[systemd-devel] how to debug failures when trying to lock down services
Mantas Mikulėnas
grawity at gmail.com
Thu Nov 30 05:52:35 UTC 2017
On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <mbiebl at gmail.com> wrote:
> Hi,
>
> today I tried to lock down the rsyslog.service that I have on my system.
>
> For that I first created an override.conf that contained
>
> [Service]
> ProtectHome=yes
> PrivateTmp=yes
> PrivateDevices=yes
>
> ProtectSystem=strict
> ReadWritePaths=/var/log
> ReadWritePaths=/var/spool/rsyslog
> ReadWritePaths=/proc/kmsg
>

Are you using imklog or imkmsg? The latter would require the new /dev/kmsg
interface (which probably conflicts with PrivateDevices= above).

> Unfortunately, rsyslog.service failed to start:
> ● rsyslog.service - System Logging Service
> Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled;
> vendor preset: enabled)
> Drop-In: /etc/systemd/system/rsyslog.service.d
> └─override.conf
> Active: failed (Result: exit-code) since Thu 2017-11-30 04:25:03 CET;
> 2s ago
> Docs: man:rsyslogd(8)
> http://www.rsyslog.com/doc/
> Process: 2734 ExecStart=/usr/sbin/rsyslogd -n (code=exited,
> status=1/FAILURE)
> Main PID: 2734 (code=exited, status=1/FAILURE)
>

Well, it does say that the failure comes from rsyslogd itself, not from the
namespace setup...

> The journal doesn't contain anything useful.
>

I'm guessing rsyslog will log its own errors to /var/log/syslog rather than
stderr.

> Any hints how I can further debug this why rsyslog fails to start?
>

rsyslogd -d -d -d
strace

--
Mantas Mikulėnas <grawity at gmail.com>
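One way to act on the strace hint while keeping the sandbox in place, as an added example that is not part of the original message: convert the `[Service]` lines of the drop-in into `-p` properties for a transient `systemd-run` unit and wrap the unit's `ExecStart` command in `strace -f`. The function names are hypothetical, the sample input is the override.conf quoted above, and values are assumed to contain no single quotes.

```shell
#!/bin/sh
# Added example: build a systemd-run command line that runs rsyslogd in the
# foreground under strace with the same sandboxing as the drop-in.

# Constructed sample input: the override.conf quoted in the message.
sample_dropin() {
cat <<'EOF'
[Service]
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

ProtectSystem=strict
ReadWritePaths=/var/log
ReadWritePaths=/var/spool/rsyslog
ReadWritePaths=/proc/kmsg
EOF
}

# Read a unit file or drop-in on stdin and print " -p 'Key=Value'" for every
# assignment inside [Service]; other sections and comments are skipped.
dropin_to_props() {
    awk '
        /^[ \t]*(#|;|$)/ { next }
        /^\[/            { in_service = ($0 == "[Service]"); next }
        in_service && /=/ { printf " -p \047%s\047", $0 }
    '
}

# Print the command line only; nothing is executed by this function.
# /usr/sbin/rsyslogd -n is the ExecStart shown in the status output.
build_debug_cmd() {
    props=$(dropin_to_props)
    printf 'systemd-run --pty --wait%s strace -f /usr/sbin/rsyslogd -n\n' "$props"
}

# Usage: sample_dropin | build_debug_cmd
#    or: build_debug_cmd < /etc/systemd/system/rsyslog.service.d/override.conf
```

Run the printed line as root with rsyslog.service stopped; syscalls failing with errors such as EACCES, EROFS or ENOENT in the trace point at the path the sandbox is hiding or making read-only. Removing one `-p` at a time from the line narrows down which directive is responsible.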