Re: How to avoid using policy kit with openvpn

From: matti kaasinen <matti kaasinen gmail com>
To: Lubomir Rintel <lkundrak v3 sk>
Cc: Dan Williams <dcbw redhat com>, "networkmanager." <networkmanager-list gnome org>
Subject: Re: How to avoid using policy kit with openvpn
Date: Tue, 13 Dec 2016 11:37:31 +0200

Lubomir, Dan,

I found what triggers this issue. I don't know what the reason is, though! It has nothing to do with NetworkManager.

The trigger:

1) I load openvpn cert as zipped tar archive to root.

2) I uncompress/untar the archive that creates /etc/openvpn directory with openvpn cert/config files, user = original user.

There is no way back at this point. Whole system is corrupted. It does not help deleting /etc/openvpn directory and note that it is not needed to start openvpn service to get this triggered. Only way I have found to recover is re-install whole system!

I'm somewhat worried how easily one can corrupt whole Linux system - just load files to /etc whose user is not a proper user of the installation! They can be loaded to other place, change owner there and load then tho /etc. Anyhow this is none of your worry, I suppose.

Cheers,

Matti

2016-12-09 16:35 GMT+02:00 matti kaasinen <matti kaasinen gmail com>:

Lubo,
It took some time before I had change to get to this issue again. I got new board and it did not start at all, so I had to study u-boot in between..
Anyhow, answers to your comments:

2016-11-25 18:15 GMT+02:00 Lubomir Rintel <lkundrak v3 sk>:
That sounds very strange.

Please enable eavesdropping on the system bus:
https://wiki.ubuntu.com/DebuggingDBus#How_to_monitor_the_system_bus

And then monitor the actual bus traffic before starting the "openvpn
service" (is that the NM VPN plugin?) and after starting it and look
out for what changed.
No. That is coming from Yocto/meta-openembedded/meta-networking layer. Just pure openvpn binary and systemd unit file for starting service.
Only (main) difference I noticed from dbus-monitor log was that before openvpn I got following errors:

   string "Could not get owner of name 'org.freedesktop.nm_avahi_autoipd': no such name"
   string "Could not get owner of name 'org.fedoraproject.FirewallD1': no such name"
   string "Could not get owner of name 'org.freedesktop.login1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.ModemManager1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.nm_dispatcher': no such name"

And after enabling openvpn service I got:

   string "Could not get owner of name 'org.freedesktop.nm_avahi_autoipd': no such name"
   string "Could not get owner of name 'org.fedoraproject.FirewallD1': no such name"
   string "Could not get owner of name 'org.freedesktop.login1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.PolicyKit1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.nm_dispatcher': no such name"

So, policy kit has vanished.

I'm not sure at all that I could concentrate on the correct details of these logs, though. So, I would really appreciate any suggestions.

What I noticed from systemd journal regarding ntp synchronization was:

Dec 09 15:08:47 cpr3 systemd[1]: Starting Network Time Synchronization...
Dec 09 15:08:47 cpr3 systemd-timesyncd[467]: [[0;1;31mFailed to allocate manager: Permission denied[[0m
Dec 09 15:08:47 cpr3 systemd[1]: [[0;1;39msystemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE[[0m
Dec 09 15:08:47 cpr3 systemd[1]: [[0;1;31mFailed to start Network Time Synchronization.[[0m
Dec 09 15:08:47 cpr3 systemd[1]: [[0;1;39msystemd-timesyncd.service: Unit entered failed state.[[0m
Dec 09 15:08:47 cpr3 systemd[1]: [[0;1;39msystemd-timesyncd.service: Failed with result 'exit-code'.[[0m
Dec 09 15:08:47 cpr3 systemd[1]: systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
Dec 09 15:08:47 cpr3 systemd[1]: Stopped Network Time Synchronization.
Dec 09 15:08:47 cpr3 systemd[1]: Starting Network Time Synchronization...
....

Avahi was behaving pretty much the same besides that "Permission denied" message:

Dec 09 15:09:01 cpr3 systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
Dec 09 15:09:01 cpr3 systemd[1]: [[0;1;39mavahi-daemon.service: Main process exited, code=exited, status=255/n/a[[0m
Dec 09 15:09:01 cpr3 systemd[1]: [[0;1;31mFailed to start Avahi mDNS/DNS-SD Stack.[[0m
Dec 09 15:09:01 cpr3 systemd[1]: [[0;1;39mavahi-daemon.service: Unit entered failed state.[[0m
Dec 09 15:09:01 cpr3 systemd[1]: [[0;1;39mavahi-daemon.service: Failed with result 'exit-code'.[[0m
Dec 09 15:09:01 cpr3 systemd[1]: avahi-daemon.service: Service hold-off time over, scheduling restart.
Dec 09 15:09:01 cpr3 systemd[1]: Stopped Avahi mDNS/DNS-SD Stack.
Dec 09 15:09:01 cpr3 systemd[1]: Starting Avahi mDNS/DNS-SD Stack...

Any help appreciated,
-Matti

Follow-Ups:
- Re: How to avoid using policy kit with openvpn
  - From: matti kaasinen

References:
- Re: How to avoid using policy kit with openvpn
  - From: matti kaasinen

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]