[arch-general] Problems with shadow service
Hello, because of a performance problem I've checked services and noticed this line: ● shadow.service loaded failed failed Verify integrity of password and group files So I checked this service and got this output: $ systemctl status shadow ● shadow.service - Verify integrity of password and group files Loaded: loaded (/usr/lib/systemd/system/shadow.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2018-12-12 06:59:27 CET; 14h ago Process: 561 ExecStart=/bin/sh -c /usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r (code=exited, status=1/FAILURE) Main PID: 561 (code=exited, status=1/FAILURE) Dez 12 06:59:24 tuchola systemd[1]: Started Verify integrity of password and group files. Dez 12 06:59:26 tuchola sh[561]: Benutzer »ceph«: Verzeichnis »/run/ceph« existiert nicht. Dez 12 06:59:26 tuchola sh[561]: pwck: Keine Änderungen Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Main process exited, code=exited, status=1/FAILURE Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Failed with result 'exit-code'. As system seems to run without problems (other than performance), I've got two questions: 1. Do I need the shadow service? Why? 2. Why does it fail? User "ceph" is defined, but /run/ceph does not exist as its home directory - why? Seems there's a problem in the installation of ceph-libs or any or its dependants (like libvirt). Probably the user is created only if whole ceph is installed, too? Kind regards Peter
On Wed, 12 Dec 2018 22:28:40 +0100, Peter Nabbefeld wrote:
As system seems to run without problems (other than performance), I've got two questions:
1. Do I need the shadow service? Why?
If verifying the integrity of group files and/or password files fails, I wouldn't call it an install "without problems". [rocketmouse@archlinux ~]$ grep '#' -A1 /usr/lib/systemd/system/shadow.service # Always run both checks, but fail the service if either fails ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r' [rocketmouse@archlinux ~]$ apropos pwck pwck (8) - verify integrity of password files [rocketmouse@archlinux ~]$ pwck --help | grep read-only -A1 -r, --read-only display errors and warnings but do not change files [rocketmouse@archlinux ~]$ apropos grpck grpck (8) - verify integrity of group files [rocketmouse@archlinux ~]$ grpck --help | grep read-only -A1 -r, --read-only display errors and warnings but do not change files
2. Why does it fail?
See above.
PS: When editing password or group files you should use vipw and vigr and FWIW to edit the sudoers file it's common to use visudo. The EDITOR variable allows to replace vi by an editor of your choice.
Good Morning, thank You for Your reply. 1. I don't edit /etc/passwd nor /etc/group manually. 2. As I've already pointed out, it's the incomplete ceph-libs user "ceph", which misses its home directory "/run/ceph". It seems, some install script didn't work correctly (e.g. I'd never create a home directory under "/run" manually). Probably I should create the folder to fix the problem. Which owner and access rights are needed? Kind regards Peter Am 13.12.18 um 07:16 schrieb Ralf Mardorf via arch-general:
PS: When editing password or group files you should use vipw and vigr and FWIW to edit the sudoers file it's common to use visudo. The EDITOR variable allows to replace vi by an editor of your choice.
On Thu, 13 Dec 2018 07:34:12 +0100, Peter Nabbefeld wrote:
Probably I should create the folder to fix the problem. Which owner and access rights are needed?
No, use /usr/lib/sysusers.d/ to declare the user. [root@archlinux rocketmouse]# apropos sysusers.d sysusers.d (5) - Declarative allocation of system users and groups [root@archlinux rocketmouse]# cat /usr/lib/sysusers.d/ceph.conf u ceph 340 - /run/ceph [root@archlinux rocketmouse]# ls -ld /run/ceph/ drwxrwx--- 2 ceph ceph 40 Dec 11 09:21 /run/ceph/
On Thu, 13 Dec 2018 07:52:55 +0100 Ralf Mardorf via arch-general <arch-general@archlinux.org> wrote:
On Thu, 13 Dec 2018 07:34:12 +0100, Peter Nabbefeld wrote:
Probably I should create the folder to fix the problem. Which owner and access rights are needed?
No, use /usr/lib/sysusers.d/ to declare the user.
[root@archlinux rocketmouse]# apropos sysusers.d sysusers.d (5) - Declarative allocation of system users and groups [root@archlinux rocketmouse]# cat /usr/lib/sysusers.d/ceph.conf u ceph 340 - /run/ceph [root@archlinux rocketmouse]# ls -ld /run/ceph/ drwxrwx--- 2 ceph ceph 40 Dec 11 09:21 /run/ceph/
None of this is valid. sysusers.d is not the fix here in any way. See my other message. Scimmia
On Thu, 13 Dec 2018 00:59:19 -0600, Doug Newgard via arch-general wrote:
On Thu, 13 Dec 2018 07:52:55 +0100 Ralf Mardorf via arch-general <arch-general@archlinux.org> wrote:
On Thu, 13 Dec 2018 07:34:12 +0100, Peter Nabbefeld wrote:
Probably I should create the folder to fix the problem. Which owner and access rights are needed?
No, use /usr/lib/sysusers.d/ to declare the user.
[root@archlinux rocketmouse]# apropos sysusers.d sysusers.d (5) - Declarative allocation of system users and groups [root@archlinux rocketmouse]# cat /usr/lib/sysusers.d/ceph.conf u ceph 340 - /run/ceph [root@archlinux rocketmouse]# ls -ld /run/ceph/ drwxrwx--- 2 ceph ceph 40 Dec 11 09:21 /run/ceph/
None of this is valid. sysusers.d is not the fix here in any way. See my other message.
IIUC you recommend to install and remove the package ceph. [rocketmouse@archlinux tmp]$ asp checkout ceph Cloning into 'ceph'... done. [rocketmouse@archlinux tmp]$ cat ceph/trunk/ceph.sysusers u ceph 340 - /run/ceph
IIUC you recommend to install and remove the package ceph.
[rocketmouse@archlinux tmp]$ asp checkout ceph Cloning into 'ceph'... done. [rocketmouse@archlinux tmp]$ cat ceph/trunk/ceph.sysusers u ceph 340 - /run/ceph
Oops, or do you imply to remove the user, after the package is removed? You did not really mention what the OP should do.
On Thu, 13 Dec 2018 08:24:35 +0100, Ralf Mardorf wrote:
IIUC you recommend to install and remove the package ceph.
[rocketmouse@archlinux tmp]$ asp checkout ceph Cloning into 'ceph'... done. [rocketmouse@archlinux tmp]$ cat ceph/trunk/ceph.sysusers u ceph 340 - /run/ceph
Oops, or do you imply to remove the user, after the package is removed? You did not really mention what the OP should do.
I forget to point out that my guess/understanding is, that the OP needs to remove the broken user ceph and after that to recreate it, if it should be required at all?! sysusers.d won't fix it, since a broken user ceph already exists?!
On Thu, 13 Dec 2018 09:28:51 +0100, Ralf Mardorf wrote:
On Thu, 13 Dec 2018 08:24:35 +0100, Ralf Mardorf wrote:
IIUC you recommend to install and remove the package ceph.
[rocketmouse@archlinux tmp]$ asp checkout ceph Cloning into 'ceph'... done. [rocketmouse@archlinux tmp]$ cat ceph/trunk/ceph.sysusers u ceph 340 - /run/ceph
Oops, or do you imply to remove the user, after the package is removed? You did not really mention what the OP should do.
I forget to point out that my guess/understanding is, that the OP needs to remove the broken user ceph and after that to recreate it, if it should be required at all?! sysusers.d won't fix it, since a broken user ceph already exists?!
Or regarding the run-dir nothing is broken at all? Could somebody explain?
On Wed, Dec 12, 2018 at 10:28 PM Peter Nabbefeld <peter.nabbefeld@gmx.de> wrote:
Hello,
because of a performance problem I've checked services and noticed this line: ● shadow.service loaded failed failed Verify integrity of password and group files
So I checked this service and got this output:
$ systemctl status shadow ● shadow.service - Verify integrity of password and group files Loaded: loaded (/usr/lib/systemd/system/shadow.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2018-12-12 06:59:27 CET; 14h ago Process: 561 ExecStart=/bin/sh -c /usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r (code=exited, status=1/FAILURE) Main PID: 561 (code=exited, status=1/FAILURE)
Dez 12 06:59:24 tuchola systemd[1]: Started Verify integrity of password and group files. Dez 12 06:59:26 tuchola sh[561]: Benutzer »ceph«: Verzeichnis »/run/ceph« existiert nicht. Dez 12 06:59:26 tuchola sh[561]: pwck: Keine Änderungen Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Main process exited, code=exited, status=1/FAILURE Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Failed with result 'exit-code'.
As system seems to run without problems (other than performance), I've got two questions:
1. Do I need the shadow service? Why?
2. Why does it fail? User "ceph" is defined, but /run/ceph does not exist as its home directory - why? Seems there's a problem in the installation of ceph-libs or any or its dependants (like libvirt). Probably the user is created only if whole ceph is installed, too?
Kind regards
Peter
Create the directory /run/ceph and pwck will be happy If you don't want this service whining, just disabled it, systemctl --disable --now shadow.service People love to be overly dramatic but this shadow service is a fairly recent addition and we all got along fine without it. A missing home directory is not going to make your system slow or leave it open for attack.
On Thu, 13 Dec 2018 07:33:49 +0100 Andy Pieters <arch-general@andypieters.me.uk> wrote:
On Wed, Dec 12, 2018 at 10:28 PM Peter Nabbefeld <peter.nabbefeld@gmx.de> wrote:
Hello,
because of a performance problem I've checked services and noticed this line: ● shadow.service loaded failed failed Verify integrity of password and group files
So I checked this service and got this output:
$ systemctl status shadow ● shadow.service - Verify integrity of password and group files Loaded: loaded (/usr/lib/systemd/system/shadow.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2018-12-12 06:59:27 CET; 14h ago Process: 561 ExecStart=/bin/sh -c /usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r (code=exited, status=1/FAILURE) Main PID: 561 (code=exited, status=1/FAILURE)
Dez 12 06:59:24 tuchola systemd[1]: Started Verify integrity of password and group files. Dez 12 06:59:26 tuchola sh[561]: Benutzer »ceph«: Verzeichnis »/run/ceph« existiert nicht. Dez 12 06:59:26 tuchola sh[561]: pwck: Keine Änderungen Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Main process exited, code=exited, status=1/FAILURE Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Failed with result 'exit-code'.
As system seems to run without problems (other than performance), I've got two questions:
1. Do I need the shadow service? Why?
2. Why does it fail? User "ceph" is defined, but /run/ceph does not exist as its home directory - why? Seems there's a problem in the installation of ceph-libs or any or its dependants (like libvirt). Probably the user is created only if whole ceph is installed, too?
Kind regards
Peter
Create the directory /run/ceph and pwck will be happy
How well do you really expect creating a dir on tmpfs to work? Anyway, for the OP, pacman does not remove users that were created by package installation for security reasons. If you removed ceph, the user is left over for you to deal with. See https://www.archlinux.org/todo/usergroup-management/ Scimmia
Am 13.12.18 um 07:56 schrieb Doug Newgard via arch-general:
On Thu, 13 Dec 2018 07:33:49 +0100 Andy Pieters <arch-general@andypieters.me.uk> wrote:
On Wed, Dec 12, 2018 at 10:28 PM Peter Nabbefeld <peter.nabbefeld@gmx.de> wrote:
Hello,
because of a performance problem I've checked services and noticed this line: ● shadow.service loaded failed failed Verify integrity of password and group files
So I checked this service and got this output:
$ systemctl status shadow ● shadow.service - Verify integrity of password and group files Loaded: loaded (/usr/lib/systemd/system/shadow.service; static; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2018-12-12 06:59:27 CET; 14h ago Process: 561 ExecStart=/bin/sh -c /usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r (code=exited, status=1/FAILURE) Main PID: 561 (code=exited, status=1/FAILURE)
Dez 12 06:59:24 tuchola systemd[1]: Started Verify integrity of password and group files. Dez 12 06:59:26 tuchola sh[561]: Benutzer »ceph«: Verzeichnis »/run/ceph« existiert nicht. Dez 12 06:59:26 tuchola sh[561]: pwck: Keine Änderungen Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Main process exited, code=exited, status=1/FAILURE Dez 12 06:59:27 tuchola systemd[1]: shadow.service: Failed with result 'exit-code'.
As system seems to run without problems (other than performance), I've got two questions:
1. Do I need the shadow service? Why?
2. Why does it fail? User "ceph" is defined, but /run/ceph does not exist as its home directory - why? Seems there's a problem in the installation of ceph-libs or any or its dependants (like libvirt). Probably the user is created only if whole ceph is installed, too?
Kind regards
Peter
Create the directory /run/ceph and pwck will be happy
How well do you really expect creating a dir on tmpfs to work?
Anyway, for the OP, pacman does not remove users that were created by package installation for security reasons. If you removed ceph, the user is left over for you to deal with. See https://www.archlinux.org/todo/usergroup-management/
Scimmia
Okay, thank You, that'll probably fix it - just checked the ceph-package is in my cache (though not installed, currently), so it seems I had installed ceph at some time just for testing ... Kind regards Pete
PPS: On Wed, 12 Dec 2018 22:28:40 +0100, Peter Nabbefeld wrote:
Probably the user is created only if whole ceph is installed, too?
$ pacman -Qo /usr/lib/sysusers.d/ceph.conf /usr/lib/sysusers.d/ceph.conf is owned by ceph 13.2.1-2
Am 13.12.18 um 07:43 schrieb Ralf Mardorf via arch-general:
PPS:
On Wed, 12 Dec 2018 22:28:40 +0100, Peter Nabbefeld wrote:
Probably the user is created only if whole ceph is installed, too? $ pacman -Qo /usr/lib/sysusers.d/ceph.conf /usr/lib/sysusers.d/ceph.conf is owned by ceph 13.2.1-2 I don't have any /usr/lib/sysusers.d/ceph.conf file on my system, because ceph-libs is installed only as a dependency of libvirt, no ceph installed
participants (4)
-
Andy Pieters
-
Doug Newgard
-
Peter Nabbefeld
-
Ralf Mardorf