not working when started by systemd
Task Info (Flyspray) | |
---|---|
Opened By | Andrej Podzimek (andrej) |
Task ID | 70326 |
Type | Bug Report |
Project | Community Packages |
Category | Packages |
Version | None |
OS | All |
Opened | 2021-04-07 03:22:05 UTC |
Status | Assigned |
Assignee | Christian Rebischke (Shibumi) |
Assignee | Levente Polyak (anthraxx) |
Details
Description:
arch-audit works when run manually, but fails when started by systemd. This has been happening since a recent update a few hours ago.
The logs report DNS resolution problems. Yet the machine doesn't have any such problems: Both systemd-resolve (--status) and dig work fine. Bind runs on the machine, which serves as an authoritative DNS as well as a caching resolver.
A manual resolution of the reported domain name (see logs below) yields both IPv6 and IPv4 addresses and the JSON file can be downloaded without issues (tested only with IPv6, who cares about IPv4 anyway).
Starting arch-audit (-u) manually under a normal user account works fine as well.
That^^^ said, my speculation would be that this is caused by one of the (tens of) restrictions specified in the systemd .service file for arch-audit.
Additional info:
- package version(s)
arch-audit 0.1.19-1
linux 5.11.11.arch1-1
systemd 248-3
- config and/or log files etc.
$ journalctl -u arch-audit:
[...]
systemd[1]: Starting Audit installed packages against known vulnerabilities...
arch-audit[980123]: Error: failed to get AVG json
arch-audit[980123]: Because: failed to fetch AVGs from URL
arch-audit[980123]: Because: Failed to send request
arch-audit[980123]: Because: error sending request for url (https://security.archlinux.org/all.json): error trying to connect: dns error: failed to lookup address information: Temporary failure in name resolution
arch-audit[980123]: Because: error trying to connect: dns error: failed to lookup address information: Temporary failure in name resolution
arch-audit[980123]: Because: dns error: failed to lookup address information: Temporary failure in name resolution
arch-audit[980123]: Because: failed to lookup address information: Temporary failure in name resolution
systemd[1]: arch-audit.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: arch-audit.service: Failed with result 'exit-code'.
[...]

$ cat /etc/resolv.conf
nameserver ::1

$ egrep -v '^[[:space:]]*($|#)' /etc/systemd/resolved.conf
[Resolve]
DNS=::1#<<<censored (domain name)>>>
FallbackDNS=
DNSSEC=yes

$ systemd-resolve --status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign
Current DNS Server: ::1#<<<censored (domain name)>>>
DNS Servers: ::1#<<<censored (domain name)>>>

Link 2 (charon1g0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: ::1
DNS Servers: ::1

Link 3 (charon10g0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: ::1
DNS Servers: ::1

[...] ~5 further interfaces; all the same

$ dig +short security.archlinux.org AAAA
2a01:4f9:c010:aa84::1

$ systemd-resolve security.archlinux.org
security.archlinux.org: 2a01:4f9:c010:aa84::1
95.217.239.55

-- Information acquired via protocol DNS in 17.8ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
BTW, this looks concerning: "Data is authenticated: no;" A security-related domain without DNSSEC? Srsly? It's unrelated to the problem, but worth pointing out nonetheless.
- link to upstream bug report, if any
N/A
Steps to reproduce:
This fails:
# systemctl restart arch-audit
Also the timer fails.

This works:
$ arch-audit -u
$ arch-audit
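
Added example, not part of the report and not the arch-audit.service shipped by the package: a small checker that reads a unit's [Service] section and names the network sandboxing directives that would keep the service from reaching a resolver such as the `::1` in the reporter's /etc/resolv.conf. The sample unit, `/usr/bin/example-fetch` and the function names are constructed for illustration, and the check assumes the service queries that nameserver directly over IP.

```python
import ipaddress

# Symbolic names accepted by IPAddressAllow=/IPAddressDeny= (systemd.resource-control)
SYMBOLIC = {"any": ["0.0.0.0/0", "::/0"], "localhost": ["127.0.0.0/8", "::1/128"],
            "link-local": ["169.254.0.0/16", "fe80::/64"],
            "multicast": ["224.0.0.0/4", "ff00::/8"]}

# Constructed unit for illustration; NOT the arch-audit.service shipped by the package.
SAMPLE_UNIT = """\
[Unit]
Description=Example hardened fetcher (hypothetical)
[Service]
ExecStart=/usr/bin/example-fetch
RestrictAddressFamilies=AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=95.217.239.55 2a01:4f9:c010:aa84::1
"""

def service_settings(unit_text):
    """Collect [Service] directives as lists; an empty assignment resets the list."""
    section, out = None, {}
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = out.get(key, []) + value.split() if value else []
    return out

def _matches(addr, entries):
    nets = (n for e in entries for n in SYMBOLIC.get(e, [e]))
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def resolver_blockers(unit_text, nameserver):
    """Name the directives that keep the unit from reaching `nameserver`."""
    s, addr, found = service_settings(unit_text), ipaddress.ip_address(nameserver), []
    if (s.get("PrivateNetwork") or ["no"])[-1].lower() in ("yes", "true", "1", "on"):
        found.append("PrivateNetwork")  # private netns: the host's loopback is out of reach
    fams = s.get("RestrictAddressFamilies", [])
    if fams:  # assumption: one polarity per unit, "~" on the first entry means deny list
        need = "AF_INET6" if addr.version == 6 else "AF_INET"
        if (need in {f.lstrip("~") for f in fams}) == fams[0].startswith("~"):
            found.append("RestrictAddressFamilies")
    # The allow list wins over the deny list; an address on neither list passes.
    if not _matches(addr, s.get("IPAddressAllow", [])) and _matches(addr, s.get("IPAddressDeny", [])):
        found.append("IPAddressDeny")
    return found

if __name__ == "__main__":
    print(resolver_blockers(SAMPLE_UNIT, "::1"))  # resolver address from the report
```

In the constructed unit the web server's addresses are allow-listed but the loopback resolver is not, so the lookup is dropped before any request is sent; adding `IPAddressAllow=localhost` clears the finding.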