Bugzilla – Bug 1216628
tpm2-0-tss: tpm2-tss-fapi.conf: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
Last modified: 2023-12-22 15:00:12 UTC
systemd v254 complains about some entries in /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:

> localhost:/home/dev # journalctl -b -o short-monotonic | grep -e "Switching root" -e "Failed to parse ACL" -e "systemd-tmpfiles"
> [ 0.981616] localhost systemd[1]: Starting systemd-tmpfiles-setup-dev-early.service...
> [ 0.996270] localhost systemd[1]: Finished systemd-tmpfiles-setup-dev-early.service.
> [ 0.951089] localhost systemd-tmpfiles[190]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
> [ 0.951182] localhost systemd-tmpfiles[190]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
> [ 0.957291] localhost systemd[1]: Starting systemd-tmpfiles-setup-dev.service...
> [ 0.966039] localhost systemd[1]: Finished systemd-tmpfiles-setup-dev.service.
> [ 0.969147] localhost systemd[1]: Starting systemd-tmpfiles-setup.service...
> [ 0.973000] localhost systemd[1]: Finished systemd-tmpfiles-setup.service.
> [ 385.095563] localhost systemd[1]: systemd-tmpfiles-setup.service: Deactivated successfully.
> [ 385.095931] localhost systemd[1]: Stopped systemd-tmpfiles-setup.service.
> [ 385.120665] localhost systemd[1]: systemd-tmpfiles-setup-dev.service: Deactivated successfully.
> [ 385.120786] localhost systemd[1]: Stopped systemd-tmpfiles-setup-dev.service.
> [ 385.121256] localhost systemd[1]: systemd-tmpfiles-setup-dev-early.service: Deactivated successfully.
> [ 385.121366] localhost systemd[1]: Stopped systemd-tmpfiles-setup-dev-early.service.
> [ 385.148920] localhost systemd[1]: Switching root.
> localhost:/home/dev # grep -r -n --color "default:group:tss:rwx" /{etc,usr/lib}/tmpfiles.d/
> /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:3:a+ /var/lib/tpm2-tss/system/keystore - - - - default:group:tss:rwx
> /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:5:a+ /run/tpm2-tss/eventlog - - - - default:group:tss:rwx
> localhost:/home/dev # rpm -qf /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf
> libtss2-fapi1-4.0.1-2.2.x86_64

I'm not sure if this is a tpm2-tss or systemd issue, further investigation is necessary.
Do you have the 'tss' group configured when this happens?

```
$ grep tss /etc/group
tss:x:98:
```
(In reply to Matthias Gerstner from comment #1)
> Do you have the 'tss' group configured when this happens?
>
> $ grep tss /etc/group
> tss:x:98:

No, that's the problem, since systemd-v254 introduced systemd-tmpfiles-setup-dev-early the group creation happens after:

> [ 1.292449] localhost systemd[1]: Starting systemd-tmpfiles-setup-dev-early.service...
> [ 1.310492] localhost systemd[1]: Finished systemd-tmpfiles-setup-dev-early.service.
> [ 1.311963] localhost systemd[1]: Starting systemd-sysusers.service...
> [ 1.324310] localhost systemd[1]: Finished systemd-sysusers.service.
> [ 1.287280] localhost systemd-tmpfiles[192]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
> [ 1.287340] localhost systemd-tmpfiles[192]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
> [ 1.287391] localhost systemd-sysusers[198]: Creating group 'tss' with GID 98.
> [ 1.287450] localhost systemd-sysusers[198]: Creating user 'tss' (TSS daemon) with UID 98 and GID 98.
> [ 1.345281] localhost systemd[1]: Starting systemd-tmpfiles-setup-dev.service...
> [ 1.292545] localhost systemd[1]: Finished systemd-tmpfiles-setup-dev.service.
> [ 1.296431] localhost systemd[1]: Starting systemd-tmpfiles-setup.service...
> [ 1.300444] localhost systemd[1]: Finished systemd-tmpfiles-setup.service.
Excerpt from https://github.com/systemd/systemd/commit/bb7f485f

```
This makes tmpfiles, sysusers, and udevd invoked in the following order:
1. systemd-tmpfiles-setup-dev-early.service
   Create device nodes gracefully, that is, create device nodes anyway by
   ignoring unknown users and groups.
2. systemd-sysusers.service
   Create users and groups, to make later invocations of tmpfiles and udevd
   can resolve necessary users and groups.
3. systemd-tmpfiles-setup-dev.service
   Adjust owners of previously created device nodes.
```

So maybe it's a warning that can be ignored.
I cannot really reproduce your issue. How do you get into this state?

I just used an up-to-date Tumbleweed, installed libtss2-fapi1, and both user and tmpfiles are correctly set up, no warnings occurring.
(In reply to Matthias Gerstner from comment #4)
> I cannot really reproduce your issue. How do you get into this state?
>
> I just used an up-to-date Tumbleweed, installed libtss2-fapi1, and both user
> and tmpfiles are correctly set up, no warnings occurring.

systemd is configured to auto-unlock the root fs from the initrd.

- /boot unencrypted
- / encrypted: LUKS2, TPM2 token enrolled with `systemd-cryptenroll`, entry in /etc/crypttab with `tpm2-device=auto`, initrd rebuilt after that.

Seen after setting up https://bugzilla.suse.com/show_bug.cgi?id=1216244#c0 in Tumbleweed.
I don't have a suitable test environment to reproduce this then.

From the context I can imagine that this is already triggered in the initrd before control is transferred to the root file system. Since the TPM stack is used here during boot already it could be that the tmpfile setup is triggered, but the tss user does not exist in the initrd.

But that is just wild guessing.
(In reply to Matthias Gerstner from comment #6)
> I don't have a suitable test environment to reproduce this then.

Easy way to reproduce it:

```
# dracut -f -a tpm2-tss
# reboot
```

>
> From the context I can imagine that this is already triggered in the initrd
> before control is transferred to the root file system. Since the TPM stack is
> used here during boot already it could be that the tmpfile setup is
> triggered,
> but the tss user is not existing in the initrd.
>
> But that is just wild guessing.

Yes, that is what is happening. This new systemd-tmpfiles-setup-dev-early.service is ordered before systemd-sysusers, but after that the old systemd-tmpfiles-setup-dev.service runs without error.

Stopping the boot process before dracut-cmdline shows:

```
sh-5.2# stat /var/lib/tpm2-tss/system/keystore
  File: /var/lib/tpm2-tss/system/keystore
  Size: 0 Blocks: 0 IO Block: 4096 directory
Device: 0,2 Inode: 478 Links: 2
Access: (2775/drwxrwsr-x) Uid: ( 98/ tss) Gid: ( 98/ tss)
Access: 2023-10-27 08:10:38.126666663 +0000
Modify: 2023-10-27 08:08:52.869999999 +0000
Change: 2023-10-27 08:08:52.869999999 +0000
 Birth: -
sh-5.2# stat /run/tpm2-tss/eventlog
  File: /run/tpm2-tss/eventlog
  Size: 40 Blocks: 0 IO Block: 4096 directory
Device: 0,26 Inode: 112 Links: 2
Access: (2775/drwxrwsr-x) Uid: ( 98/ tss) Gid: ( 98/ tss)
Access: 2023-10-27 08:08:52.869999999 +0000
Modify: 2023-10-27 08:08:52.869999999 +0000
Change: 2023-10-27 08:08:52.869999999 +0000
 Birth: 2023-10-27 08:08:52.869999999 +0000
```

So I think everything is ok, but maybe systemd-tmpfiles should not log this kind of error when it's executed before systemd-sysusers, but only after that.
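A check for the condition diagnosed above, as an added example that is not part of this bug report and not code from systemd or tpm2-tss: it lists tmpfiles.d ACL lines that name a user or group absent from a given root tree, such as an unpacked initrd. The function names and the sample tree are constructed for illustration; the two ACL lines are the ones quoted in the report.

```shell
#!/bin/sh
# Report tmpfiles.d ACL entries ("a"/"a+" lines) that name a user or group
# missing from ROOT/etc/passwd or ROOT/etc/group. ROOT may be an unpacked initrd.
unresolved_acl_principals() {
    root=${1%/}
    for conf in "$root"/etc/tmpfiles.d/*.conf "$root"/usr/lib/tmpfiles.d/*.conf; do
        [ -f "$conf" ] || continue
        awk -v name="${conf#"$root"}" -v grp="$root/etc/group" -v pw="$root/etc/passwd" '
            BEGIN {
                while ((getline l < grp) > 0) { split(l, f, ":"); known["group:" f[1]] = 1 }
                while ((getline l < pw)  > 0) { split(l, f, ":"); known["user:"  f[1]] = 1 }
            }
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            $1 !~ /^[aA][+]?/ { next }         # only ACL line types
            {
                n = split($7, entries, ",")    # field 7 is the ACL argument
                for (i = 1; i <= n; i++) {
                    split(entries[i], p, ":")
                    k = (p[1] == "default" || p[1] == "d") ? 2 : 1
                    kind = p[k]; who = p[k + 1]
                    if (kind == "g") kind = "group"
                    if (kind == "u") kind = "user"
                    if (kind != "user" && kind != "group") continue
                    if (who == "" || who ~ /^[0-9]+$/) continue   # owner entry or numeric id
                    if (!((kind ":" who) in known)) print name ":" NR ": " kind " " who
                }
            }
        ' "$conf"
    done
}

# Constructed sample root: the two ACL lines quoted in this report, no tss group.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/usr/lib/tmpfiles.d"
    printf 'root:x:0:\n' > "$r/etc/group"
    printf '%s\n' \
        'a+ /var/lib/tpm2-tss/system/keystore - - - - default:group:tss:rwx' \
        'a+ /run/tpm2-tss/eventlog - - - - default:group:tss:rwx' \
        > "$r/usr/lib/tmpfiles.d/tpm2-tss-fapi.conf"
    echo "$r"
}

sample=$(make_sample_root)
unresolved_acl_principals "$sample"
rm -rf "$sample"
```

Run against an unpacked initrd, any output names a principal that tmpfiles cannot resolve there; an empty result means every named user and group is present in that tree.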
Ok, I'd say this is a bug in systemd, not in tpm2-tss-fapi.conf

```
# systemctl cat systemd-tmpfiles-setup-dev-early.service | grep Exec
ExecStart=systemd-tmpfiles --prefix=/dev --create --boot --graceful
# systemd-tmpfiles --help | grep graceful
--graceful Quietly ignore unknown users or groups
```

Thanks Matthias, I'll take a look.
The fix came quickly: https://github.com/systemd/systemd/commit/f939a403ca93a01fc677af9f7757d89f81e0fc37

Frack, handing over to you, you decide if it's worth backporting it to 15-SP6.
Thanks Antonio, I backported the fix to SUSE/v254. Closing.
This is an autogenerated message for OBS integration: This bug (1216628) was mentioned in https://build.opensuse.org/request/show/1132619 Factory / systemd