Problems with systemd after newest update #3352

Closed
JustArchi opened this issue Dec 3, 2024 Discussed in #3351 · 14 comments
Labels
☑️ Already possible Issues marked with this label are already possible to achieve with existing solutions. 🏁 Finished Issues marked with this label were finished already and no further work is required on them. 🐍 Not a bug Issues marked with this label indicate that given behaviour is intended to happen - not a bug.

Comments

@JustArchi
Member

Discussed in #3351

Originally posted by Ren108 December 2, 2024
After updating DotNet to version 9 and updating ASF to the latest version, I am unable to execute start ArchiSteamFarm@asf

image

However, I can still run dotnet /home/asf/ArchiSteamFarm/ArchiSteamFarm.dll with no issues... Any suggestions?

For now I will run dotnet /home/asf/ArchiSteamFarm/ArchiSteamFarm.dll in screen...

@JustArchi JustArchi added 🐛 Bug Issues marked with this label indicate unintended program behaviour that needs correction. 💭 Acknowledged Issues marked with this label were acknowledged, but weren't verified yet, waiting for confirmation. 🟢 Low priority Issues marked with this label are actively being worked on if nothing serious is on the list. ⁉️ Can't reproduce Issues marked with this label can't be reproduced by the developer, more info needed. labels Dec 3, 2024
@JustArchi
Member Author

JustArchi commented Dec 3, 2024

@Ren108 I can't reproduce this, so I'll need more details from you.

Somewhere in dmesg, right after the program crashes (it's actually systemd killing the process for security reasons), you should have kernel information about what exactly killed the process.

This is an example of what you're looking for in dmesg:

[ 3345.424812] audit: type=1326 audit(1733217842.742:43): auid=4294967295 uid=1000 gid=1000 ses=4294967295 subj=unconfined pid=20759 comm="ArchiSteamFarm" exe="/home/archi/ArchiSteamFarm/ArchiSteamFarm" sig=31 arch=c000003e syscall=267 compat=0 ip=0x7fabc8c2b0a7 code=0x80000000

Please reproduce your issue and let me know. I won't be able to go forward with this issue without that information, as I'm unable to reproduce it on my Debian machine.

@JustArchi JustArchi added the 🤔 Requires more info Issues marked with this label are incomplete - please provide requested details for moving forward. label Dec 3, 2024
@Ren108

Ren108 commented Dec 3, 2024

[Dez 3 10:53] audit: type=1400 audit(1733219572.779:5882): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxc-305_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=3829455 comm="(dotnet)" srcname="/" flags="rw, rbind"
[ +0,990917] audit: type=1326 audit(1733219573.770:5883): auid=4294967295 uid=1001 gid=1001 ses=4294967295 subj=lxc-305_</var/lib/lxc>//&:lxc-305_<-var-lib-lxc>:unconfined pid=3829455 comm=2E4E455420545020576F726B6572 exe="/usr/lib/dotnet/dotnet" sig=31 arch=c000003e syscall=27 compat=0 ip=0x7fac3791ebab code=0x80000000
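
Added example (not part of the thread and not ASF's code): a small Python decoder for the type=1326 seccomp audit records quoted above, turning the syscall number and the hex-encoded comm field into readable values. The function names are illustrative, and the syscall table is a two-entry excerpt of the x86_64 table covering only the numbers seen in this thread.

```python
import re

# Records quoted in this thread, trimmed to the fields used below.
SAMPLE = (
    'audit: type=1326 audit(1733217842.742:43): uid=1000 comm="ArchiSteamFarm" '
    'exe="/home/archi/ArchiSteamFarm/ArchiSteamFarm" sig=31 arch=c000003e syscall=267\n'
    'audit: type=1400 audit(1733219572.779:5882): apparmor="DENIED" operation="mount" '
    'audit: type=1326 audit(1733219573.770:5883): uid=1001 comm=2E4E455420545020576F726B6572 '
    'exe="/usr/lib/dotnet/dotnet" sig=31 arch=c000003e syscall=27\n'
)

# Two-entry excerpt of the x86_64 syscall table: only the numbers seen above.
X86_64_SYSCALLS = {27: "mincore", 267: "readlinkat"}
AUDIT_ARCHES = {0xC000003E: "x86_64"}  # AUDIT_ARCH_X86_64
AUDIT_SECCOMP = "1326"                 # audit record type for seccomp actions
SIGSYS = 31                            # signal a seccomp kill delivers on x86_64
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(value):
    """Quoted values are literal; the kernel hex-encodes names with spaces."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_seccomp_records(text):
    """Return one dict per type=1326 record, skipping other audit types."""
    records = []
    # Several records can share one physical line, so split on the prefix.
    for chunk in text.split("audit: ")[1:]:
        fields = dict(FIELD.findall(chunk))
        if fields.get("type") != AUDIT_SECCOMP:
            continue
        arch, nr = int(fields["arch"], 16), int(fields["syscall"])
        # Syscall numbers are per-architecture: only map them for a known arch.
        table = X86_64_SYSCALLS if AUDIT_ARCHES.get(arch) == "x86_64" else {}
        records.append({
            "comm": decode_comm(fields["comm"]),
            "exe": fields["exe"].strip('"'),
            "sigsys": int(fields["sig"]) == SIGSYS,
            "arch": AUDIT_ARCHES.get(arch, hex(arch)),
            "syscall": table.get(nr, f"unknown({nr})"),
        })
    return records

if __name__ == "__main__":
    print(*parse_seccomp_records(SAMPLE), sep="\n")
```

For syscall numbers outside this excerpt, the `ausyscall` utility from the audit userspace tools resolves them per architecture.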

@JustArchi
Member Author

JustArchi commented Dec 3, 2024

Based on the above log, you're running ASF in an LXC container and not natively in systemd. Apparently, this is less secure, as it requires calls that are normally NOT needed for running ASF and that ASF's systemd service explicitly disallows.

You can use systemctl edit ArchiSteamFarm@ to add an override for the ASF service; in your case you'll need to disable SystemCallFilter.

### Editing /etc/systemd/system/ArchiSteamFarm@.service.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file

[Service]
SystemCallFilter=

### Edits below this comment will be discarded


### /etc/systemd/system/ArchiSteamFarm@.service
# [Install]
# WantedBy=multi-user.target
(...)

See https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Management#overriding-part-of-the-service-unit for more details.

Since I don't believe disabling additional security measures by ASF is a good idea only to make ASF work in LXC, I believe there isn't anything to improve in this regard. If users want to run ASF in less secure environments, including additional sandboxes that require additional privileges, then it's expected of them to modify ASF's example systemd unit to suit their needs.

And yes, I acknowledge that it could've been working in the past (.NET 8), but it doesn't change the above.

@JustArchi JustArchi closed this as not planned Won't fix, can't repro, duplicate, stale Dec 3, 2024
@JustArchi JustArchi added ❌ Won't fix Issues marked with this label are not considered and they won't receive any development action. 🐍 Not a bug Issues marked with this label indicate that given behaviour is intended to happen - not a bug. ☑️ Already possible Issues marked with this label are already possible to achieve with existing solutions. 👎 Not going to happen Issues marked with this label are not going to be implemented into the program. and removed 🐛 Bug Issues marked with this label indicate unintended program behaviour that needs correction. ⁉️ Can't reproduce Issues marked with this label can't be reproduced by the developer, more info needed. 💭 Acknowledged Issues marked with this label were acknowledged, but weren't verified yet, waiting for confirmation. 🟢 Low priority Issues marked with this label are actively being worked on if nothing serious is on the list. 🤔 Requires more info Issues marked with this label are incomplete - please provide requested details for moving forward. labels Dec 3, 2024
@Ren108

Ren108 commented Dec 3, 2024

I am not that familiar with Linux. I just followed the tutorial on the GitHub wiki and that's the result after updating. How can I enable that security? I have not disabled that knowingly.

@JustArchi
Member Author

JustArchi commented Dec 3, 2024

I'd recommend you just override the unit for your environment instead. Ubuntu is known for doing things differently than all other Linux distros; unless you have motivation to change to another Linux distro, it's easier to fix ASF to work in this situation than to reinstall or fiddle with its differences. Especially considering I can't really provide you Ubuntu support, since I don't use that distro.

@Ren108

Ren108 commented Dec 3, 2024

So everyone with an Ubuntu distro will face this issue?

@JustArchi
Member Author

JustArchi commented Dec 3, 2024

No, I already said I don't know your environment - this is a clean install of Ubuntu 24.10, both ASF generic and OS-specific work fine, without any edits.

Screenshot From 2024-12-03 17-02-04
Screenshot From 2024-12-03 17-05-13

@Ren108

Ren108 commented Dec 3, 2024

As you can see in the screenshot, it's 22.04.5 LTS.

@JustArchi
Member Author

Okay, but I'm not going to test thousands of different distributions and versions to ensure that ASF works on all of them, and fix their bugs.

I tested the latest version of Debian, the latest version of Ubuntu, on top of the latest versions of other distros - ASF works fine there. I do not know why ASF doesn't work on Ubuntu 22.04 LTS, and since it's not the latest version of Ubuntu I don't believe it's a problem on ASF's end - likely some bug that got corrected in the newer release (because it works there).

I do not provide distro-specific and especially distro-version-specific support here in the ASF repo. I presented you two solutions above - either upgrading to the latest Ubuntu version, or adding a systemd override for your specific environment problem. If you're not satisfied with those solutions, then you can ask Ubuntu support why this specific app does not work with the systemd shipped there, because I'm not going to dig into distro-specific internals to find out why, considering the newer version of the same distro works fine.

@Ren108

Ren108 commented Dec 3, 2024

As I stated above, I am not that familiar with Linux. You said you don't know my environment, but it was readable in my screenshot. I will try to upgrade my distro to 24 LTS and hopefully I will get rid of that bug ;) Thx for your help so far.

@ezhevita
Member

ezhevita commented Dec 3, 2024

> As I stated above, I am not that familiar with Linux. You said you don't know my environment, but it was readable in my screenshot. I will try to upgrade my distro to 24 LTS and hopefully I will get rid of that bug ;) Thx for your help so far.

This is less of an OS issue and more of a "where did you get this server/machine" issue: you have an LXC container instead of a VM or just running bare metal, so you should contact your machine provider about this; they probably manage permissions for your container.

@Ren108

Ren108 commented Dec 3, 2024

Oh OK, I see... As it's a rented server, I should do that.

@JustArchi JustArchi removed ❌ Won't fix Issues marked with this label are not considered and they won't receive any development action. 👎 Not going to happen Issues marked with this label are not going to be implemented into the program. labels Dec 5, 2024
JustArchi added a commit that referenced this issue Dec 5, 2024
@JustArchi
Member Author

FYI, I've added a fix for that in V6.1.0.3, since I managed to grab more details and determined that even if it's not really an ASF issue, there is no reason to have an overly aggressive system call filter.

@JustArchi JustArchi added the 🏁 Finished Issues marked with this label were finished already and no further work is required on them. label Dec 5, 2024
@Ren108

Ren108 commented Dec 6, 2024

Thx in the name of others that don't know LXC containers ;) I myself never heard of it. I only knew VM.
