Weekly Changes – 03/04/2023
There were fewer changes this week for the Ubuntu Jammy platform as the focus moves on to hardware testing. Nevertheless this was a busy week, solving some interesting and challenging problems with Systemd and Apparmor. Here are all the notable details…
Ubuntu Jammy
Details of recent progress on the Ubuntu Jammy platform are now recorded separately, see the latest report.
pam_nologin and systemd-user-sessions.service
On DICE we use the PAM nologin module to deny login access whilst doing maintenance on multi-user systems. Recently we noticed after a reboot that users were able to log in because the /etc/nologin file, which had been created by the LCFG auth component, had been deleted. Investigations revealed that it was being deleted on every boot by the systemd-user-sessions service. The intention of that service is that it creates /run/nologin on shutdown and then deletes it on the next boot once the system is "ready" for user access. For historical reasons it also deletes /etc/nologin (which isn't documented anywhere), and that breaks our assumption that the file will persist for as long as necessary. To work around this problem on DICE we have introduced a replacement systemd-user-sessions service which only touches the run file:
[Unit]
Description=Permit User Sessions (LCFG)
After=remote-fs.target nss-user-lookup.target sshd.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Only the run-time marker is removed; /etc/nologin is left alone.
ExecStart=/usr/bin/rm -f /run/nologin
# systemd does not interpret shell redirection in Exec lines, so the
# maintenance marker has to be written through a shell.
ExecStop=/bin/sh -c 'echo "This system is currently down for maintenance." > /run/nologin'
So that everyone benefits from the improved version, we will move this to the LCFG level once we’re happy it’s working as expected.
This has been reported to the Systemd project – issue 26965 – so at some point in the future we should see an upstream fix.
apparmor
There is a new header which can be used to completely disable the apparmor Linux security module. We had previously assumed that disabling the Systemd apparmor service was sufficient. It turns out that only stops the profiles being loaded at boot; the LSM itself stays active in the kernel, so anything which loads a profile later (such as a package postinst script reloading its own profile during an upgrade) confines the process again. The only way to fully disable it is to pass the apparmor=0 option on the kernel command line.
Having apparmor enabled spectacularly broke the LCFG dns component on DICE Ubuntu last week when the bind9 packages were upgraded and is likely to cause problems for other components which do not behave exactly as expected in the upstream apparmor rules.
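The following is an added example, not LCFG code, showing the two checks a practitioner wants here: whether AppArmor is really off (apparmor=0 on the kernel command line) as opposed to the service merely being disabled, and an idempotent edit of /etc/default/grub to add the kernel option. The function names and the sample cmdline/grub contents are assumptions constructed for the example; the sysfs path /sys/module/apparmor/parameters/enabled and the update-grub step are the standard Ubuntu ones.

```shell
#!/bin/sh
# Added example (not LCFG's own code): distinguish "apparmor.service disabled"
# from "AppArmor LSM disabled", and add apparmor=0 to the GRUB kernel options.

# Returns 0 if apparmor=0 appears as a whole word in the kernel command line
# held in the file named by $1 (normally /proc/cmdline).
cmdline_disables_apparmor() {
    tr ' ' '\n' < "$1" | grep -qxF 'apparmor=0'
}

# Returns 0 if the LSM reports itself enabled via the sysfs file named by $1
# (normally /sys/module/apparmor/parameters/enabled, containing Y or N).
# Note this is independent of whether apparmor.service is enabled: the service
# only loads profiles, it does not switch the LSM on or off.
lsm_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Prints one word describing the state, given the cmdline file ($1) and the
# sysfs "enabled" file ($2).
apparmor_report() {
    if cmdline_disables_apparmor "$1"; then
        echo disabled-at-boot
    elif lsm_enabled "$2"; then
        echo lsm-active
    else
        echo lsm-not-loaded
    fi
}

# Idempotently adds the kernel argument $2 (e.g. apparmor=0) to the
# GRUB_CMDLINE_LINUX line of the /etc/default/grub-style file $1.
# After editing the real file, run update-grub and reboot for it to take effect.
add_kernel_arg() {
    f=$1
    arg=$2
    if grep -q '^GRUB_CMDLINE_LINUX=' "$f"; then
        # Already present as a whole word? Then nothing to do.
        if grep '^GRUB_CMDLINE_LINUX=' "$f" | tr ' "' '\n\n' | grep -qxF "$arg"; then
            return 0
        fi
        # Append inside the quotes, then tidy the leading space left when the
        # original value was empty ("").
        sed -i \
            -e "s|^GRUB_CMDLINE_LINUX=\"\(.*\)\"\$|GRUB_CMDLINE_LINUX=\"\1 $arg\"|" \
            -e 's|^GRUB_CMDLINE_LINUX=" |GRUB_CMDLINE_LINUX="|' "$f"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$arg" >> "$f"
    fi
}

# With --live, report on the running system.
case "${1:-}" in
    --live) apparmor_report /proc/cmdline /sys/module/apparmor/parameters/enabled ;;
esac
```

Run it with `--live` on a host where only the service has been disabled and it still reports lsm-active, which is the situation that bit the dns component: a later `apparmor_parser -r` from a package upgrade confines the daemon again. Only after add_kernel_arg has put apparmor=0 into /etc/default/grub, followed by update-grub and a reboot, does the report change to disabled-at-boot.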
Ubuntu Installer
The new installer copies all logs from the install process into the /var/log/install directory on the target host. Since install logs can contain details that should not be visible to every user, a new install method has been added to tighten up the permissions on that directory so that it is not publicly readable.
aptly
The aptly package repository management software has been updated to 1.5.0 for Ubuntu. Several Go libraries required for building the package are not available on Focal, so this package provides the pre-built binaries from the project website rather than being built from source.
The LCFG header also now ensures that gnupg is installed.
rsyslog
The Systemd configuration for rsyslog on Ubuntu now sets LimitNOFILE=16384 to match SL7. This is the upstream default setting on Ubuntu, so it doesn't change anything, but exposing the option through a resource allows it to be changed easily when necessary.
hardware component
The LCFG hardware component has been modified to deal with changes to localectl behaviour on Ubuntu Jammy.
DNS component
The LCFG dns component has been modified as some utilities are now found in different locations on Ubuntu Jammy.
truecrypt/veracrypt
The veracrypt disk encryption software is now available on DICE Ubuntu systems. This is using the pre-built packages provided on the upstream website. By default only the allocated user for a system will have permission to run the software using sudo.
Changes to headers and package lists
Members of the Informatics Computing team can browse all the changes to the headers and package lists.