Since upgrading from Fedora 38 to Fedora 39, my Fedora installations have not been capturing log entries for freeipa users. Entering “journalctl --user” while logged in as a freeipa user at the terminal results in journalctl showing log entries from before upgrading to Fedora 39. The journal files in /var/log/journal for the freeipa users are have the date of the upgrade as the newest files. No newer files for freeipa users exist. This happens on both my Fedora and Fedora Silverblue installs.
Not having log entries for freeipa users causes some interesting problems. For example, distrobox seemingly relies on log entries for initial container initialization and for removal of exported apps. Without user log entries distrobox stalls on both tasks.
Before filing a bug report, I thought I would come here for assistance. Is anyone else experiencing this problem? Any suggested solutions or techniques to get to the root cause of the issue? Any other information that would be helpful?
As an additional datapoint, freeipa users have no user logs with a new install too. Running “journalctl --user” on a new install returns a message that the user must be in “adm” “systemd-journald”, or “wheel” groups to view all logs. Running “journalctl --user” as a non-wheel local user returns the user logs as expected.
I don’t know anything about freeipa. What UID range does it use?
man systemd-journald says:
By default, each user, with a UID outside the range of system users, dynamic service users, and the nobody user, will get their own set of journal files in /var/log/journal/. See Users, Groups, UIDs and GIDs on systemd systems for more details about UID ranges. These journal files will not be owned by the user, however, in order to avoid that the user can write to them directly. Instead, file system ACLs are used to ensure the user gets read access only.
The id range for my freeipa domain is 1518400000 to 1518599999. I wonder if systemd-journald is flagging the freeipa users a nobody user. Interestingly, before Fedora 39, freeipa user had no issues with systemd-journald. I just checked the journal for systemd-journal.{serivce,socket} and syslog. No errors are being reported.
Thanks. That interesting and unfortunate. I’ll have to see if a knob exists to change that number. Otherwise, I’ll have to find a path to migrate the freeipa users to new user ids. This issue will have to be addressed in the future. I can only imagine the number of freeipa or Redhat Identity Management setups that have uids in that range.
Those are compile-time constants. Fedora enables the flag that makes systemd read /etc/login.defs, but that only applies to the system user boundary (<1000).
Please open a bug for Fedora with systemd component.
Any static check like that is bound to fail in a relatively complex environment. Let me know the bug number so that I can discuss it with systemd team.