Debian 11 issue with Portmaster 1.5 #1352

Closed
Hanter492 opened this issue Oct 24, 2023 · 8 comments
Labels
bug TYPE: a report on something that isn't working stale ATTRIBUTE: this issue has not had recent activity

Comments

@Hanter492

What happened:

After changing the core from portmaster-core_v1-4-5 to portmaster-core_v1-5-0 or portmaster-core_v1-5-1, it does not start after starting Linux (service file in the old way). I have encrypted partitions and I think it does not work because it runs too fast. The problem is that it starts but there is no internet access, and you can't run the GUI or stop the application other than by killing the process (the entire app has a black screen). Interestingly, after killing core, the entire application returns to normal operation.

What did you expect to happen?:

Something changed from version 1.4 to 1.5 because it was working before. I would like it to be fixed. As for a temporary solution, it would be good to add an option to change the core to an older one.

How did you reproduce it?:

I have Debian 11 with encrypted \opt and \home partitions, GNOME 44 system. I installed Portmaster from your website (it still worked then).

Debug Information:

logs:

{"Created":1698166661,"Modified":1698166661,"Expires":1700758661,"Deleted":0}
executing core/portmaster-core version 1.5.1 on linux amd64
portmaster-start[831]: [pmstart] 2023/10/24 16:57:41 starting /opt/safing/portmaster/updates/linux_amd64/core/portmaster-core_v1-5-1 --data /opt/safing/portmaster
portmaster-start[831]: 231024 18:57:42.047 ▶ BOF
portmaster-start[831]: 231024 18:57:42.047 e/asm_amd6:1650 ▶ WARN 001 core: failed to enable persisted metrics: database not initialized
portmaster-start[831]: 231024 18:57:42.276 dbus_linux:065 ▶ WARN 003 failed to get nameserver: failed to access /:org.freedesktop.NetworkManager.Connection.Active.Ip4Config: Object does not exist in the path „/”
portmaster-start[831]: 231024 18:57:42.279 dbus_linux:072 ▶ WARN 005 failed to get nameserver: failed to access /:org.freedesktop.NetworkManager.Connection.Active.Ip6Config: Object does not exist in the path „/”
portmaster-start[831]: 231024 18:57:42.299 olver-mdns:087 ▶ WARN 007 intel(mdns): failed to create udp4 listen multicast socket: listen udp4 224.0.0.251:5353: setsockopt: no such device
portmaster-start[831]: 231024 18:57:42.300 olver-mdns:114 ▶ WARN 009 intel(mdns): failed to create udp6 listen multicast socket: listen udp6 [ff02::fb]:5353: setsockopt: no such device
Unknown portmaster-start[831]: 231024 18:57:42.413 v/location:303 ▶ WARN 011 netenv: failed to get IPv4 device location from traceroute: failed to send icmp packet: write ip4 0.0.0.0->1.1.1.1: sendto: network is unreachable
Unknown portmaster-start[831]: 231024 18:57:42.593 les/worker:109 ▶ ERRO 013 interception: service-worker ebpf connection listener failed (1): ebpf: failed to remove ebpf memlock: failed to set memlock rlimit: operation not permitted - restarting in 2s
portmaster-start[831]: 231024 18:57:42.593 les/worker:109 ▶ ERRO 015 interception: service-worker ebpf bandwidth stats monitor failed (1): ebpf: failed to remove memlock: failed to set memlock rlimit: operation not permitted - restarting in 2s
portmaster-start[831]: 231024 18:57:44.593 les/worker:109 ▶ ERRO 017 interception: service-worker ebpf bandwidth stats monitor failed (2): ebpf: failed to remove memlock: failed to set memlock rlimit: operation not permitted - restarting in 4s
portmaster-start[831]: 231024 18:57:44.593 les/worker:109 ▶ ERRO 019 interception: service-worker ebpf connection listener failed (2): ebpf: failed to remove ebpf memlock: failed to set memlock rlimit: operation not permitted - restarting in 4s
@Hanter492 Hanter492 added the bug TYPE: a report on something that isn't working label Oct 24, 2023
@github-actions

Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful info with you:

  • 🗣️ Our community on Discord is super helpful and active. We also have an AI-enabled support bot that knows Portmaster well and can give you immediate help.
  • 📖 The Wiki answers all common questions and has many important details. If you can't find an answer there, let us know, so we can add anything that's missing.

@dhaavi
Member

dhaavi commented Oct 25, 2023

It seems there are a couple issues with your service file:

  • Please ensure that Portmaster is started after the network.
  • Make sure Portmaster gets all the needed capabilities for using ebpf.

Please refer to our latest systemd service file: https://github.com/safing/portmaster-packaging/blob/develop/linux/portmaster.service

@Hanter492
Author

I added the launch as far as I could through the lines in service:
After=NetworkManager-wait-online.service
Unfortunately, the above error still occurs, and for the application to work well I have to reset the core by killing the process.

What do you mean by "Make sure Portmaster gets all the needed capabilities for using ebpf"?

Logs have changed:

portmaster-start[1038]: [pmstart] starting /opt/safing/portmaster/updates/linux_amd64/core/portmaster-core_v1-5-1 --data /opt/safing/portmaster
portmaster-start[1038]: 231030 03:35:59.601 ▶ BOF
portmaster-start[1038]: 231030 03:35:59.602 e/asm_amd6:1650 ▶ WARN 001 core: failed to enable persisted metrics: database not initialized
portmaster-start[1038]: 231030 03:35:59.937 v/location:303 ▶ WARN 003 netenv: failed to get IPv4 device location from traceroute: failed to send icmp packet: write ip4 0.0.0.0->1.1.1.1: sendto: operation not permitted
portmaster-start[1038]: 231030 03:35:59.974 les/worker:109 ▶ ERRO 005 interception: service-worker ebpf connection listener failed (1): ebpf: failed to remove ebpf memlock: failed to set memlock rlimit: operation not permitted - restarting in 2s
portmaster-start[1038]: 231030 03:35:59.974 les/worker:109 ▶ ERRO 007 interception: service-worker ebpf bandwidth stats monitor failed (1): ebpf: failed to remove memlock: failed to set memlock rlimit: operation not permitted - restarting in 2s
portmaster-start[1038]: 231030 03:36:01.975 les/worker:109 ▶ ERRO 009 interception: service-worker ebpf bandwidth stats monitor failed (2): ebpf: failed to remove memlock: failed to set memlock rlimit: operation not permitted - restarting in 4s
portmaster-start[1038]: 231030 03:36:01.975 les/worker:109 ▶ ERRO 011 interception: service-worker ebpf connection listener failed (2): ebpf: failed to remove ebpf memlock: failed to set memlock rlimit: operation not permitted - restarting in 4s
portmaster-start[1038]: 231030 03:36:05.976 les/worker:109 ▶ ERRO 013 interception: service-worker ebpf bandwidth stats monitor failed (3): ebpf: failed to remove memlock: failed to set memlock rlimit: operation not permitted - restarting in 6s
Unknown portmaster-start[1038]: 231030 03:36:05.976 les/worker:109 ▶ ERRO 015 interception: service-worker ebpf connection listener failed (3): ebpf: failed to remove ebpf memlock: failed to set memlock rlimit: operation not permitted - restarting in 6s
Unknown portmaster-start[1038]: 231030 03:36:11.976 les/worker:109 ▶ ERRO 017 interception: service-worker ebpf bandwidth stats monitor failed (4): ebpf: failed to remove memlock: failed to set memlock rlimit: operation not permitted - restarting in 8s
Unknown portmaster-start[1038]: 231030 03:36:11.976 les/worker:109 ▶ ERRO 019 interception: service-worker ebpf connection listener failed (4): ebpf: failed to remove ebpf memlock: failed to set memlock rlimit: operation not permitted - restarting in 8s
Unknown portmaster-start[1038]: 231030 03:36:19.977 ner/worker:030 ▶ WARN 021 ebpf: failed to remove memlock 5 times, giving up with error failed to set memlock rlimit: operation not permitted
Unknown portmaster-start[1038]: 231030 03:36:19.977 /interface:032 ▶ WARN 023 ebpf: failed to remove memlock 5 times, giving up with error failed to set memlock rlimit: operation not permitted

@dhaavi
Member

dhaavi commented Oct 30, 2023

Portmaster needs these capabilities, in case it does not receive blanket root perms - which seems to be the case judging by your logs:

AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
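
Added example, not part of the thread and not Portmaster's own code: a POSIX shell check that decodes the `CapEff` mask from `/proc/PID/status` and lists which of the capabilities named in the comment above a running process lacks. The function names and the sample masks are constructed for illustration; the bit numbers are the `CAP_*` values from `<linux/capability.h>`.

```shell
#!/bin/sh
# Capabilities from the AmbientCapabilities= line above, as name:bit pairs.
# Bit numbers are the CAP_* values in <linux/capability.h>.
REQUIRED="cap_chown:0 cap_dac_override:1 cap_fowner:3 cap_fsetid:4 cap_kill:5
cap_net_bind_service:10 cap_net_broadcast:11 cap_net_admin:12 cap_net_raw:13
cap_sys_module:16 cap_sys_ptrace:19 cap_sys_resource:24 cap_perfmon:38 cap_bpf:39"

# missing_caps HEXMASK
# Print the required capabilities whose bit is clear in HEXMASK (a CapEff
# value as shown in /proc/PID/status). Prints an empty line if none are missing.
missing_caps() {
    mask=$((0x$1))
    out=""
    for entry in $REQUIRED; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( ($mask >> $bit) & 1 )) -eq 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# cap_eff_of PID: read the effective capability mask of a running process.
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample masks (not taken from the issue):
#   000000c001093c3b  all 14 capabilities present
#   0000004000093c3b  cap_sys_resource and cap_bpf cleared. Raising
#                     RLIMIT_MEMLOCK above the hard limit needs
#                     cap_sys_resource, which matches the "failed to set
#                     memlock rlimit: operation not permitted" log lines.

# Stand-alone use: sh capcheck.sh PID   (PID of portmaster-core)
if [ "$#" -ge 1 ]; then
    printf 'missing: %s\n' "$(missing_caps "$(cap_eff_of "$1")")"
fi
```

An empty result for the portmaster-core PID means the unit's capability lines took effect; any name printed points at a capability the service file still withholds.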

@Hanter492
Author

I still have this bug: the Core application works but the GUI does not start.

I put a screen for your insight.
[image]

systemd[1]: Started portmaster.service - Portmaster by Safing.
░░ Subject: The task was successfully completed for the Portmaster.Service unit
░░ Defined-by: Systemd
░░ Support: https://www.debian.org/support
░░
░░ The starting task for the Portmaster.Service unit was successfully completed.
░░
░░ Task ID: 125.
portmaster-start[1063]: [pmstart] 2023/10/31 02:12:50 starting /opt/safing/portmaster/updates/linux_amd64/core/portmaster-core_v1-5-1 --data /opt/safing/portmaster
portmaster-start[1063]: 231031 03:12:50.925 ▶ BOF
portmaster-start[1063]: 231031 03:12:50.925 e/asm_amd6:1650 ▶ WARN 001 core: failed to enable persisted metrics: database not initialized
portmaster-start[1063]: 231031 03:12:51.263 v/location:303 ▶ WARN 003 netenv: failed to get IPv4 device location from traceroute: failed to send icmp packet: write ip4 0.0.0.0->1.1.1.1: sendto: operation not permitted
portmaster-start[1063]: 231031 01:14:34.427 on/nfq/nfq:212 ▶ WARN 005 nfqueue: no verdict set for packet pkt:20 qid:17040 (10.110.112.200 -> 10.110.112.82) after 20.0011234s, dropping
portmaster-start[1063]: 231031 01:14:39.423 on/nfq/nfq:212 ▶ WARN 007 nfqueue: no verdict set for packet pkt:21 qid:17040 (10.110.112.200 -> 10.110.112.82) after 20.000401473s, dropping
portmaster-start[1063]: 231031 01:14:44.426 on/nfq/nfq:212 ▶ WARN 009 nfqueue: no verdict set for packet pkt:34 qid:17040 (10.110.112.200 -> 10.110.112.82) after 20.000631813s, dropping

@Hanter492 Hanter492 reopened this Nov 1, 2023
@Raphty Raphty changed the title from "Portmaster starts after boot in linux but does not work properly." to "Debian 11 issue with Portmaster 1.5" Nov 2, 2023

github-actions bot commented Jan 5, 2024

This issue has been automatically marked as inactive because it has not had activity in the past two months.

If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.

@github-actions github-actions bot added the stale ATTRIBUTE: this issue has not had recent activity label Jan 5, 2024

This issue has been automatically closed because it has not had recent activity. Thank you for your contributions.

If the issue has not been resolved, you can find more information in our Wiki or continue the conversation on our Discord.

@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Jan 12, 2024