Bugzilla – Full Text Bug Listing
| Summary: | Permission denied if run as systemd service | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Fabian Vogt <fvogt> |
| Component: | Basesystem | Assignee: | E-mail List <bnc-team-screening> |
| Status: | RESOLVED INVALID | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | | |
| Version: | Leap 42.1 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Seems to be a case of stuck apparmor profiles. Disabling apparmor entirely and rebooting fixed it.
Running openQA on Leap 42.1. openqa workers are started with the following service file:

> [Unit]
> Description=openQA Worker #%i
> Wants=apache2.service openqa-webui.service network.target
> After=apache2.service openqa-webui.service network.target openqa-slirpvde.service
> PartOf=openqa-worker.target
>
> [Service]
> Type=simple
> PermissionsStartOnly=True
> ExecStartPre=/usr/bin/install -d -m 0755 -o %u /var/lib/openqa/pool/%i
> ExecStart=/usr/share/openqa/script/worker --instance %i
> User=_openqa-worker
> KillMode=mixed
>
> [Install]
> WantedBy=multi-user.target

So the perl script is started as _openqa-worker user. This works fine for normal use, but if networking (VDE or OVS) is enabled, it causes various permission denied errors. Currently it's failing when trying to execute a binary (vdecmd/unixcmd), for no apparent reason. Before that it failed when accessing tapX IFs.

As those didn't make any sense (Owner of the files/taps was _openqa-worker) I tried starting the workers manually with "sudo -u _openqa-worker", which works just fine.

Is this a configuration issue (what's the difference between "User=_openqa-worker" and "sudo -u _openqa-worker"?) or a genuine bug?
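
An added example, not part of the original bug report or the openQA project: a shell helper that summarises AppArmor `DENIED` audit records per profile and reads a process's confinement label, the two checks that show whether a service's permission errors come from its profile rather than from file ownership. The audit records, binary paths and profile name are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage AppArmor denials for a confined service.
# All sample records, paths and the profile name below are constructed.

# Constructed audit records in the kernel's AppArmor key="value" layout.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1460000000.101:201): apparmor="DENIED" operation="exec" profile="/usr/share/openqa/script/worker" name="/usr/bin/vdecmd" pid=4211 comm="worker" requested_mask="x" denied_mask="x" fsuid=489 ouid=0
type=AVC msg=audit(1460000000.350:202): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/worker" name="/dev/net/tun" pid=4211 comm="qemu" requested_mask="rw" denied_mask="rw" fsuid=489 ouid=0
type=AVC msg=audit(1460000001.002:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1460000002.777:204): apparmor="DENIED" operation="exec" profile="/usr/share/openqa/script/worker" name="/usr/bin/vdecmd" pid=4290 comm="worker" requested_mask="x" denied_mask="x" fsuid=489 ouid=0
EOF
}

# Read audit records on stdin; print "count profile operation target mask",
# most frequent first. Only DENIED records count: ALLOWED ones come from
# profiles in complain mode and do not cause "Permission denied".
apparmor_denials() {
    awk '
    /apparmor="DENIED"/ {
        split("", f)                       # reset the per-record field map
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            v = substr($i, eq + 1); gsub(/"/, "", v)
            f[substr($i, 1, eq - 1)] = v
        }
        # File rules carry name=; capability denials carry capname= instead.
        target = ("name" in f) ? f["name"] : (("capname" in f) ? f["capname"] : "-")
        mask = ("denied_mask" in f) ? f["denied_mask"] : "-"
        n[f["profile"] " " f["operation"] " " target " " mask]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -rn
}

# Print the AppArmor label of a running process ("unconfined" or
# "<profile> (enforce|complain)"); lets you compare a systemd-started
# worker with one started by hand.
confinement_of() {
    cat "/proc/$1/attr/current" 2>/dev/null || echo "unknown"
}

sample_audit_log | apparmor_denials
```

On a live host, pipe `/var/log/audit/audit.log` or the kernel log into `apparmor_denials` instead of the sample, and pass the worker's PID to `confinement_of`.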