
drwxr-xr-x   1 root   root       0 Jul 14 11:54 boot
drwxr-xr-x   8 root   root     500 Oct  6 15:26 dev
drwxr-xr-x   1 root   root    3.2K Sep 24 15:25 etc
drwxr-xr-x   1 root   root      72 Sep  8 15:46 home
drwxr-xr-x   1 root   root     462 Jul 15 19:43 lib
drwxr-xr-x   1 root   root      40 Jul 14 11:50 lib64
drwxr-xr-x   1 root   root      26 Sep 15 16:18 media
drwxr-xr-x   1 root   root       0 Jul 14 11:49 mnt
drwxr-xr-x   1 root   root       0 Jul 14 11:49 opt
dr-xr-xr-x 407 nobody nogroup    0 Oct  6 15:26 proc
drwx------   1 root   root     130 Sep 23 11:48 root
drwxr-xr-x  25 root   root     820 Oct  6 16:11 run
drwxr-xr-x   1 root   root    3.7K Sep 18 08:53 sbin
drwxr-xr-x   1 root   root      46 Sep 15 16:16 snap
drwxr-xr-x   1 root   root       0 Jul 14 11:49 srv
dr-xr-xr-x  13 nobody nogroup    0 Oct  6 15:26 sys
drwxrwxrwt   1 root   root     410 Oct  6 16:11 tmp
drwxr-xr-x   1 root   root      70 Jul 14 11:49 usr
drwxr-xr-x   1 root   root     114 Sep  8 15:47 var


# ls -lh /run
total 20K
drwxr-xr-x  3 root    root     60 Oct  6 15:26 NetworkManager
srw-rw-rw-  1 root    root      0 Oct  6 15:26 acpid.socket
-rw-------  1 root    root      0 Oct  6 15:31 agetty.reload
drwxr-xr-x  2 root    root     60 Oct  6 15:28 apache2
-rw-------  1 root    root      0 Oct  6 15:32 apport.lock
srw-------  1 root    root      0 Oct  6 15:26 apport.socket
drwxr-xr-x  2 root    root    240 Oct  6 15:34 cloud-init
drwxr-xr-x  2 root    root     60 Oct  6 15:26 console-setup
-rw-r--r--  1 root    root      4 Oct  6 15:28 crond.pid
----------  1 root    root      0 Oct  6 15:28 crond.reboot
drwx------  2 root    root     40 Oct  6 15:26 cryptsetup
drwxr-xr-x  2 root    root     60 Oct  6 15:26 dbus
prw-------  1 root    root      0 Oct  6 15:26 dmeventd-client
prw-------  1 root    root      0 Oct  6 15:26 dmeventd-server
drwxr-xr-x  2 glances glances  40 Oct  6 15:28 glances
lrwxrwxrwx  1 root    root     25 Oct  6 15:26 initctl -> /run/systemd/initctl/fifo
drwxrwxrwt  5 root    root    100 Oct  6 15:28 lock
drwxr-xr-x  2 root    root     40 Oct  6 15:26 log
drwx------  2 root    root     80 Oct  6 15:26 lvm
drwxr-xr-x  2 root    root     80 Oct  6 15:26 mount
drwxr-xr-x  2 mysql   mysql    40 Oct  6 16:11 mysqld
drwxr-xr-x  2 root    root     40 Oct  6 15:28 netns
-rw-r--r--  1 root    root      5 Oct  6 16:10 rsyslogd.pid
drwxr-xr-x  3 root    root     60 Oct  6 15:28 salt
-rw-r--r--  1 root    root      3 Oct  6 15:28 salt-minion.pid
drwxrwxrwt  2 root    utmp     40 Oct  6 15:26 screen
drwxr-xr-x  2 root    root     40 Oct  6 15:26 sendsigs.omit.d
lrwxrwxrwx  1 root    root      8 Oct  6 15:26 shm -> /dev/shm
drwxr-xr-x  4 root    root     80 Oct  6 15:28 snapd
srw-rw-rw-  1 root    root      0 Oct  6 15:26 snapd-snap.socket
srw-rw-rw-  1 root    root      0 Oct  6 15:26 snapd.socket
drwxr-xr-x  2 root    root     40 Oct  6 15:28 sshd
-rw-r--r--  1 root    root      4 Oct  6 15:28 sshd.pid
drwx--x--x  3 root    root     60 Oct  6 15:26 sudo
drwxr-xr-x 20 root    root    480 Oct  6 15:26 systemd
drwxr-xr-x  2 root    root     60 Oct  6 15:26 udev
drwxr-xr-x  2 root    root     40 Oct  6 15:26 user
-rw-rw-r--  1 root    utmp    768 Oct  6 15:31 utmp
drwxr-xr-x  2 root    root     60 Oct  6 15:26 uuidd


# ls -lh /run/systemd
total 4.0K
drwxr-xr-x 2 root            root             40 Oct  6 15:26 ask-password
-rw-r--r-- 1 root            root              4 Oct  6 15:26 container
drwxr-xr-x 6 root            root            180 Oct  6 15:26 generator
drwxr-xr-x 3 root            root             60 Oct  6 15:26 generator.early
drwxr-xr-x 4 root            root            140 Oct  6 15:26 generator.late
d--------- 3 root            root            120 Oct  6 15:26 inaccessible
drwxr-xr-x 2 root            root             60 Oct  6 15:26 initctl
drwxr-xr-x 3 root            root            180 Oct  6 15:26 journal
drwxr-xr-x 2 root            root             40 Oct  6 15:26 machines
drwxr-xr-x 4 systemd-network systemd-network  80 Oct  6 15:26 netif
drwxr-xr-x 2 root            root             60 Oct  6 15:26 network
srwxrwxrwx 1 root            root              0 Oct  6 15:26 notify
srwxrwxrwx 1 root            root              0 Oct  6 15:26 private
drwxr-xr-x 2 systemd-resolve systemd-resolve  40 Oct  6 15:26 resolve
drwxr-xr-x 2 root            root             60 Oct  6 16:13 seats
drwxr-xr-x 2 root            root             40 Oct  6 15:26 sessions
-rw-r--r-- 1 root            root              0 Oct  6 15:26 show-status
drwxr-xr-x 2 root            root             40 Oct  6 15:26 shutdown
drwxr-xr-x 2 root            root             40 Oct  6 15:26 system
drwx------ 2 root            root             40 Oct  6 15:26 unit-root
drwxr-xr-x 2 root            root            820 Oct  6 16:13 units
drwxr-xr-x 2 root            root             40 Oct  6 15:26 users


# ls -lh /run/systemd/journal
total 4.0K
srw-rw-rw- 1 root root   0 Oct  6 15:26 dev-log
-rw-r--r-- 1 root root   0 Oct  6 15:26 flushed
-rw-r--r-- 1 root root   8 Oct  6 15:26 kernel-seqnum
srw-rw-rw- 1 root root   0 Oct  6 15:26 socket
srw-rw-rw- 1 root root   0 Oct  6 15:26 stdout
drwxr-xr-x 2 root root 160 Oct  6 16:13 streams
srw-rw-rw- 1 root root   0 Oct  6 15:26 syslog


# systemctl cat systemd-networkd
# /lib/systemd/system/systemd-networkd.service
#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Network Service
Documentation=man:systemd-networkd.service(8)
ConditionCapability=CAP_NET_ADMIN
DefaultDependencies=no
# systemd-udevd.service can be dropped once tuntap is moved to netlink
After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target
Conflicts=shutdown.target
Wants=network.target

[Service]
Type=notify
Restart=on-failure
RestartSec=0
ExecStart=!!/lib/systemd/systemd-networkd
WatchdogSec=3min
User=systemd-network
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes

[Install]
WantedBy=multi-user.target
Also=systemd-networkd.socket
Alias=dbus-org.freedesktop.network1.service

# We want to enable systemd-networkd-wait-online.service whenever this service
# is enabled. systemd-networkd-wait-online.service has
# WantedBy=network-online.target, so enabling it only has an effect if
# network-online.target itself is enabled or pulled in by some other unit.
Also=systemd-networkd-wait-online.service

stat / too for good measure

# stat /
  File: /
  Size: 212       	Blocks: 0          IO Block: 4096   directory
Device: 45h/69d	Inode: 258         Links: 1
Access: (0744/drwxr--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-10-06 14:09:03.881696899 -0400
Modify: 2020-10-06 14:06:18.150317750 -0400
Change: 2020-10-06 14:06:18.150317750 -0400
 Birth: -
# tail -f /var/log/syslog
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping Unattended Upgrades Shutdown...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping PM2 process manager...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping OpenBSD Secure Shell server...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping MySQL Community Server...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping Deferred execution scheduler...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping LSB: disk temperature monitoring daemon...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopping Dispatcher daemon for systemd-networkd...
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopped Initialize hardware monitoring sensors.
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopped Apply the settings specified in cloud-config.
Oct  6 14:13:35 lxd-mosaic systemd[1]: Stopped Wait until snapd is fully seeded.

Try chmod 755 / and reboot the container.

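Mode 0744 on / drops the execute (search) bit for group and other, so non-root users can no longer traverse the root directory. That would likely break anything running unprivileged, such as systemd-networkd, which the unit above runs with User=systemd-network.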

that did it. can you explain what happened here?

No idea 🙂

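Something in your container must have performed a `chmod 744 /` somehow, either directly for some odd reason or, more likely, while meaning to change some other path through an incorrectly empty variable: `chmod 744 /$mypath` or something like that. In a script, writing the path as `"/${mypath:?}"` makes the shell abort instead of silently falling back to `/` when the variable is empty or unset.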

This results in nobody but root being able to traverse /, as the execute bit needed for directory traversal was missing from the group and other parts of the mask.

I’m not sure how this happened, though. I’ll dig. Thanks a lot for your help Stephan!