[systemd-devel] how to debug failures when trying to lock down services
Michael Biebl
mbiebl at gmail.com
Thu Nov 30 08:31:50 UTC 2017
2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas <grawity at gmail.com>:
> On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <mbiebl at gmail.com> wrote:
>>
>> Hi,
>>
>> today I tried to lock down the rsyslog.service that I have on my system.
>>
>> For that I first created an override.conf that contained
>>
>> [Service]
>> ProtectHome=yes
>> PrivateTmp=yes
>> PrivateDevices=yes
>>
>> ProtectSystem=strict
>> ReadWritePaths=/var/log
>> ReadWritePaths=/var/spool/rsyslog
>> ReadWritePaths=/proc/kmsg
>
>
> Are you using imklog or imkmsg? The latter would require the new /dev/kmsg
> interface (which probably conflicts with PrivateDevices= above).
I suspect it's related to ProtectSystem=strict, as with
ProtectSystem=full rsyslog seems to start successfully. But this is
just trial and error.
>>
>> Unfortunately, rsyslog.service failed to start:
>> ● rsyslog.service - System Logging Service
>> Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled;
>> vendor preset: enabled)
>> Drop-In: /etc/systemd/system/rsyslog.service.d
>> └─override.conf
>> Active: failed (Result: exit-code) since Thu 2017-11-30 04:25:03 CET;
>> 2s ago
>> Docs: man:rsyslogd(8)
>> http://www.rsyslog.com/doc/
>> Process: 2734 ExecStart=/usr/sbin/rsyslogd -n (code=exited,
>> status=1/FAILURE)
>> Main PID: 2734 (code=exited, status=1/FAILURE)
>
>
> Well, it does say that the failure comes from rsyslogd itself, not from the
> namespace setup...
>
>>
>> The journal doesn't contain anything useful.
>
>
> I'm guessing rsyslog will log its own errors to /var/log/syslog rather than
> stderr.
I don't have anything in /var/log/syslog
>>
>> Any hints how I can further debug this why rsyslog fails to start?
>
>
> rsyslogd -d -d -d
Already tried that, doesn't produce any useful logs.
> strace
Already tried
ExecStart=
ExecStart=/usr/bin/strace -f -o /var/log/strace /usr/sbin/rsyslogd -n
but this didn't produce any /var/log/strace log file.
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?