[systemd-devel] Portable service binding a system port

François francois+systemd at kubler.org
Thu Jan 23 12:56:09 UTC 2020


Hi,

I’m playing around with portable services and I’m trying to make unbound (the DNS resolver) work.

Despite all my efforts these last days and some Google-Fu, I can’t make it work. It always fails when trying to bind the interface on port 53, with a "permission denied" message.
The exact same config running directly on the host works.
Binding to a port > 1024 also works.

Here is the [Service] section of the .service file provided by the image:

[Service]
ExecStart=/usr/bin/unbound -d
ExecReload=+/bin/kill -HUP $MAINPID
ExecStop=+/bin/kill -TERM $MAINPID
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
ConfigurationDirectory=unbound
RuntimeDirectory=unbound
BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE


It’s attached with the default profile.

Amongst the billion things I tried to make it work, I:
- tried to confirm the AmbientCapabilities= directive in a local drop-in, but without success;
- tried the "trusted" profile with no luck;
- tried to remove some directives or override them (don’t remember exactly what, I’ve spent like 50 hours on it :-/ )


Are there some "special" restrictions for portable services? What am I missing / misunderstanding?

Thanks a lot for your work,

-- 
François
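Added example, not from François's post and not systemd's own code: a small Python checker that folds CapabilityBoundingSet= and AmbientCapabilities= from a unit and its drop-ins (profile included) using the merge rules documented in systemd.exec(5), and reports whether CAP_NET_BIND_SERVICE survives in both sets; a DynamicUser= service binding port 53 needs it in the ambient set as well as the bounding set. The masking drop-in below is a constructed hypothetical, not the contents of any real portable profile.

```python
# Constructed sample: the capability lines from the post plus a HYPOTHETICAL masking drop-in.
UNIT = """[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
AmbientCapabilities=CAP_NET_BIND_SERVICE
"""
MASKING_DROPIN = "[Service]\nCapabilityBoundingSet=~CAP_NET_BIND_SERVICE\n"
# A set is None while never assigned, else (allow, deny): allow=None means "every
# capability", deny lists capabilities removed again. Rules follow systemd.exec(5).
def merge(capset, value):
    value = value.strip()
    if value == "":                      # empty assignment: reset to the empty set
        return frozenset(), frozenset()
    if value == "~":                     # bare "~": reset to the full set
        return None, frozenset()
    invert = value.startswith("~")
    caps = frozenset(value.lstrip("~").split())
    if capset is None:                   # first assignment: the list, or all but the list
        return (None, caps) if invert else (caps, frozenset())
    allow, deny = capset
    if invert:                           # later "~A B": AND with the complement of the list
        return (None if allow is None else allow - caps), deny | caps
    return (None if allow is None else allow | caps), deny - caps  # later list: OR it in

def contains(capset, cap, untouched):    # untouched: what a never-assigned set grants
    if capset is None:
        return untouched
    return (capset[0] is None or cap in capset[0]) and cap not in capset[1]

def service_assignments(text):
    """Yield (key, value) pairs from the [Service] section of unit-style text."""
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            yield key.strip(), value

def effective_caps(unit_text, dropins=()):
    """Apply the unit first, then each drop-in in the order systemd loads them."""
    bounding = ambient = None
    for text in (unit_text, *dropins):
        for key, value in service_assignments(text):
            if key == "CapabilityBoundingSet":
                bounding = merge(bounding, value)
            elif key == "AmbientCapabilities":
                ambient = merge(ambient, value)
    return bounding, ambient

def can_bind_low_port(unit_text, dropins=()):
    bounding, ambient = effective_caps(unit_text, dropins)
    cap = "CAP_NET_BIND_SERVICE"         # needed in the bounding set AND the ambient set
    return contains(bounding, cap, True) and contains(ambient, cap, False)
```

Feed it the unit plus every drop-in that `systemctl cat` shows for the attached unit to see which layer, if any, drops the capability.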

