[systemd-devel] systemd-216 breaks combined ReadOnlyDirectories / ReadWriteDirectories

Reindl Harald h.reindl at thelounge.net
Wed Feb 25 03:37:40 PST 2015



On 28.01.2015 at 02:48, Lennart Poettering wrote:
> On Tue, 20.01.15 13:48, Reindl Harald (h.reindl at thelounge.net) wrote:
>
>> after the upgrade to Fedora 21 with the new systemd, namespaces like the ones below
>> no longer work, which breaks *all my systemd-units*
>>
>> why?
>>
>> ReadOnlyDirectories=/var/lib
>> ReadWriteDirectories=/var/lib/mysql
>
> I cannot reproduce this issue with systemd upstream. This appears to
> work fine. Any chance you can try to reproduce this with current
> upstream?
>
> Do you have any other namespace-related settings in the unit file that
> triggers this? Like ProtectSystem= or so? Can you paste the entire
> unit file?

here are a sample unit and some tests:
https://bugzilla.redhat.com/show_bug.cgi?id=1184016#c29

systemd-213-4.fc21 was the last build without that issue;
see the sample below, /var/lib/test/subfolder is owned by the user

in general I try to use as many features as possible to restrict
services to their absolute minimum needs
_________________________________________________________________

[root at rawhide ~]# cat /etc/systemd/system/test.service
[Unit]
Description=Test-Service

[Service]
Type=oneshot
User=nobody
Group=nobody
#PermissionsStartOnly=true
#ExecStartPre=/usr/bin/touch /var/lib/test/subfolder/test.txt
ExecStart=/usr/bin/touch /var/lib/test/subfolder/test.txt

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib/test
ReadWriteDirectories=/var/lib/test/subfolder
_________________________________________________________________

[root at rawhide ~]# stat /var/lib/test/
   File: '/var/lib/test/'
   Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 811h/2065d      Inode: 130889      Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-02-23 16:41:32.523299826 +0100
Modify: 2015-02-23 16:41:38.617223191 +0100
Change: 2015-02-24 16:17:18.969601190 +0100
  Birth: -

[root at rawhide ~]# stat /var/lib/test/subfolder
   File: '/var/lib/test/subfolder'
   Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 811h/2065d      Inode: 130912      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (   99/  nobody)   Gid: (   99/  nobody)
Access: 2015-02-24 16:17:19.021782540 +0100
Modify: 2015-02-24 15:01:51.760650707 +0100
Change: 2015-02-24 16:17:19.021782540 +0100
  Birth: -


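As an added example (not part of the thread, and not systemd's own code), here is a small Python checker that models the documented semantics the report relies on: the most specific ReadOnlyDirectories=/ReadWriteDirectories= entry governs a path, so a nested ReadWriteDirectories= entry stays writable below a read-only parent, and an empty assignment resets the list for that key. It only reads unit text (the sample unit is constructed from the one posted above) and makes no mount changes; all function names are the example's own. It is a way to write down what a unit is expected to allow before checking that expectation against a particular systemd build.

```python
"""
Model the expected effect of combined ReadOnlyDirectories= /
ReadWriteDirectories= settings on a unit's view of the filesystem.

Added example: not from the mailing-list thread and not systemd code.
It parses unit text only and never touches mount namespaces.

Assumed semantics (as documented in systemd.exec(5)):
  * both keys may be repeated and accumulate
  * assigning an empty value resets the list collected so far for that key
  * the most specific (longest) matching directive governs a path, so a
    ReadWriteDirectories= entry nested below a ReadOnlyDirectories= entry
    stays writable -- the behaviour the original report expected
Paths not covered by any directive are reported as "rw" here, meaning
"unrestricted by the namespace"; ordinary file permissions still apply.
"""
import posixpath

# Constructed sample unit, modelled on the one in the report.
SAMPLE_UNIT = """\
[Unit]
Description=Test-Service

[Service]
Type=oneshot
User=nobody
Group=nobody
ExecStart=/usr/bin/touch /var/lib/test/subfolder/test.txt

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib/test
ReadWriteDirectories=/var/lib/test/subfolder
"""

MOUNT_KEYS = {"ReadOnlyDirectories": "ro", "ReadWriteDirectories": "rw"}


def parse_mount_directives(unit_text):
    """Return an ordered list of (path, mode) from the [Service] section."""
    directives = []
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in MOUNT_KEYS:
            continue
        mode = MOUNT_KEYS[key]
        if value == "":
            # empty assignment resets only the list belonging to this key
            directives = [d for d in directives if d[1] != mode]
            continue
        for path in value.split():
            directives.append((posixpath.normpath(path), mode))
    return directives


def effective_access(directives, path):
    """Longest matching directive wins; a later directive of equal length
    overrides an earlier one. Uncovered paths are 'rw' (unrestricted)."""
    path = posixpath.normpath(path)
    best = None
    for dir_path, mode in directives:
        prefix = dir_path.rstrip("/") + "/"
        if path == dir_path or path.startswith(prefix):
            if best is None or len(dir_path) >= len(best[0]):
                best = (dir_path, mode)
    return best[1] if best else "rw"


def check_exec_targets(unit_text):
    """Map every absolute path mentioned on ExecStart*= lines to the access
    the namespace would grant it. A 'ro' binary is fine to execute; a 'ro'
    output path is the kind of mismatch the report describes."""
    directives = parse_mount_directives(unit_text)
    result = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith("ExecStart"):
            continue
        _, _, cmdline = line.partition("=")
        tokens = cmdline.split()
        if tokens:
            # strip ExecStart= command prefix characters such as '-' or '@'
            tokens[0] = tokens[0].lstrip("-@+!:")
        for token in tokens:
            if token.startswith("/"):
                result[token] = effective_access(directives, token)
    return result


if __name__ == "__main__":
    for target, mode in sorted(check_exec_targets(SAMPLE_UNIT).items()):
        print(f"{mode}  {target}")
```

Running it on the sample unit reports `/usr/bin/touch` as `ro` (fine for a binary) and `/var/lib/test/subfolder/test.txt` as `rw`, which is the outcome the unit above was written to get; a build on which that `touch` fails is diverging from the documented longest-match behaviour, not from the unit.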