[systemd-devel] how to debug failures when trying to lock down services

Michael Biebl mbiebl at gmail.com
Thu Nov 30 15:12:04 UTC 2017


2017-11-30 16:07 GMT+01:00 Michael Biebl <mbiebl at gmail.com>:
> 2017-11-30 9:35 GMT+01:00 Mantas Mikulėnas <grawity at gmail.com>:
>> On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl <mbiebl at gmail.com> wrote:
>>>
>>> 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas <grawity at gmail.com>:
>>> > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <mbiebl at gmail.com> wrote:
>>> >>
>>> >> [Service]
>>> >> ProtectHome=yes
>>> >> PrivateTmp=yes
>>> >> PrivateDevices=yes
>>> >>
>>> >> ProtectSystem=strict
>>> >> ReadWritePaths=/var/log
>>> >> ReadWritePaths=/var/spool/rsyslog
>>> >> ReadWritePaths=/proc/kmsg
>>> >
>
>>>
>>> I suspect it's related to ProtectSystem=strict, as with
>>> ProtectSystem=full rsyslog seems to start successfully. But this is
>
>> Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes
>> /var/log read-only... I think I've seen other people have that problem
>> recently.
>
>
> *facepalm*
> rsyslog.service by default uses StandardOutput=null, so I didn't see
> the error messages in debug mode.
>
> After fixing that, it was rather obvious.
>
> *double facepalm*
> rsyslog writes a pid file in /run and fails to start if it can't write
> the pidfile.  I will raise this upstream that maybe writing a pidfile
> in socket activation / sd_notify mode is not really necessary and it
> should stop doing that.

Filed https://github.com/rsyslog/rsyslog/issues/2143 for that.

> For now I used RuntimeDirectory=rsyslog and
> ExecStart=/usr/sbin/rsyslogd -n -i /run/rsyslog/rsyslogd.pid
>
> So the complete rsyslog.service now looks like
>
> [Unit]
> Description=System Logging Service
> Requires=syslog.socket
> Documentation=man:rsyslogd(8)
> Documentation=http://www.rsyslog.com/doc/
>
> [Service]
> Type=notify
> ExecStart=/usr/sbin/rsyslogd -n
> StandardOutput=null
> Restart=on-failure
>
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectHome=yes
> ProtectSystem=strict
> ReadWritePaths=/var/log
> ReadWritePaths=/var/spool/rsyslog
> ReadWritePaths=/proc/kmsg
> ReadWritePaths=/tmp
>
> RuntimeDirectory=rsyslog
>
> CapabilityBoundingSet=CAP_SYSLOG
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
>
> ExecStart=/usr/sbin/rsyslogd -n -i /run/rsyslog/rsyslogd.pid
>
> [Install]
> WantedBy=multi-user.target
> Alias=syslog.service
>
> Feedback welcome on how to reasonably lock down rsyslog by default
> without breaking commonly used functionality (like remote syslog)
>
> Regards,
> Michael
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
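As an added example, not part of the thread or of rsyslog/systemd, a small Python check for the two pitfalls described above: `StandardOutput=null` hiding the failure, and a pid file path that none of the `ReadWritePaths=`/`RuntimeDirectory=` settings leave writable under `ProtectSystem=strict`. The sample unit is constructed; the `-i` pid-file flag is the one used in the message.

```python
import re

# Constructed sample unit modelled on the thread's first attempt: output
# discarded, ProtectSystem=strict, pid file under /run with no RuntimeDirectory=.
SAMPLE_UNIT = """\
[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -i /run/rsyslogd.pid
StandardOutput=null
ProtectSystem=strict
ReadWritePaths=/var/log
ReadWritePaths=/var/spool/rsyslog
"""

def parse_service(text):
    """Collect [Service] keys as key -> list of values (keys may repeat)."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def writable_dirs(opts):
    """Paths writable under ProtectSystem=strict: ReadWritePaths= entries
    plus /run/<name> for each RuntimeDirectory=."""
    dirs = set()
    for entry in opts.get("ReadWritePaths", []):
        dirs.update(p.lstrip("-+") for p in entry.split())
    for entry in opts.get("RuntimeDirectory", []):
        dirs.update("/run/" + d.strip("/") for d in entry.split())
    return dirs

def lint(text):
    """Return findings for the two pitfalls; empty list means neither applies."""
    opts, findings = parse_service(text), []
    if "null" in opts.get("StandardOutput", []):
        findings.append("StandardOutput=null hides the daemon's errors; use journal while debugging")
    if opts.get("ProtectSystem", [None])[-1] == "strict":
        dirs = writable_dirs(opts)
        for cmd in opts.get("ExecStart", []):
            m = re.search(r"-i\s+(\S+)", cmd)  # rsyslogd's pid-file flag from the thread
            if m and not any(m.group(1).startswith(d.rstrip("/") + "/") for d in dirs):
                findings.append(f"pid file {m.group(1)} is outside every writable path")
    return findings
```

Running `lint()` over the corrected unit from the message (RuntimeDirectory=rsyslog plus `-i /run/rsyslog/rsyslogd.pid`) yields no findings, which is the quick sanity check to do before reloading the unit.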
